interview

home / developersection / interviews / how do you implement role-based, using forms authentication and the authorize attribute, web.config?

Ask Question

How do you implement role-based, using Forms Authentication and the Authorize attribute, Web.config?

ICSM Computer 169 02-Jun-2025
c# c#  authentication 
Updated on 02-Jun-2025
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

02-Jun-2025

To implement role-based authorization using Forms Authentication, you can control access by assigning roles to users and then:

  1. Using the [Authorize(Roles = "...")] attribute (in ASP.NET MVC or Web API), or
  2. Declaring role restrictions in the web.config file (for Web Forms or general path-based protection).

Step-by-Step Guide

Step 1: Assign Roles to the User on Login

When authenticating a user, create a FormsAuthenticationTicket and embed roles in the ticket:

Example (Login Code - Global.asax or Auth Controller)

string[] roles = { "Admin", "Manager" }; // Roles from DB
string userData = string.Join(",", roles); // Store roles in ticket

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,
    username,
    DateTime.Now,
    DateTime.Now.AddMinutes(30),
    false,
    userData // ← roles here
);

string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
Response.Cookies.Add(cookie);

Step 2: Extract Roles on Each Request (Global.asax)

Hook into Application_AuthenticateRequest to extract the roles from the cookie and assign them to the current principal:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
        string[] roles = ticket.UserData.Split(',');

        var identity = new FormsIdentity(ticket);
        var principal = new GenericPrincipal(identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}

Option 1: Use [Authorize(Roles = "...")] (MVC/Web API)

Use the [Authorize] attribute to restrict controllers or actions:

[Authorize(Roles = "Admin")]
public ActionResult AdminPanel()
{
    return View();
}

[Authorize(Roles = "Admin,Manager")]
public ActionResult Reports()
{
    return View();
}

Option 2: Use <authorization> in web.config

Use this for restricting folders/pages (Web Forms or static files):

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

You can also restrict specific pages:

<location path="Reports.aspx">
  <system.web>
    <authorization>
      <allow roles="Manager,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

Summary

Method Usage
FormsAuthenticationTicket Embed roles in ticket via UserData
Application_AuthenticateRequest Extract and assign roles on every request
[Authorize(Roles = "...")] Role-based access for MVC/Web API
web.config <authorization> Role-based access for static pages or folders

 

advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy