check if user logged in asp.net in all pages of the project

Question

I have 2 webfor I want user to login through the loginsp.aspx page and when enter the correct username and password redirect to userhome.aspx. now if user logged out and copy the url of userhome.aspx I need redirect user to loginsp.aspx

1- loginsp.aspx

cmd.Connection = cn;
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@vtxtUser", txtUser.Text);
cmd.Parameters.AddWithValue("@vtxtPass", txtPass.Text);
cn.Open();

if(cmd.ExecuteScalar()!=null)
{
    Session["user_name"] = txtUser.Text;
    Response.Redirect("~/authorized/userhome.aspx");
}
else
{                
    lblMsg.Text = "wrong login";
}

2-userhome.aspx

  protected void Page_Load(object sender, EventArgs e)
        {
            string vUser = Session["user_name"].ToString();
            if (vUser != "")
            {
                lblUser.Text = x;
            }else{
                Response.Redirect("~/loginSP.aspx");
            }
        }
        protected void LinkButton1_Click(object sender, EventArgs e)
        {
            Session.Clear();
            Response.Redirect("loginsp.aspx");
        }

Answer 1

you should use this code on page load event of all pages

if(Session["user_name"]==null)
{
Response.Redirect("~/loginSP.aspx");
}

its working fine

Answer 2

As you are not using ASP.NET Membership for your application and using custom implementation for authentication and authorization of users.

I would have used following approach if I were you.

1. Create a base page for pages you want to allow only authenticated users to access.
2. Create a session variable for storing information for user login.
3. Check in base page if user is authenticated or not.
4. If user is authenticated allow him to view page, else redirect to login page.

Advantage of this approach would be. 1. Central logic to handle if user should be allowed to view page or should be redirected to login page at one place. 2. New pages can use this Base Page class as their base class to allow authenticated access to your users. 3. You can make page publicly accessible or authenticated access to page only by removing base class of the page.

Hope this helps.

Thanks.

Answer 3

You need to subclass AuthorizeAttribute and override its implementation to check for a user the way you want.

public class MyCustomAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        string vUser = httpContext.Session["user_name"].ToString();
        if (vUser != "")
        {
            return true; // yay user found
        }
        return false; // user not found, this will cause the redirection to kick in
}

Now in your web config you can specify where you want them to be redirected.

<authentication mode="Forms">
      <forms name="yourAuthCookie" loginUrl="~/loginSP.aspx" protection="All" slidingExpiration="true" timeout="60" />
    </authentication>

Now you can just use the attribute on your page.

[MyCustomAuthorize] // any page with this attribute will first check if they are loggged in
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }
}