Simple Single Page / Single User Forms Authentication without DB – C#

On smaller projects, perhaps for internal use, you may want to protect a page with a username and password. Below is an easy way to protect a page (or pages / folders) with a username and password kept in the web.config for easy access. This method uses forms authentication but doesn’t require a database or other source for user details, since the single user is stored in the web.config.

You’ll basically need to:

  1. Create a login page (simple .aspx page)
  2. Modify your web.config

 

Let’s start with your web.config. Below are the areas you’ll want to add:

A user / pass key:

  <appSettings>
    <add key="adminUsername" value="admin"/>
    <add key="adminPassword" value="sosecure"/>
  </appSettings>

And add the authentication and authorization settings to system.web in your web.config:

 <authentication mode="Forms">
  <forms name=".SIMPLEAUTH" loginUrl="login.aspx"
   protection="All" path="/" timeout="30" />
 </authentication>
 <authorization>
  <allow users="*" />
 </authorization>

And add a new location element to your web.config to protect your page. In my case, I’m locking down a page called “admin.aspx” – change it to whatever your page is named.

 <location path="admin.aspx">
  <system.web>
   <authorization>
    <deny users="?" />
    <allow users="admin" />
   </authorization>
  </system.web>
 </location>

Now create your login.aspx login page:

    <form id="form1" runat="server">

        <fieldset>
            <legend>Please Login:</legend>
            <label for="txtUserName">Email:</label>
            <input id="txtUserName" name="txtUserName" type="text" runat="server" />
            <br />
            <label for="txtUserPass">Password:</label>

            <input id="txtUserPass" name="txtUserPass" type="password" runat="server" />
            <br />
            <label for="chkPersistCookie">Stay Logged In:</label>

            <asp:CheckBox ID="chkPersistCookie" runat="server" AutoPostBack="false" />
            <br />
            <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="btnLogin_Click" /><p></p>
            <asp:Label ID="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />
        </fieldset>
    </form>

And in the code behind:

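// Requires: using System.Web.Configuration; using System.Web.Security;

// Compares the submitted credentials with the single user stored in appSettings.
private bool ValidateUser(string userName, string passWord)
{
    string expectedUser = WebConfigurationManager.AppSettings["adminUsername"];
    string expectedPass = WebConfigurationManager.AppSettings["adminPassword"];

    // Fail closed if either key is missing from web.config.
    if (string.IsNullOrEmpty(expectedUser) || string.IsNullOrEmpty(expectedPass))
        return false;

    return userName == expectedUser && passWord == expectedPass;
}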

protected void btnLogin_Click(object sender, EventArgs e)
{
    if (ValidateUser(txtUserName.Value, txtUserPass.Value))
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,
            chkPersistCookie.Checked);
    else
        userMsg("Incorrect user name and / or password. Please try again.");
}

protected void userMsg(string msg)
{
    lblMsg.Text = msg;
}

 

This is the bare minimum for securing your site but I hope you find this helpful.

If you’re concerned about the security of your web.config, you can encrypt parts of it.

Bonus: Below is the style I used for my form (I enjoy fieldsets), which looks decent and simple:

 <style>
 body
 {
 font-family: sans-serif, Arial, Helvetica, Verdana;
 }

 fieldset
 {
 padding: 1em;
 
 }

 legend
 {
 margin-bottom: .5em;
 }


 label
 {
 margin-right: 0.5em;
 padding-top: 0.5em;
 text-align: right;
 font-weight: bold;
 }

 input
 {
 margin-bottom: .5em;
 }
 </style>