Simple ASP.Net Forms Authentication - Part: 1

Forms authentication is one of the ways to authenticate users. This type of authentication is used for applications accessed over the internet by general users (non-employees), such as a web portal. A typical web application has three types of web pages:

1) Pages for all users. Generally the home page, demo, etc.
2) Pages for registered users
3) Pages for admins

Examples are Amazon.com or Dell.com. They have pages that you can just browse. Then, to buy, you need to log in. They also have admins who add/modify items, with quantity and price, on the website.

To achieve forms authentication, the steps are:

1) Configure Web.config:
 a) Specify the login URL
 b) Specify the 'registered users only' section
 c) Specify the 'admin users only' section
2) Create the login page
3) Associate roles to the authenticated user in the Global.asax file. Typical roles are 'Member', 'Admin', 'SuperAdmin'. It is up to the site developers to associate each user with one or more roles in the database.

Web.config: Specify the login URL. Let all users have access to all the pages.
<authentication mode="Forms">
 <forms
  name="myLoginCookie"
  loginUrl="Login.aspx"
  protection="All"
  timeout="30"
 />
</authentication>
<authorization>
 <allow users="*"/>
</authorization>
With <allow users="*"/>, we want all users to have access to the entire website. Below, we write the configuration that restricts non-registered users from some sections of the site.

Web.config: Specify the pages to be protected. It is a good idea to put all the protected pages in a new folder. The following setting protects the "Members" folder from non-authenticated users:
<location path="Members">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
<deny users="?"/> denies access to all non-logged-in users (the "?" wildcard stands for anonymous users). Since no roles are specified, all logged-in users will be able to navigate to pages within the Members folder.

Web.config: Allow the Admin folder only for admins:
<location path="AdminPages">
 <system.web>
  <authorization>
   <allow roles="Admin,SuperAdmin"/>
   <deny users="*"/>
  </authorization>
 </system.web>
</location>
<deny users="*"/> denies the pages in the AdminPages folder to everyone, including users who are logged in, except users who belong to the Admin or SuperAdmin roles. The rules are evaluated in order and the first match wins, so the <allow roles="Admin,SuperAdmin"/> line must come before the <deny users="*"/> line. In the web pages, access for the Admin and SuperAdmin roles can be controlled by checking with the built-in code User.IsInRole("SuperAdmin").

Putting it all together:
<configuration>
 <system.web>
  <authentication mode="Forms">
   <forms
    name="myLoginCookie"
    loginUrl="Login.aspx"
    protection="All"
    timeout="30"
   />
  </authentication>
  <authorization>
   <allow users="*"/>
  </authorization>
 </system.web>

 <location path="Members">
  <system.web>
   <authorization>
    <deny users="?"/>
   </authorization>
  </system.web>
 </location>

 <location path="AdminPages">
  <system.web>
   <authorization>
    <allow roles="Admin,SuperAdmin"/>
    <deny users="*"/>
   </authorization>
  </system.web>
 </location>
</configuration>
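As an added example (not code from the original post), here is the login page code-behind and the Global.asax handler that steps 2 and 3 call for: the login page validates the submitted credentials and issues the forms ticket configured above, and Global.asax attaches the user's roles on each request so that the <allow roles="..."/> rules and User.IsInRole work. UserStore.ValidateCredentials and UserStore.GetRolesForUser are assumed application-specific database lookups, and txtUser, txtPassword, lblError and btnLogin are assumed controls on Login.aspx; none of these are framework APIs.

```csharp
// Login.aspx.cs: step 2, the login page code-behind
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // txtUser, txtPassword and lblError are assumed controls on Login.aspx.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // UserStore.ValidateCredentials is an assumed application method that
        // compares the submitted password with the stored hash for that user.
        if (UserStore.ValidateCredentials(txtUser.Text, txtPassword.Text))
        {
            // Issues the "myLoginCookie" ticket from Web.config (protection="All"
            // encrypts and signs it) and returns the user to the page that sent
            // them here; a ReturnUrl outside this application is refused by default.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for both unknown user and wrong password.
            lblError.Text = "Invalid username or password.";
        }
    }
}

// Global.asax.cs: step 3, attach the user's roles on every request
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // By this point FormsAuthenticationModule has decrypted and validated the
        // ticket, so ctx.User is authenticated only when the cookie is genuine.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;

        // UserStore.GetRolesForUser is an assumed lookup against the user/role
        // table; roles always come from the server, never from the request.
        string[] roles = UserStore.GetRolesForUser(identity.Name);

        // GenericPrincipal is what <allow roles="..."/> and User.IsInRole consult.
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the roles are looked up on every request rather than stored in the cookie, removing a user from the Admin role in the database takes effect immediately without waiting for the ticket to expire.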