Session Authentication In ASP.NET

Session Authentication In ASP.NET

What is Authentication

Authentication is a process of identifying a person. It is commonly done through the use of login page which asks a user to enter his username and password. In ASP.NET websites you can do the authentication of a user by matching his user id and password with the one stored in the database. If both his username and password matches only then he is allowed to view secured areas of the website.

In this tutorial we will show how to do Session Authentication. When he is authenticated we store a key named ‘Authenticate’ with value ‘true’ in the session variable. This key is checked in all the secured pages, if it does not contain true value in secured pages then the user is redirected to the login page.

HTML Of the Login Page

In our login page we have two textboxes one for ‘User Name’ and other for ‘Password’. There is a submit button in the end on whose click event our authentication code runs. The label ‘lblMsg’ is used to show the authentication message.

User Name
Password

The click Event of the Submit Button

In the click event of the button we are passing the username and password typed in the textboxes to the stored procedure named ‘sp_AuthenticateUser’. The work of this stored procedure is to match the username and password in the database. It they matches message ‘Authentication Successful’ is shown in the message label and a Session key ‘Authenticate’ is created and he is redirected to the secured page.

protected void submitButton_Click(object sender, ImageClickEventArgs e)
    {
        SqlConnection conn = new SqlConnection();
        conn.ConnectionString=ConfigurationManager.ConnectionStrings["OtcCS"].ConnectionString;
        SqlCommand cmd = new SqlCommand("sp_AuthenticateUser", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 100);
        cmd.Parameters.Add("@password", SqlDbType.VarChar, 50);
        cmd.Parameters.Add("@msg", SqlDbType.VarChar, 50);  
        cmd.Parameters["@UserName"].Value = txtUserName.Text;
        cmd.Parameters["@password"].Value = txtPassword.Text;
        cmd.Parameters["@msg"].Direction = ParameterDirection.Output;
        conn.Open();
        int i = cmd.ExecuteNonQuery();
        conn.Close();
        string msg = cmd.Parameters["@msg"].Value.ToString();
        lblMsg.Text = msg;
        if (msg == "Authentication Successful")
        {
            Session["Authenticate"]="true";
            Response.Redirect("securedpage.aspx");
        }
    }

The Stored Procedure which check the Username and Password

CREATE proc [dbo].[sp_Authenticate]
@UserName varchar(100),
@password varchar(50), 
@msg varchar(50)=null output

AS
declare @rowcount  int
select @rowcount=count(*) from AdminUser where [email protected] and cast(password as varbinary)=cast(@password as varbinary)

IF @rowcount <> 0
BEGIN
 SET @msg = 'Authentication Successful'
END
ELSE
BEGIN
	SET @msg = 'Invalid LoginId or Password'
END

Note that the usernames and passwords are stored in the database table ‘AdminUser’. It has just two columns which are given below.

1. UserName             varchar(100)

2. Password                varchar(50)

Secured Pages

It should be noted that we also check the value of the session key in all our secured page so that user does not simply type the secured page url and access it. To do this – In the Page Load event of our secured pages add the following code.

protected void Page_Load(object sender, EventArgs e)
{
    if (Convert.ToString(Session["Authenticate"]) !="true")
    {
        Response.Redirect("~/login.aspx");
    }
}

Thus in this way you can easily do Session Authentication in Asp.Net.

Share this article -

yogihosting

ABOUT THE AUTHOR

This article has been written by the Technical Staff of YogiHosting. Check out other articles on "WordPress, SEO, jQuery, HTML" and more.

Enter your email address

Subscribe to this blog and receive notifications of new posts by email. Join over 81,000 other subscribers

Don't worry we won't spam.

subscribers