The following describes the easiest way I have found to force users to log into an ASP.NET website for each session but not require them to accept cookies. You must do the following things.
- Create a Web.config file with the appropriate entries to allow session state management.
- Create a well formed Global.asax file with the code below included in it.
- Create a login page to authenticate users against a database or whatever method you desire.
' Fires when the session is started and sets the default loggedin state to "" Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs) Session("Loggedin") = "" CheckLoggedIn() End Sub
' Called when the request has been process by the Request Handler and ' HttpSessionState is available [This is the key piece of code that forces ' the user is login check with each page request] Sub Application_OnPostRequestHandlerExecute() CheckLoggedIn() End Sub
'Check that the user is logged in. Sub CheckLoggedIn() 'If the user is not logged in and you are not currently on the Login Page. If Session("LoggedIn") = "" And InStr(Request.RawUrl, "Login.aspx") = 0 Then Response.Redirect("~/Login/Login.aspx") End If End Sub
Finally create a Login.aspx file that authenticates the user. If the user is allowed in, set:
Session("Loggedin") = "Yes"
That's all there is to it. Hope this helps! Enjoy!