I have a website in C# where users are authenticated to a SQL database via login control. Everything is working fine currently as I'm using the web.config to direct to the Login.aspx page if the user isn't logged in. What I would like to do though is access the login controls from another page but additionally pass another parameter.
So for example...
The web.config has the following:
    <authentication mode="Forms">
        <forms defaultUrl="~/Default.aspx" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="20"></forms>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>
The Login.aspx page looks like the following
        protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
        {
            bool authenticated = this.ValidateCredentials(LoginControl.UserName, LoginControl.Password);
            if (authenticated)
            {
                FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, LoginControl.RememberMeSet);
            }
        }

        private bool IsAlphaNumeric(string text)
        {
            return Regex.IsMatch(text, "^[a-zA-Z0-9-]+$");
        }

        private bool ValidateCredentials(string userName, string password)
        {
            bool returnValue = false;
            if (this.IsAlphaNumeric(userName) && userName.Length <= 25 && password.Length <= 50)
            {
                string sqlConn = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
                using (SqlConnection sqlConnection1 = new SqlConnection(sqlConn))
                {
                    using (SqlCommand cmd = new SqlCommand())
                    {
                        cmd.CommandText = ("ValidateUser");
                        cmd.CommandType = CommandType.StoredProcedure;
                        cmd.Parameters.AddWithValue("LoginName", userName.Trim());
                        cmd.Parameters.AddWithValue("LoginPass", HashData.HashString(password.Trim()));
                        cmd.Parameters.AddWithValue("Type", "Read");
                        cmd.Connection = sqlConnection1;
                        sqlConnection1.Open();
                        if (cmd.ExecuteScalar() == null)
                        {
                            returnValue = false;
                        }
                        else
                        {
                            returnValue = true;
                        }
                    }
                }
            }
            return returnValue;
        }
    }
Now what I would like to do is utilize the same login control across other pages so that I can see if the same user is logged in but pass a different "Type" parameter such as "Edit".
So the way I would like it to work is this... The user accesses the site and is redirected to the Login.aspx page. The login control runs my stored procedure verifying they are "Read" type and redirects them to the Default.aspx. From here a user can click an Edit button. Once they do, the same login control would check if they have "Edit" rights by running the same stored procedure but instead passing that as the "Type" parameter. At this point if the results are false the user would be prompted to login if their current rights don't allow it, or the page would just load if the current user has those rights. Is there a way to do what I'm looking for or would I need to just use either multiple login controls or different folder structure and do this all with web.config?
Problem solved...
What I ended up doing was to let the login control authorize a user with the lowest level rights. When a user attempts to access a page that requires higher rights, I'm first checking if
    if (User.Identity.IsAuthenticated == true)
If true, then I run a new query that checks if User.Identity.Name is of the correct "Type".
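
An added example, not part of the original post: one way to run the per-page rights check described above on every request to a restricted page, so that the check does not depend on whether the Edit button was shown. The class names, the `UserHasType` stored procedure and the parameter types are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base page: any page that needs a given "Type" derives from it.
public abstract class TypeRestrictedPage : Page
{
    // Right this page requires, e.g. "Edit" (value taken from the question).
    protected abstract string RequiredType { get; }

    // OnInit runs on every request, postbacks included, so posting
    // straight to the page cannot bypass the check.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!UserHasType(User, RequiredType))
        {
            // RedirectToLoginPage does not end the request by itself;
            // end it explicitly so no page code runs for this user.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }
    }

    internal static bool UserHasType(IPrincipal user, string type)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return false;
        string connStr = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        // Assumed stored procedure: returns a value only when the login
        // holds the requested type. No password is needed at this point.
        using (SqlCommand cmd = new SqlCommand("UserHasType", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Sizes are assumptions; 25 matches the user name limit in the question.
            cmd.Parameters.Add("@LoginName", SqlDbType.NVarChar, 25).Value = user.Identity.Name;
            cmd.Parameters.Add("@Type", SqlDbType.NVarChar, 10).Value = type;
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }
}

// Hypothetical edit page: declares the right it needs and nothing else.
public class EditPage : TypeRestrictedPage
{
    protected override string RequiredType { get { return "Edit"; } }
}
```

Because the query runs on each request rather than once at login, removing a user's "Edit" type in the database takes effect on their next request.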