Simple Single Page / Single User Forms Authentication without DB – C#

simple-loginOn smaller projects, maybe for internal usage, you want to protect a page with a username and password. Below is an easy way you can protect a page (or pages / folders) using a user and pass (kept in the web.config for easy access). This method uses forms authentication but doesn’t require a database or other source for user details since a single user is just stored in the web.config.

You’ll basically need to.

  1. Create a login page (simple .aspx page)
  2. Modify your web.config


Let’s start with your web.config. Below are the areas you’ll want to add:

A user / pass key:

    <add key="adminUsername" value="admin"/>
    <add key="adminPassword" value="sosecure"/>

And add the authorization settings to system.web in your web.config:

<authentication mode="Forms">
  <forms name=".SIMPLEAUTH" loginUrl="login.aspx"
  protection="All" path="/" timeout="30" />
  <allow users = "*" />

And add a new location spot in your web.config to project your page. In my case, I’m locking down a page called “admin.aspx” – change to whatever your page is named.

 <location path="admin.aspx">
    <deny users="?" />
    <allow users="admin" />

Now create your login.aspx login page:

    <form id="form1" runat="server">

            <legend>Please Login:</legend>
            <label for="txtUserName">Email:</label>
            <input id="txtUserName" name="txtUserName" type="text" runat="server" />
            <br />
            <label for="txtUserPass">Password:</label>

            <input id="txtUserPass" name="txtUserPass" type="password" runat="server" />
            <br />
            <label for="txtUserName">Stay Logged In:</label>

            <asp:CheckBox ID="chkPersistCookie" runat="server" AutoPostBack="false" />
            <br />
            <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="btnLogin_Click" /><p></p>
            <asp:Label ID="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />

And in the code behind:

private bool ValidateUser(string userName, string passWord)
    bool validPass = false;

        if ((userName == WebConfigurationManager.AppSettings["adminUsername"].ToString()) && (passWord == WebConfigurationManager.AppSettings["adminPassword"].ToString()))
            validPass = true;
  return validPass;


protected void btnLogin_Click(object sender, EventArgs e)
    if (ValidateUser(txtUserName.Value, txtUserPass.Value))
        userMsg("Incorrect user and / or password incorrect. Please try again.");

protected void userMsg(string msg)
    lblMsg.Text = msg;


This is the bare minimum for securing your site but I hope you find this helpful.

If you’re concerned about the security of your web.config, you can encrypt parts of it.

Bonus: Below is the style I used for my form (I enjoy fieldsets) and looks decent and simple:

 font-family: sans-serif, Arial, Helvetica, Verdana;

 padding: 1em;

 margin-bottom: .5em;

 margin-right: 0.5em;
 padding-top: 0.5em;
 text-align: right;
 font-weight: bold;

 margin-bottom: .5em;
Simple Single Page / Single User Forms Authentication without DB – C#

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s