On smaller projects, perhaps for internal use, you may want to protect a page with a username and password. Below is an easy way to protect a page (or pages / folders) using a username and password kept in the web.config for easy access. This method uses forms authentication but doesn’t require a database or other source for user details, since the single user is stored in the web.config.
You’ll basically need to:
- Create a login page (simple .aspx page)
- Modify your web.config
Let’s start with your web.config. Below are the areas you’ll want to add:
A user / pass key:
<appSettings>
  <add key="adminUsername" value="admin"/>
  <add key="adminPassword" value="sosecure"/>
</appSettings>
And add the authentication and authorization settings to system.web in your web.config:
<authentication mode="Forms">
  <forms name=".SIMPLEAUTH" loginUrl="login.aspx" protection="All" path="/" timeout="30" />
</authentication>
<authorization>
  <allow users="*" />
</authorization>
And add a new location section in your web.config to protect your page. In my case, I’m locking down a page called “admin.aspx” – change to whatever your page is named.
<location path="admin.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="admin" />
    </authorization>
  </system.web>
</location>
Now create your login.aspx login page:
<form id="form1" runat="server">
<fieldset>
<legend>Please Login:</legend>
<label for="txtUserName">Email:</label>
<input id="txtUserName" name="txtUserName" type="text" runat="server" />
<br />
<label for="txtUserPass">Password:</label>
<input id="txtUserPass" name="txtUserPass" type="password" runat="server" />
<br />
<label for="chkPersistCookie">Stay Logged In:</label>
<asp:CheckBox ID="chkPersistCookie" runat="server" AutoPostBack="false" />
<br />
<asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="btnLogin_Click" /><p></p>
<asp:Label ID="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />
</fieldset>
</form>
And in the code behind:
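// Namespaces needed at the top of login.aspx.cs:
using System;
using System.Web.Configuration;
using System.Web.Security;

// The methods below go inside the login page's code-behind class.

// Compares the submitted credentials with the single user stored in web.config.
private bool ValidateUser(string userName, string passWord)
{
    bool validPass = false;
    // AppSettings values are already strings, so no ToString() call is needed
    // (it would throw a NullReferenceException if a key were missing).
    if ((userName == WebConfigurationManager.AppSettings["adminUsername"]) &&
        (passWord == WebConfigurationManager.AppSettings["adminPassword"]))
    {
        validPass = true;
    }
    return validPass;
}

// Issues the forms authentication cookie and returns to the requested page,
// or shows an error when the credentials do not match.
protected void btnLogin_Click(object sender, EventArgs e)
{
    if (ValidateUser(txtUserName.Value, txtUserPass.Value))
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,
            chkPersistCookie.Checked);
    else
        userMsg("Incorrect user and / or password. Please try again.");
}

// Displays a message in the red label under the login button.
protected void userMsg(string msg)
{
    lblMsg.Text = msg;
}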
This is the bare minimum for securing your site but I hope you find this helpful.
If you’re concerned about the security of your web.config, you can encrypt parts of it.
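One way to encrypt the appSettings section that holds adminUsername and adminPassword, shown as an added example that is not part of the original post. The class name ConfigProtector, its method names, and the virtualPath parameter are assumptions; the configuration APIs and the provider name are the standard .NET Framework ones.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (not from the original post): encrypts or decrypts the
// <appSettings> section that stores adminUsername / adminPassword.
public static class ConfigProtector
{
    // Built-in provider backed by Windows DPAPI. A section encrypted with it
    // can only be decrypted on the machine that encrypted it.
    private const string Provider = "DataProtectionConfigurationProvider";

    // virtualPath: the application's virtual root, e.g. Request.ApplicationPath.
    // The calling identity needs write access to web.config to save the change.
    public static bool ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || section.SectionInformation.IsProtected)
            return false; // missing or already encrypted: nothing to do

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses ProtectAppSettings, e.g. before editing the password by hand.
    public static bool UnprotectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || !section.SectionInformation.IsProtected)
            return false; // missing or already plain text

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

ASP.NET decrypts a protected section transparently, so ValidateUser keeps reading WebConfigurationManager.AppSettings unchanged. Encryption protects the file at rest (backups, source control, a stray copy); code running inside the application can still read the values.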
Bonus: Below is the style I used for my form (I enjoy fieldsets), which looks decent and simple:
<style>
  body { font-family: sans-serif, Arial, Helvetica, Verdana; }
  fieldset { padding: 1em; }
  legend { margin-bottom: .5em; }
  label { margin-right: 0.5em; padding-top: 0.5em; text-align: right; font-weight: bold; }
  input { margin-bottom: .5em; }
</style>