C# cookie based authorization

Question

I am implementing C# authorization using jquery cookies for my page. I set/encrypt username and password in the cookie and in my admin page, if I recognize cookie, then the user is authorized. If not, he gets redirected to the login page. The problem is, that cookie is read after page is loaded, so I can manually hit admin page and only in couple seconds it will get redirected. How do I prevent loading admin page for visitors, who have no cookie yet? What is a correct architecture for cookie based authorization?

Note: I am not using ASP.NET roles or User tables. I implemented my own tables for users.

Answer 1

I suspect that you're re-inventing the wheel. You don't have to use the Membership Provider and ASP.Net membership schema in order to take advantage of forms authentication. When the user logs in, simply drop the Auth Ticket (cookie) on them and you're done. You can then simply do the admin check on the admin page.

Some suggestions below...

Edit: I originally posted a means of storing roles in the Auth Ticket via UserData, but I think it's overkill for this situation.

Web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="30" slidingExpiration="true" />
</authentication>
. . .
<membership>
  <providers>
    <clear />
  </providers>
</membership>

Post login: When the user submits their username and password, validate them and check to see if they are an admin:

if (UserIsValid(username, pwd)) // some validation call
{
    FormsAuthentication.SetAuthCookie(username, true);
}

Admin.aspx: Finally, a quick hack to restrict access to an admin page. When the page loads, check that the user is / is not an admin:

if (!IsAdmin(User.Identity.Name)) // some admin call
    Response.Redirect("Default.aspx");

Answer 2

The problem is, that you use client side code for your security check. If someone would disable JavaScript completely, he would never be redirected. Move the check to your server side code.