How to have multiple logins with ASP.Net?

Question

I'm working on a website with an internal and an external section.

The users for both sections are different so they require a different login page. I wanted to configure the authentication differently for both folders, but ASP.Net but it's not allowed.

Example (in my main web.config):

<authentication mode="Forms">
    <forms loginUrl="~/Pages/Internal/Main.aspx" defaultUrl="~/Pages/Internal/Main.aspx" cookieless="UseDeviceProfile" name=".ApplicationAuthenticatedUser" path="/" protection="All" slidingExpiration="true" timeout="45"/>
</authentication>

And in the external subfolder, I try to overwrite the settings:

<authentication mode="Forms">
    <forms loginUrl="~/Pages/External/Default.aspx" defaultUrl="~/Pages/External/Default.aspx" cookieless="UseDeviceProfile" name=".ApplicationAuthenticatedUser" path="/Pages/External" protection="All" slidingExpiration="true" timeout="45"/>
</authentication>

However this gives me an error.

I tried putting both of them in their subfolders but I get the same error, the authentication configuration section must be set at the application level (I'm guessing that means the root web.config).

---

A possible solution is to centralize the login page and redirect depending on where the request came from, if it came from an external page, send it to the external login page, otherwise to the internal one.

It would work, but if it's possible I'd like the solution where I can configure this in the web.config.

Thanks

Answer 1

I am confused? Why two user data stores? I understand internal versus external, but if this is the same application, you can assign roles to give more permissions to your internal users. In addition, you can allow your internal users to access the site from home without VPN.

Even so, if you must have two stores, your best bet is duping the application. It can be the exact application, but you put it on one internal server and one external. Then you can authenticate the users at different locations. Note, however, that you still need roles, unless you are kludging up the application.

If you need to authenticate against two stores, you can do it with a custom provider. The ASP.NET login model allows for custom providers and it is very easy to build one: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx http://msdn.microsoft.com/en-us/library/aa479048.aspx

Now, if you must redirect to different pages (you are stuck in this model for some reason?), you can possibly do it by IP address. It is likely your internal network uses a 10 dot or 192 dot IP scheme. If so, those addresses get transfered to internal. The rest to external. This will require you setting up something that does the redirect. I know you can do this on the login page, if not with an HTTP Handler.

This seems like an awful lot of work, however. I still do not see the picture of why you have to accomplish the task in this manner.

Answer 2

If you can run as two different IIS applications then you can have different authentication providers (or different instances of the same provider... possibly using the same database with the application attribute on the provider to distinguish).

But different web apps means no shared state (Application and Session) and duplicating the install. For an intranet/internet this would allow the external deployment to not include components that no internet user can access (and thus improve security by reducing surface area).

Otherwise you might need a custom authentication provider that forwards to one of the built in ones depending on who is logging in.

Answer 3

If your your site is a single web application, you could probably use the ASP.NET Role Provider model for that, having two roles, one for internal and one for external pages (you can configure that pr. folder with the <location> configuration element).

For more information, see http://msdn.microsoft.com/en-us/library/9ab2fxh0.aspx

Answer 4

I have a simple way of handling this that might be of use to somebody. I basically want to be able to use the same code for a guest login and a registered user. I also have a mobile version of the website that I want to send to a different login page when the authentication ticket expires.

Probably not the most elegant solution, but simple enough:

    Public Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs)
        If Page.IsValid Then
            Dim userLogin As String = ""

            userLogin = System.Guid.NewGuid.ToString
            FormsAuthentication.RedirectFromLoginPage(userLogin, False)
            ' place a url param throughout my app, only four pages so no 
            ' big problem there in this case g stands for guest           
            Response.Redirect("menu.aspx?m=g", False)

        End If
End Sub

Then, in Global.asax:

    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)

        If Not Request.IsAuthenticated And _
(Not Request.RawUrl.ToLower.Contains("guestlogin.aspx")) And _
(Not Request.RawUrl.ToLower.Contains("registeredlogin.aspx")) And _
(Not Request.RawUrl.ToLower.Contains("mobilelogin.aspx")) Then
            Response.Redirect("spLogin.aspx?m=" & Request.QueryString("m"))
        End If

    End Sub

Then, in your login page (the one specified in your Web.config):

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            If Not Page.IsPostBack Then
    if request.querystring("m")="g" then
                    Response.Redirect("guestlogin.aspx?m=g")

    elseif  request.querystring("m")="r" then
                    Response.Redirect("registeredlogin.aspx?m=r")
    elseif  request.querystring("m")="m" then
                    Response.Redirect("mobilelogin.aspx?m=m")

end if
End If
End Sib