Securing your web site using session

When using ASP.NET, there are many ways to secure your web site pages: you can use Windows authentication, or the Forms Authentication services.

Through the ASP.NET forums, I noticed that many developers try to use the session to secure their web sites. They do this by storing some flag in the session, such as the user name, and then checking this value in their pages to make sure that the user is logged in.

Note: I recommend not using the session to secure the web site, because the session will time out, and so your users will need to log in again after every timeout period (20 minutes by default). Also, when using the session you will need to manage the user roles manually, whereas you don't have to worry about that if you use the Membership services.
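To show what the recommended alternative looks like, here is an added example (my code, not the author's demo) of the same login and redirect flow implemented with ASP.NET Forms Authentication, which issues the ticket, enforces its timeout and handles ReturnUrl itself. The control names UserNameBox, PasswordBox and ErrorLabel, and the web.config fragment quoted in the comment, are assumptions for the example; Membership.ValidateUser is the standard membership call.

```csharp
// Added example, not from the original post: login using Forms Authentication
// instead of a session flag.
// Assumed web.config (quoted in a comment because this block is C#):
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"
//            timeout="30" slidingExpiration="true" requireSSL="true" />
//   </authentication>
//   <authorization>
//     <deny users="?" />   (anonymous requests are redirected to loginUrl)
//   </authorization>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Controls assumed to exist in Login.aspx; they are declared here only
    // because this snippet has no generated designer file.
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Check the credentials against the configured membership provider
        // (or replace this call with your own user store).
        if (!Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // Keep the message generic so it does not say which part was wrong.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Writes the encrypted, HttpOnly forms-authentication cookie and redirects
        // to ReturnUrl. With the default enableCrossAppRedirects="false" a ReturnUrl
        // that points outside this application is not honoured and defaultUrl is
        // used instead, so the redirect cannot be pointed off-site.
        FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false /* not persistent */);
    }
}
```

With this in place the secured pages need no base class at all: the `<deny users="?" />` rule sends anonymous requests to the login page, `User.Identity.Name` gives the logged-in user name, and logging out is a call to `FormsAuthentication.SignOut()` followed by a redirect. Role checks come from the `<authorization>` element or `User.IsInRole`, which is the part the post says you would otherwise have to build by hand.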

However, if you still want to use the session, I will show you how to implement that correctly using a custom base page class.

Note: The base class contains the required checks, so you need to change your pages to inherit from this custom class instead of inheriting from the "System.Web.UI.Page" class, which is the default class for ASPX pages.

OK, take a look at the base page class below:

    using System;
    using System.Web;
    using System.Web.UI;

    /// <summary>
    /// This class is used as the base page class for all pages that need to be secured.
    /// If you want to make some pages secured, just let them inherit from this class
    /// instead of directly inheriting from System.Web.UI.Page.
    /// </summary>
    public class SecuredPage : System.Web.UI.Page
    {
        protected string LoginUrl
        {
            get { return "~/Login.aspx"; }
        }

        // Returns true if the current page is the login page.
        private bool IsLoginPage
        {
            get
            {
                return string.Equals(
                    VirtualPathUtility.GetFileName(Request.Path),
                    VirtualPathUtility.GetFileName(LoginUrl),
                    StringComparison.OrdinalIgnoreCase);
            }
        }

        // Property to get/set the user name from/in the session.
        private const string UserNameKey = "UserName";
        protected string UserName
        {
            get { return Convert.ToString(Session[UserNameKey]); }
            set { Session[UserNameKey] = value; }
        }

        protected string DefaultPage
        {
            get { return "Default.aspx"; }
        }

        protected void RequestLogin()
        {
            string currentUrl = Request.RawUrl;
            // UrlEncode (not HtmlEncode): the value is placed in a query string, not in HTML.
            Response.Redirect(LoginUrl + "?ReturnUrl=" + Server.UrlEncode(currentUrl));
        }

        // Only accept a ReturnUrl that stays inside this site: an app-relative ("~/...")
        // or root-relative ("/...") path, but not "//host/..." which browsers treat as
        // another site. Without this check a crafted login link could send the user
        // off-site after they sign in.
        private static bool IsLocalUrl(string url)
        {
            if (string.IsNullOrEmpty(url)) return false;
            if (url.StartsWith("~/")) return true;
            return url[0] == '/' && !(url.Length > 1 && (url[1] == '/' || url[1] == '\\'));
        }

        // Use this method to redirect the user after successful login.
        // It sends the user back to the original URL they were on, if one was recorded.
        protected void RedirectFromLoginPage(string targetUrl)
        {
            if (!string.IsNullOrEmpty(UserName))
            {
                string returnUrl = Request.QueryString["ReturnUrl"];
                if (IsLocalUrl(returnUrl))
                    Response.Redirect(returnUrl);
                else
                    Response.Redirect(targetUrl);
            }
        }

        // You can just call this overload; it redirects to the default page.
        protected void RedirectFromLoginPage()
        {
            RedirectFromLoginPage(DefaultPage);
        }

        protected override void OnInit(EventArgs e)
        {
            // If the user is not logged in, redirect to the login page.
            if (string.IsNullOrEmpty(UserName) && !IsLoginPage)
                RequestLogin();
            // Needed to initialize the base Page class.
            base.OnInit(e);
        }
    }

To use the above class, change your pages to inherit from it. Then, in the login page, you can handle the Authenticate event of your Login control like this:

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool authenticated = ValidateLogin(Login1.UserName, Login1.Password);
        if (authenticated)
        {
            // Store the user name in the session (the UserName property of SecuredPage).
            UserName = Login1.UserName;
            // Use this method instead of calling Response.Redirect directly,
            // because it remembers the page the user originally requested.
            RedirectFromLoginPage();
        }
    }

    private bool ValidateLogin(string userName, string password)
    {
        // Here you need to check the entered user name and password,
        // typically against the users table in the database, e.g.:
        // return UserBLL.ValidateUser(userName, password);
        // For this demo, let's just use user "admin" and password "admin".
        // Again: instead of this code, you must validate your users against a database or similar.
        return userName == "admin" && password == "admin";
    }

Note: The RedirectFromLoginPage() method will make sure to send the user back to the page that he/she was on.
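The demo above deliberately hard-codes admin/admin. As an added example (my code, not the author's), here is a ValidateLogin for the same Login page that verifies the password against a stored salted PBKDF2 hash with a constant-time comparison, and does the same amount of work for an unknown user name so that response time does not reveal which accounts exist. UserRecord, PasswordStore, FindUser and the constructed DemoUser record are assumptions for the example; a real site would load the record from its users table.

```csharp
// Added example, not from the original post: password verification against a
// salted PBKDF2 hash instead of a plain-text comparison.
using System;
using System.Security.Cryptography;

public class UserRecord
{
    public string UserName;
    public byte[] Salt;          // per-user random salt
    public byte[] PasswordHash;  // PBKDF2 output
    public int Iterations;       // stored with the record so it can be raised later
}

public static class PasswordStore
{
    const int SaltSize = 16, HashSize = 32, DefaultIterations = 100000;

    // Called when the account is created or the password changes.
    public static UserRecord Create(string userName, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return new UserRecord
        {
            UserName = userName,
            Salt = salt,
            Iterations = DefaultIterations,
            PasswordHash = Derive(password, salt, DefaultIterations)
        };
    }

    public static bool Verify(UserRecord user, string password)
    {
        byte[] candidate = Derive(password, user.Salt, user.Iterations);
        return FixedTimeEquals(candidate, user.PasswordHash);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte regardless of where the first difference is, so the
    // response time does not leak how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public partial class Login : SecuredPage
{
    // Constructed sample record for the demo; a real site loads it from the database.
    static readonly UserRecord DemoUser = PasswordStore.Create("admin", "change-this-demo-password");
    // Dummy record used when the user name is unknown, so the KDF still runs and the
    // timing of a failed login does not differ between unknown and known user names.
    static readonly UserRecord Dummy = PasswordStore.Create("", "");

    private static UserRecord FindUser(string userName)
    {
        return string.Equals(userName, DemoUser.UserName, StringComparison.OrdinalIgnoreCase)
            ? DemoUser : null;
    }

    private bool ValidateLogin(string userName, string password)
    {
        UserRecord user = FindUser(userName);
        bool hashMatches = PasswordStore.Verify(user ?? Dummy, password ?? string.Empty);
        return user != null && hashMatches;
    }
}
```

On .NET Framework the three-argument Rfc2898DeriveBytes constructor uses HMAC-SHA1 as the PRF; from 4.7.2 onwards there is an overload that takes a HashAlgorithmName if you want SHA-256. The iteration count is stored per record so existing users can be re-hashed to a higher count the next time they log in.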

I created a demo web site that shows how to use the SecuredPage class in your web site; you can download the demo [here].

Hope it helps.

Anas Ghanem

9 Comments

  • The fact that it times out is actually a good thing. We also use a custom role/permission system that is type safe (i.e. doesn't use strings), so it fits well with this model. For session time-outs we implement a light AJAX ping back to the server every few seconds, so as long as the browser is not closed it never times out. This also allows us to display a message to the user if the ping fails -- either the box is down, we uploaded something so their session was killed, etc. This way they can know that submitting the current form will fail.

  • Anas:
    I don't use any login control; I have Windows authentication, so in this scenario how would you deal with securing the web page? Any thoughts?
    Thanks.

  • How about logout?
    Can you tell me how to remove or break the session after logout?

    Please email me: chunwei87@hotmail.com

    Thanks for your help ^^

  • To log out, you just call the Session.Abandon() method, which will clear the user session.

  • OK, but after I tried it, it works.
    Now I have a problem: when the user clicks the "Back" button after logout, he/she can still see the last page before logout. Is there anything to avoid this happening?

  • >>Now I have a problem: when the user clicks the "Back" button after logout, he/she can still see the last page before logout. Is there anything to avoid this happening?
    ---------

    Hi Tan,
    This is a caching issue: the browser is caching the web page, and when you press the Back button you will see a cached version.

    To stop that behaviour, you can place the following line of code in the Page_Load of any page that you don't want to be cached in the client browser:

    Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);

  • Thanks a lot Anas, that helped me. Not suffering anymore.

  • How do you use the password textbox in a user control? It is indicated as a read-only property.

  • Thank you Anas, I am working on my senior project and your blog really helped me. God bless you my friend.
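Tying together the logout and Back-button points from the comments, here is an added example (not from the post or its demo download) that extends the post's SecuredPage with a Logout method and sends no-cache headers from every secured page rather than from individual Page_Load handlers. It assumes the SecuredPage class from the post is present, and that the session cookie has its default name, ASP.NET_SessionId.

```csharp
// Added example, not from the original post: logout plus no-cache headers,
// layered on top of the post's SecuredPage class.
using System;
using System.Web;
using System.Web.UI;

public class SecuredPageWithLogout : SecuredPage
{
    // Default ASP.NET session cookie name (assumed; change it if your web.config overrides it).
    const string SessionCookieName = "ASP.NET_SessionId";

    protected override void OnInit(EventArgs e)
    {
        // Applied to every secured page: no-cache plus no-store means that pressing
        // Back after logout re-requests the page from the server, which then redirects
        // to the login page because the session flag is gone.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // The post's login check runs here and redirects if UserName is empty.
        base.OnInit(e);
    }

    protected void Logout()
    {
        Session.Clear();    // remove UserName and any other per-user data right away
        Session.Abandon();  // discard the server-side session at the end of this request

        // Abandon() leaves the cookie in the browser; expire it explicitly so the
        // old session id is not sent again on the next request.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(expired);

        Response.Redirect(LoginUrl, true);
    }
}

// A page using the base class; LogoutButton is assumed to exist in the .aspx markup.
public partial class Default : SecuredPageWithLogout
{
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        Logout();
    }
}
```

The headers are set before base.OnInit so they are in place even when the base class ends the request with a redirect. Clearing the session cookie matters for the "session as login flag" design in particular: with the server-side session abandoned and the cookie gone, a reused browser tab has nothing left to present.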
