Listing 5. managerLogin.aspx

 
<%@ Page Language="C#" ContentType="text/html" ResponseEncoding="iso-8859-1" %>
<%@ Register TagPrefix="MM" Namespace="DreamweaverCtrls"
Assembly="DreamweaverCtrls,version=1.0.0.0,publicKeyToken=836f606ede05d46a,culture=neutral" %>
 

The Page_Load function below checks whether the user is already authenticated and holds the manager role. Request.IsAuthenticated returns true when the forms authentication module has accepted a valid, unexpired ticket from the incoming request; it says nothing about roles, so the role stored in the ticket's UserData has to be checked explicitly, which is what the code does next. Read the ticket cookie by the name configured in web.config (FormsAuthentication.FormsCookieName, the same name Login_Click uses when it creates the cookie) rather than a hard-coded string, and treat a missing or undecryptable cookie as "not a manager" instead of letting it throw.

 
<script runat="server">
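// Already-authenticated visitors never see the login form: they are routed
// by role.  Anyone carrying a valid ticket whose UserData is "manager" goes
// to the manager area; every other authenticated user goes to the home page.
// Unauthenticated requests fall through and render the form.
protected void Page_Load(Object Src, EventArgs E)
{
   if (!Request.IsAuthenticated)
   {
      return;
   }

   // Look the cookie up by the name configured in web.config.  Login_Click
   // below writes it under FormsAuthentication.FormsCookieName, so a
   // hard-coded "SECAUTH" only works when web.config happens to use that
   // name; otherwise Request.Cookies[...] is null and .Value throws.
   HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
   FormsAuthenticationTicket ticket = null;
   if (authCookie != null && authCookie.Value != null && authCookie.Value.Length > 0)
   {
      try
      {
         ticket = FormsAuthentication.Decrypt(authCookie.Value);
      }
      catch (Exception)
      {
         // A tampered or otherwise undecryptable cookie is treated as no
         // ticket at all rather than surfacing as a server error.
         ticket = null;
      }
   }

   // The role lives in UserData, inside the encrypted/validated ticket, so it
   // cannot be edited client-side.  Expired is re-checked as belt-and-braces
   // even though the module already rejects expired tickets.
   if (ticket != null && !ticket.Expired && ticket.UserData == "manager")
   {
      // Manager role: straight to the manager's index page.
      Response.Redirect("/manager/index.aspx");
   }
   else
   {
      // Authenticated but not a manager (or no usable ticket): home page.
      Response.Redirect("/");
   }
}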
</script>
 

The Login_Click function is the event handler for the asp:button's OnClick event. It is almost identical to the section in the member's login.aspx Page_Load function. The differences are as follows:

  • The name of the dataset with the username and password info is DS_managerLogin.
  • The role in the FormsAuthenticationTicket is "manager" instead of "member."
  • The Login_Click function redirects to the manager's index page rather than the member's index page.
 
<script runat="server">
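// OnClick handler for the Login asp:button.  Verifies the posted credentials
// against the single manager row returned by DS_managerLogin, issues a
// 30-minute forms authentication ticket carrying the "manager" role in
// UserData, and redirects to the requested local page (or the manager index).
// On failure the same generic message is shown whichever field was wrong.
void Login_Click(Object sender, EventArgs E) 
{
   String user = username.Value;
   String pass = password.Value;

   // Refuse blank credentials before comparing anything.  The dataset
   // parameters substitute "" for a missing field, and if FieldValue()
   // also yields "" for an empty result set, an empty submission would
   // otherwise compare equal on both columns.
   bool blank = (user == null || user.Length == 0 ||
                 pass == null || pass.Length == 0);

   // DS_managerLogin's SQL already filters on both columns, so a row only
   // comes back for a matching pair; the ordinal, case-sensitive == below
   // re-checks the exact values and also rejects a null/"" FieldValue().
   // NOTE(review): the password column is compared in clear text, i.e. the
   // manager table stores the password unhashed.  Store a salted hash and
   // compare hashes instead.
   if (!blank &&
       user == DS_managerLogin.FieldValue("username", null) &&
       pass == DS_managerLogin.FieldValue("password", null))
   {
      // The user has been authenticated as the website manager.
      FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
            user,                          // authenticated name
            DateTime.Now,                  // issue time
            DateTime.Now.AddMinutes(30),   // expires in 30 minutes
            false,                         // session cookie, not persistent
            "manager");                    // role kept in UserData (inside the protected ticket)

      // The ticket is encrypted/signed by FormsAuthentication before it is
      // put in the cookie; the cookie name comes from web.config.
      HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                         FormsAuthentication.Encrypt(ticket));
      // Keep client-side script from reading the ticket (HttpCookie.HttpOnly
      // is .NET 1.1+).  NOTE(review): also set cookie.Secure = true once the
      // whole site is served over HTTPS.
      cookie.HttpOnly = true;
      Response.Cookies.Add(cookie);

      // Not FormsAuthentication.RedirectFromLoginPage: it would write its own
      // ticket (without the role in UserData) over the one just added.
      // QueryString lookup is case-insensitive, so "ReturnUrl" also matches.
      String returnUrl = Request.QueryString["ReturnURL"];
      if (!IsLocalPath(returnUrl))
      {
         // Missing or off-site target.  Never follow an arbitrary ReturnURL
         // after login (open redirect); fall back to the manager index.
         returnUrl = "/manager/index.aspx";
      }
      Response.Redirect(returnUrl);
   }
   else 
   {
      Msg.Text = "Invalid Username or Password: Please try again";
   }
}

// True only for a path inside this application: "~/..." or a path that
// starts with a single "/".  "//host" and "/\host" are rejected because
// browsers treat them as protocol-relative links to another site.
private static bool IsLocalPath(String url)
{
   if (url == null || url.Length == 0)
   {
      return false;
   }
   if (url.StartsWith("~/"))
   {
      return true;
   }
   if (url[0] != '/')
   {
      return false;
   }
   return !(url.Length > 1 && (url[1] == '/' || url[1] == '\\'));
}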
</script>
 

The DS_managerLogin dataset exhibits these properties:

  • The manager table in the database has a single row corresponding to the single manager login account.
  • The Expression causes the dataset to be executed only on a postback, which makes sense because the posted form fields are the parameters of the CommandText's SQL statement. Because the username and password travel as the @username and @password parameters rather than being pasted into the SQL text, the query is not open to SQL injection. Note, however, that the password column is compared directly against the posted value, so the manager table stores the password in clear text; a production system should store a salted hash and compare hashes instead.
 
<%-- DS_managerLogin: runs only on postback (Expression='IsPostBack') and
     looks up the single manager row.  Both posted values travel as SQL
     parameters (@username / @password) and are never concatenated into
     CommandText; an absent field is sent as "".  Connection details come
     from web.config AppSettings (MM_CONNECTION_STRING_security,
     MM_CONNECTION_DATABASETYPE_security).
     NOTE(review): Debug="true" -- confirm what the Dreamweaver DataSet emits
     to the page in this mode before deploying, and turn it off for production.
     NOTE(review): the password column is compared in clear text by
     Login_Click, i.e. it is stored unhashed. --%>
<MM:DataSet 
id="DS_managerLogin"
runat="Server"
IsStoredProcedure="false"
ConnectionString='<%# System.Configuration.ConfigurationSettings.AppSettings["MM_CONNECTION_STRING_security"] %>'
DatabaseType='<%# System.Configuration.ConfigurationSettings.AppSettings["MM_CONNECTION_DATABASETYPE_security"] %>'
CommandText='<%# "SELECT username, password FROM manager WHERE  username=@username AND password=@password" %>'
Expression='<%# IsPostBack %>'
Debug="true"
> 
  <Parameters> 
    <Parameter  Name="@username"  Value='<%# ((Request.Form["username"] != null) && (Request.Form["username"].Length > 0)) ?       Request.Form["username"] : "" %>'  Type="VarChar"   /> 
    <Parameter  Name="@password"  Value='<%# ((Request.Form["password"] != null) && (Request.Form["password"].Length > 0)) ?       Request.Form["password"] : "" %>'  Type="VarChar"   /> 
  </Parameters>
</MM:DataSet>

<%-- Binds the data-binding expressions above on postback as well as on the
     first request, so the parameters pick up the posted values. --%>
<MM:PageBind runat="server" PostBackBind="true" />
 

Next comes the HTML portion of the managerLogin.aspx page:

 
[Insert managerLogin.jpg]
 

This page looks almost identical to the member's login page; the main difference is that an asp:button is used for the Login button instead of the input tags (with type=image and runat=server) that the member page uses for its Login and Cancel buttons. This listing has no Cancel button.

 
<%-- Manager login form.  The username/password server controls post back to
     Login_Click (the asp:button below); Msg shows the same failure text
     whichever field was wrong, so the form does not reveal which one it was.
     NOTE(review): credentials are posted in the clear unless this page is
     served over HTTPS -- confirm the deployment forces TLS for this URL. --%>
<html>
<head>
<title>Manager Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<form runat="server">
 <table border="0" align="center" cellpadding="5" cellspacing="0">
    <tr bgcolor="#0000FF" class="bodyText"> 
      <td colspan="2" align="center" valign="top" > 
        <font color="#FFFFFF"><b>Manager login</b></font>
     </td>
    </tr>
    <tr class="bodyText"> 
      <td>Username:</td>
      <td>
          <%-- Read server-side as username.Value in Login_Click. --%>
          <input id="username" type="text" runat=server/>
     </td>
    </tr>
    <tr class="bodyText"> 
      <td>Password:</td>
      <td>
      <%-- Read server-side as password.Value in Login_Click. --%>
      <input id="password" type=password runat=server/>
     </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"> 
      <asp:button text="Login" OnClick="Login_Click" runat=server/>
      </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"> 
      <%-- Generic "Invalid Username or Password" message is set here on failure. --%>
      <asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat=server />
      </td>
    </tr>
  </table>
</form>
</body>
</html>