I have an ASP.NET website.
I want users who are not logged in to be automatically (re)directed to the login page, for example, ~/Account/Login.aspx.
As it is now, users are able to visit pages (for example, default.aspx) without being logged in.
Note: I am operating on the (perhaps incorrect) assumption that ASP.NET has its own authentication cycle that happens behind my back before every (and any) page loads.
Update @asawyer provided a link that, while not helping to answer the question, did provide a pretty graphic:
I have a web.config file that enables Forms authentication:

    <?xml version="1.0"?>
    ...
    <configuration>
        ...
        <system.web>
            <authentication mode="Forms">
                <forms loginUrl="~/Account/Login.aspx" name=".ASPXFORMSAUTH" slidingExpiration="true"/>
            </authentication>
            ...
        </system.web>
        ...
    </configuration>

When I browse to the "default" page, I am able to view it, for example,

    GET http://localhost:53149/WebSite/ HTTP/1.1
    Host: localhost:53149

And I get the page contents:

    HTTP/1.1 200 OK
    Server: ASP.NET Development Server/10.0.0.0

In other words, rather than being forced to login to the web-site, I am not being forced to log in to the web-site.
It might be related to the fact that my browser is running locally to the web-server; but I'm using Forms, not Windows (and not Passport and not None) authentication.
I found the answer.
Question: How do I automatically redirect non-logged in users to the login page?
Answer: Deny anonymous users access
In order to automatically redirect non-logged in users to login page, you need to deny anonymous access to "all" pages. This is done in the site's web.config file:

web.config

    <?xml version="1.0"?>
    <configuration>
        <system.web>
            ...
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </configuration>

The special ? token is used to represent anonymous users.
This, when combined with telling Forms authentication where the "Login" page is:

    <?xml version="1.0"?>
    <configuration>
        <system.web>
            ...
            <authentication mode="Forms">
                <forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
            </authentication>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </configuration>

means that any anonymous users will be automatically redirected to the login page.
A question that seems to never have been asked before gets answered, and everybody lives.
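
An added example (not part of the original answer, and not ASP.NET's own code): a small Python audit that reads a web.config and reports whether anonymous requests are allowed at the site root and under each `<location>` override. It is a simplified model that assumes rules are matched on the `users` attribute only (`roles` and `verbs` are ignored) and that the inherited server-level default allows everyone; the sample config and the `Public` folder name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root denies anonymous users ("?"),
# while one <location> override reopens a folder to everyone ("*").
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def anonymous_allowed(authorization, inherited=True):
    """First matching rule wins; with no match, use the inherited result.

    Assumption: the inherited server-level default is <allow users="*"/>.
    """
    if authorization is None:
        return inherited
    for rule in authorization:
        if rule.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:  # "?" = anonymous, "*" = everyone
            return rule.tag == "allow"
    return inherited


def audit(web_config_xml):
    """Return {path: True if anonymous requests are allowed there}."""
    root = ET.fromstring(web_config_xml)
    site = anonymous_allowed(root.find("system.web/authorization"))
    report = {"/": site}
    for loc in root.findall("location"):
        auth = loc.find("system.web/authorization")
        report[loc.get("path", "")] = anonymous_allowed(auth, inherited=site)
    return report


if __name__ == "__main__":
    for path, is_open in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{path}: {'anonymous ALLOWED' if is_open else 'login required'}")
```

A config with Forms authentication enabled but no `<authorization>` rules, like the one in the question, is reported as open at `/`.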
If you wish to force all users to be logged in first on all pages, you can capture the authentication request in global.asax and do this programmatically:

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // This is the page being requested
        string cTheFile = HttpContext.Current.Request.Path;

        // Check if I am already on the login page to avoid a redirect loop
        // (case-insensitive, so "Login.aspx" also matches)
        if (!cTheFile.EndsWith("login.aspx", StringComparison.OrdinalIgnoreCase))
        {
            // Extract the form's authentication cookie
            string cookieName = FormsAuthentication.FormsCookieName;
            HttpCookie authCookie = Context.Request.Cookies[cookieName];

            // If not logged in. A cookie with the right name may be expired or
            // invalid, so also require that the ticket was actually validated.
            if (null == authCookie
                || HttpContext.Current.User == null
                || HttpContext.Current.User.Identity == null
                || !HttpContext.Current.User.Identity.IsAuthenticated)
            {
                // Passing true ends the response, so nothing more is needed here
                Response.Redirect("/login.aspx", true);
            }
        }
    }

This code is called on every page and checks all pages on your site.