can u have multiple login pages using forms authentication?

Question
-
User1191045453 posted
I am trying to create a website that will allow users to login, as well as admin staff. Is it possible to have two separate login pages (one for users, and one for admin) using forms authentication? So far I have created separate login pages for both user, and admin, and both work fine. The only problem I have is that when a user tries to access a restricted admin page they are redirected to the user login page, rather than the correct admin login page. All my admin pages are in a separate directory from the rest of the website. Do I have to modify the web.config in the admin directory to redirect to a different login page? Thanks for your help
Michael
Wednesday, September 3, 2003 10:30 AM
All replies
-
User-181010142 posted
Why do you need more than one logon page? You should be able to use a single logon page, but have different security/access settings on different areas of your site. This article gives an idea of what I mean: http://www.orcsweb.com/articles/security2.aspx
Wednesday, September 3, 2003 2:16 PM -
User-1827453801 posted
No u can't. And there are good reasons for having multiple login pages. I'm writing an application with "participants" and "users" which authenticate against a different db table and have a separate UI style. I "simulated" this by checking to see what folder I'm in and checking against the appropriate source, i.e.
    // Choose the credential store from the folder named in ReturnUrl
    string returnUrl = (Request.QueryString["ReturnUrl"] ?? "").ToLower(); // ReturnUrl may be absent
    if (returnUrl.IndexOf("/cmg/participant/") != -1){
        CMGLibrary.Participant[] participant = ParticipantMapper.SelectByEmail(LoginIdentifier.Text);
        // Plain-text comparison against the stored password, as posted
        if (participant.Length == 1 && participant[0].Password == Password.Text.Trim()){
            FormsAuthentication.RedirectFromLoginPage(participant[0].ID.ToString(), false);
        }
        else Feedback.Text = Res.GetString("AuthFailed");
    }
    else{
        CMGLibrary.User[] newUser = UserMapper.SelectByIdentifier(LoginIdentifier.Text);
        if (newUser.Length == 1 && newUser[0].Password == Password.Text.Trim()){
            FormsAuthentication.RedirectFromLoginPage(newUser[0].ID.ToString(), false);
        }
        else Feedback.Text = Res.GetString("AuthFailed");
    }
Not too glamorous, I'll admit, but it's (pseudo) infinitely extendable. But I should point out that because both auth pages will store auth information in the same cookie, you can only be authenticated against one ... thing... at a time. I have this in my global.asax to force the app to re-request authorisation whenever the user switches from one section to another.
    HttpApplication app = (HttpApplication) sender;
    if (context == null) initContext();
    try{
        if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity){
            // Segments[2] is the section folder; guard against shorter URLs
            if (app.Request.Url.Segments.Length > 2 && app.Request.Url.Segments[2].ToLower() == "participant/"){
                CMGLibrary.Participant oParticipant = (CMGLibrary.Participant)((ParticipantMapper)context[typeof(ParticipantMapper)]).Find(long.Parse(User.Identity.Name));
                app.Context.User = new GenericPrincipal(new GenericIdentity(oParticipant.ID.ToString()), new string[] {"Participant"});
            }
            else{
                CMGLibrary.User oUser = (CMGLibrary.User)((UserMapper)context[typeof(UserMapper)]).Find(long.Parse(User.Identity.Name));
                app.Context.User = new GenericPrincipal(new GenericIdentity(oUser.ID.ToString()), new string[] {oUser.UserRole.RoleName});
            }
        }
    }
    // No record with this ID in the section being requested: drop the identity
    catch (NullReferenceException){
        app.Context.User = null;
    }
hope this is useful, it's the only way I could think of to get around asp.net limitations. I can't really understand why U can't define authentication (other than access lists) in sub directories. Alternatively u could make ur sub folders Applications in their own right but this is soooooo not preferable, 'specially if u've got some slick templating system in place
GL :D
Thursday, September 4, 2003 2:43 AM -
User661594866 posted
I'm having the same problem...
I am trying to create a website that will allow users to login as two groups, Employee and Employer. Is it possible to have two separate login pages using forms authentication? I've two subfolders, Employee and Employer, in the main application.. can I have two login pages for these subfolders..
plz specify setting in web.config
Friday, May 23, 2008 6:13 AM -
User-1827453801 posted
This post is 5 years old lol.
Why do you want two login pages? Do you want a different appearance for the two types of users? Can you not just associate the various users with an Employee or Employer role?
(there's no setting in web.config to do this)
Monday, May 26, 2008 8:02 PM -
User661594866 posted
hai
I want two different login pages...having different themes..If I use a single login page,...how can I differentiate employer and employee?
should I check 2 tables (employee table and employer table) for this.
plz help me
Wednesday, May 28, 2008 3:23 AM -
User-1827453801 posted
If a user navigates to a protected area how will the application know which login page to display? How are you expecting to control this?
Wednesday, May 28, 2008 8:26 AM -
User661594866 posted
for eg: if someone requests a protected page in the Folder Employee, he should be directed to the login page of employee...For three sub Folders there should be three login pages..is it possible..
Thursday, May 29, 2008 1:42 AM -
User-1827453801 posted
Ok, all that crap is usually done inside the FormsAuthenticationModule. I'd suggest just writing your own httpmodule and accompanying configuration section handler.
Hook up to the appropriate event (AuthenticateRequest I think). Check the configuration information from your configurationsection handler and then redirect users to the appropriate login page based on the url path requested. It's a bit of work, not too bad. It'd be a handy component...
Another cheap & nasty way may be to just have your login page inspect the returnUrl querystring parameter and apply a different theme to the login page based on the contents of the returnUrl.
Thursday, May 29, 2008 2:19 AM -
User661594866 posted
is it possible to include 3 login pages in a single application..How plz explain ...i'm a new comer to .net
Friday, May 30, 2008 2:56 AM -
User1656371023 posted
The smart way to do this is to use the authentication and roles and membership system built into asp.net, and do not try to invent your own.
Have one login page.
Assign employees to an "employee" role.
Limit access to certain folders to employee role only, with a few lines in the web.config file.
Then when employees login they will be able to access pages in the employee only folder, when customers login they will not be able to see the employee pages.
Friday, May 30, 2008 3:26 AM -
User661594866 posted
any way i want 3 login pages for three different groups...Is there any solution with 3 login pages..Why asp.net doesn't allow different
<authentication> elements in different locations..
for eg:
<configuration>
  <location path="Sub1">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login1.aspx" />
      </authentication>
    </system.web>
  </location>
  <location path="Sub2">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login2.aspx" />
      </authentication>
    </system.web>
  </location>
</configuration>
this produces an error
Error 1 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. F:\Authentication\Web.Config
any help
Friday, May 30, 2008 5:49 AM -
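
What the error above points to, as an added example that is not from the thread: `<authentication>` may appear only at application level, so one web.config carries a single `loginUrl`, while `<authorization>` can differ per `<location>`. The folder, role and page names are assumptions taken from or modelled on the thread.

```xml
<configuration>
  <system.web>
    <!-- Application level only: one Forms login URL for the whole application -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>

  <!-- Per-folder access rules are allowed inside <location> -->
  <location path="Employee">
    <system.web>
      <authorization>
        <allow roles="employee" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Employer">
    <system.web>
      <authorization>
        <allow roles="employer" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- An additional login page inside a protected folder (assumed name)
       must stay readable before sign-in, or the request returns to login.aspx -->
  <location path="Employee/EmployeeLogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```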
User1656371023 posted
I think the answer is that ASP.NET will allow you to do that, if you really want to, but you will have to do more work and write more and solve more problems yourself.
You can have as many login pages as you like, all different. But until the user logs in, you don't know which one he or she is supposed to use.
If you just use the standard stuff, it will be easy to control access to different parts of the site using roles and "allow" or "deny" in the web.config and web.sitemap.
But anyway, if I had a customer that really really wanted to pay extra for separate login pages, I would try this way:
When the user tries to go to a page and is not logged in or does not have the correct role, he gets redirected to the standard login page - always the same one.
But he is sent to the login page with the returnurl - the page he was trying to reach - in the query string, so that after he has logged in he will be sent back to that page.
You can read that in page_load of the login page, like this
if (!string.IsNullOrEmpty(Request.QueryString["ReturnUrl"])) ....
So you could look at that query string and say,
if he wanted to go to adminpage.aspx I will send him to adminLoginpage.aspx
if he wanted to go to shoppage.aspx I will send him to shoppingLoginPage.aspx
and so on.
That way the standard login page would never be displayed, it does not even need to be a real login page, the user gets sent to a different login page before anything shows on the screen.
I have not tried this, so no promises, but I think it would work.
The obvious snag is, you do not know whether the user will be able to login on that page. All you know is he was trying to view a page in that area. If he has not logged in yet, you do not know if he is allowed to access that page or not, and so you do not know which login page he should really use.
Friday, May 30, 2008 6:43 AM -
User661594866 posted
what do u mean by that..
in the page_load event of login page
if (!string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
{
    Response.Redirect(Request.QueryString["ReturnUrl"]);
}
i got a window with
The page cannot be displayed
ie whenever i redirect to requested page, it again gets redirected to Login Page...Is there any solution to this...
Saturday, May 31, 2008 4:10 AM -
User1656371023 posted
I am guessing here, because you have not told us much about what you are doing.
The little piece of code you showed us, is that on your login page?
If it is, it looks like the user tried to go to page X, which he could not view because he was not logged in, so he was redirected to the login page?
But you have redirected him back to the same page he came from, without logging him in first?
But if he couldn't get to that page before, he can't get to it now, so he bounces back again?
Maybe you really wanted to redirect him to a different login page first, not back to where he came from?
Do you have roles set up, and allow/deny in web.config, that stopped the user getting to the page he wanted?
Or do you have a web.sitemap with roles required, that prevented the user accessing the desired page?
If you have created multiple login pages, you need to allow all users including anonymous users to access the additional login pages, or else they will be bounced back to the main login.
Saturday, May 31, 2008 5:29 AM -
User661594866 posted
I have created multiple login pages, and i've allowed all users including anonymous users to access the additional login pages.
But actually asp.net doesn't recognize these login pages (ie: multiple login pages) as login pages..that is the problem with me.
The problem comes ....since the access to other pages are restricted to authenticated users, it is not possible to navigate to those pages...Again there will be a redirection to Main Login page....Since asp.net allow only a single login page, the multiple login pages can't authenticate the user.
Are u able to understand my English?
Saturday, May 31, 2008 6:19 AM -
User1656371023 posted
Your english is good, that is no problem.
ASP.NET does let you have more than one login page - you can put the login controls on as many pages as you want.
But when a user tries to access a page without authorisation, ASP.NET will redirect him to login.aspx.
As far as I know, you cannot change that behaviour to send him to a different page automatically.
But it is possible to write code to catch the user when he arrives at the login.aspx page, and send him on to another page.
You must make sure the user has permission to view the page you send him to, if you want him to be able to login there, or he will be sent straight back to login.aspx again.
That is why I asked whether you have set permissions for folders or pages using "allow" and "deny" in web.config files? Or with "roles" in web.sitemap?
If you do have a Deny="*" or deny="?" for the folder that your SpecialLogin.aspx is in, you need to set allow="*" for that single page in web.config, so that the user can view it.
One other thing I found out: the Return=url parameter is ignored by the login controls if not on the login.aspx page. So in a SpecialLogin.aspx page, you might want to write code to redirect the user after he has logged in.
Saturday, May 31, 2008 9:54 AM -
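
The dispatcher approach described in this and the earlier reply, as an added C# example that is not code from the thread: login.aspx forwards to a per-folder login page chosen from ReturnUrl, and both pages accept ReturnUrl only when it is a local path, so the parameter cannot send a visitor to another site. The class names, folder map, page names and handler name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
// Code-behind for the default login.aspx, used only as a dispatcher (assumed class name).
public partial class LoginDispatcher : Page
{
    // Assumed folder-to-login-page map; adjust to the site's layout.
    private static readonly string[,] AreaLogins =
    {
        { "/employee/", "~/Employee/EmployeeLogin.aspx" },
        { "/employer/", "~/Employer/EmployerLogin.aspx" }
    };
    // True only for local paths: rejects absolute URLs, "//host" and "/\host".
    public static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
    // Login page for the area named in returnUrl, or null to stay on this page.
    public static string PickLoginPage(string returnUrl)
    {
        if (!IsLocalPath(returnUrl)) return null;
        int q = returnUrl.IndexOf('?');   // match on the path, not the query string
        string path = (q < 0 ? returnUrl : returnUrl.Substring(0, q)).ToLowerInvariant();
        for (int i = 0; i < AreaLogins.GetLength(0); i++)
            if (path.IndexOf(AreaLogins[i, 0], StringComparison.Ordinal) >= 0)
                return AreaLogins[i, 1];
        return null;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = PickLoginPage(returnUrl);
        // A signed-in user who lacks the role stays here instead of being re-prompted.
        if (target != null && !Request.IsAuthenticated)
            Response.Redirect(target + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}

// Code-behind for Employee/EmployeeLogin.aspx; wire the handler to the Login control's LoggedIn event.
public partial class EmployeeLogin : Page
{
    protected void LoginControl_LoggedIn(object sender, EventArgs e)
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(LoginDispatcher.IsLocalPath(returnUrl) ? returnUrl : "~/Employee/Default.aspx");
    }
}
```

Each per-area login page has to be readable by anonymous users, as the replies note, or the request bounces straight back to login.aspx.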
User661594866 posted
!!! u say... ASP.NET does let you have more than one login page - you can put the login controls on as many pages as you want.
How can u set more than one login page...This is my problem...
I have set permissions for folders or pages using "allow" and "deny" in web.config file. But the problem is ..I can't set multiple login pages in
the web.config file..Can u help me?
Tuesday, June 3, 2008 3:13 AM -
User1656371023 posted
But the problem is ..I can't set multiple login pages in the web.config file..
Did you set ' allow users="?" ' for each of your login pages, so that users can get to them before they are logged in?
Tuesday, June 3, 2008 3:22 AM -
User608566161 posted
Can i use log in control and then it will search in different datasource instead of the default log in control.
Scenario :
Regular Employee will use the default log in control and it will search asp.net configuration.
and then Nurse Employee will also use log in control but it will use different data source.
I am using a Vb.net 2005 and sql server 2008.
Thanks for the help,
Goi
Tuesday, March 8, 2011 2:00 AM -
User-1827453801 posted
This post is dead. Start a new post.
I don't think you can, however I have never bothered examining membership providers and the like.
Thursday, March 24, 2011 10:44 PM -
User608566161 posted
Hi Worldsspawn do you have a sample code for a simple portal .. thanks :)
Wednesday, April 13, 2011 2:38 AM -
User-1267303818 posted
This is possible, you just have to convert Sub1 and Sub2 from virtual folder to Applications in IIS. This is the same message you are getting from your error message as well.
Wednesday, September 21, 2016 5:56 AM