Rufus,
Here is the core logic of my login.aspx page. It does what you want.
If you goto the login.aspx page while already logged in, it will log you
out. (This is a nice feature, so that you can have a "sign out" link on
every page)
If you go directly to the login.aspx page (before being logged in), it
redirects you to page of choice after logging in. (mine happens to be
"hours.aspx")
If you do login succesfully, then attempt to go to page your are not
autherized to go to, it will redirect you back to the login page and explain
why. (cool)
If you attempt to go to a page before logging in it will (of course)
redirect to login page, with an explanation of what happened. (normally I
have the error message commented out, since users already undestand they
need to login before using site)
Hope this isn't information overload, but there is a lot of useful stuff
going on here that I wanted to share. :^)
PS: My login.aspx page mimics hotmail's login; it has a "don't remember
username on public computer" feature. (It did have a remember password
checkbox also, but that is commented out here.)
If anything is not clear, just ask!
Greg
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
'Put user code to initialize the page here
If Not Page.IsPostBack Then
Dim returnUrl As String = Request.QueryString("ReturnUrl")
If Not (returnUrl = Nothing) Then
' Is the user currently authenticated??
If User.Identity.IsAuthenticated Then
' If YES, then they must be here because they attempted
to access a page
' that they do not have authorization to access
' throw them back to default, not where they were trying
to go
' do this in case cannot login with correct role...
ViewState("RedirectHome") = True
lblReason.Text = "You have arrived at the login page for
the following reason:<br><br>"
lblReason.Text &= "You are not in the correct role to
view the page that your were attempting to view.<br><br>"
Else
' If NO, then they must be here because they attempted
to access a page
' and they have not yet been authenticated
lblReason.Text = "You have arrived at the login page for
the following reason:<br><br>"
lblReason.Text &= "You are not currently
authenticated.<br><br>"
End If
Else
' returnURL is blank, user must have purposefully went to
login page
' if currently sign in, sign em out...
If User.Identity.IsAuthenticated Then
' Redirect to requested URL, or homepage if no previous
page requested
FormsAuthentication.SignOut()
' not running Session.Abandon(), Session.Clear() will
run if sucessful sign in occurs
' don't see need to do it...
'Session.Abandon()
'Response.Redirect("login.aspx")
End If
End If
' prefill username from previous login...
If Not Request.Cookies("RememberMe") Is Nothing AndAlso
Request.Cookies("RememberMe").Value = "1" Then
chkRememberMe.Checked = True
Request.Cookies.Remove("Username")
End If
If Not Request.Cookies("Username") Is Nothing Then
Dim sCookieValue As String =
Request.Cookies("Username").Value
txtUsername.Text = sCookieValue
SetFocus(txtPassword.ClientID)
Else
SetFocus(txtUsername.ClientID)
End If
End If
End Sub
Private Sub LoginClick()
If Not Page.IsValid Then Exit Sub
' Attempt to Validate User Credentials...
Dim EmpID As Integer = eTime.Security.Login(txtUsername.Text,
txtPassword.Text)
If EmpID > 0 Then
' don't do a Session.Abandon, that would get GetEmployeeDetails
to run twice
' once below and again in Session_Start
Session.Clear() ' clear any previous logins!!!
' Lookup the employee's full account details
Dim myEmpDetails As eTime.EmployeeDetails =
eTime.EmployeesDB.GetEmployeeDetails(EmpID)
Session("MyDetails") = myEmpDetails ' save it away!!!
If myEmpDetails.Disabled = True Then
ignoreconditionvalidator1.ErrorMessage = "This account has
been disabled."
ignoreconditionvalidator1.IsValid = False
Exit Sub
ElseIf myEmpDetails.ForcePWDChange = True Then
pnlLogin.Visible = False
pnlPWDChange.Visible = True
SetFocus(txtNew.ClientID)
' save EmpID in viewstate in case sits on change pwd page
longer than session timeout...
ViewState("EmpID") = EmpID
ViewState("PasswordHashWithoutSalt") =
eTime.Security.CreatePasswordHashWithoutSalt(txtPassword.Text)
Exit Sub
End If
Authenticate(EmpID, myEmpDetails.Roles)
Else
ignoreconditionvalidator1.ErrorMessage = "Invalid username or
password. Please try again."
ignoreconditionvalidator1.IsValid = False
SetFocus(txtPassword.ClientID)
End If
End Sub
Private Sub Authenticate(ByVal EmpID As Integer, ByVal Roles As String)
' Create a new ticket used for authentication
' Make the cookie persistent only if the user selects "persistent"
login checkbox
Dim ticket As FormsAuthenticationTicket = New
FormsAuthenticationTicket(1, _
EmpID.ToString, _
DateTime.Now, _
DateTime.Now.AddHours(12), _
False, _
Roles)
Dim cookie As HttpCookie = New
HttpCookie(FormsAuthentication.FormsCookieName)
cookie.Value = FormsAuthentication.Encrypt(ticket)
'If (chkRememberLogin.Checked) Then cookie.Expires =
ticket.Expiration 'not currently using this
Response.Cookies.Add(cookie)
If Not chkRememberMe.Checked Then
Dim cook1 As New HttpCookie("Username")
cook1.Expires = DateTime.MaxValue
cook1.Value = txtUsername.Text.ToLower
Response.Cookies.Add(cook1)
Else
Response.Cookies.Remove("Username")
End If
Dim cook2 As New HttpCookie("RememberMe")
cook2.Expires = DateTime.MaxValue 'now.AddDays(1)
If chkRememberMe.Checked Then
cook2.Value = "1"
Else
cook2.Value = "0"
End If
Response.Cookies.Add(cook2)
Dim returnUrl As String
' Redirect to requested URL, or homepage if no previous page
requested (returnURL = nothing when clicked on logout)
returnUrl = Request.QueryString("ReturnUrl")
If (returnUrl = Nothing) Or Not ViewState("RedirectHome") Is Nothing
Then returnUrl = "~\hours.aspx"
' Don't call FormsAuthentication.RedirectFromLoginPage since it
could
' replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl, False)
End Sub
Private Sub SetFocus(ByVal clientID As String)
Dim strjscript As String = "<script language=""javascript"">"
strjscript &= "document.getElementById(""" & clientID &
""").focus();"
strjscript &= "</script" & ">" 'Don't Ask, Tool Bug
Page.RegisterStartupScript("MYsetfocus", strjscript)
End Sub
