Redirecting a user after login to a C# ASP .NET web application is a common feature found in most web applications. It’s also quite common to have multiple types of users logging into the ASP .NET web application, differing by the type of role membership they belong to, and each requiring a redirect to their specific landing page. While this can certainly be achieved with a couple of Response.Redirect() calls, you can create a much more robust automatic redirect-by-role solution.
This article describes how to automatically redirect users upon login, based upon their role membership. Since the list of redirect URLs may change frequently, we’ll store them conveniently within the web.config configuration file. New user roles and redirect URLs can be added without recompilation of the C# ASP .NET web application.
When redirecting users after login based upon their role, the first approach that comes to mind is a couple of if/then and Response.Redirect statements, as follows:
However, what happens when we need to add another login redirect to the system for a new role type? We would have to edit the if/then block, add a new conditional, and re-compile the web application. Eventually, this can create a mess. Consider the following:
As you can tell, the list isn’t looking pretty. We can break this down into a much cleaner system by pulling the decision logic out of the if/then statements and moving it to the web.config, where we can quickly and easily change it without re-compiling or changing code.
We’ll start off by defining the list of URLs that our users will be redirected to, based upon their role membership. The URLs will be listed in the web.config, for easy modification at a later time. This decouples the list of URLs from the web application source code and allows us to quickly add new roles and login redirects on the fly. The web.config redirect login block appears as follows:
Notice that in the above web.config section we’ve defined a custom section block named loginRedirectByRole. This block holds a list of roleRedirects. The roleRedirects list functions in the same way as adding connection strings to your web.config. In this manner, it should be extremely easy to add and remove roles and login redirects.
Each item added to the roleRedirects list consists of a role name and a URL. In the example above, we’ve defined two roles: Administrator and User, which automatically redirect to their own landing page after login. It’s important to note that the redirected pages exist in their own sub-folders, separated by role. This is important so that you can create separate web.config files to restrict access to those folders by role. For example, the ~/User/ folder contains the following web.config file:
Only users who belong to the User role will be allowed to access this folder. Similarly, the ~/Admin/ folder contains the following web.config file:
Only users who belong to the Administrator role will be allowed to access this folder. You could easily expand the roleRedirects list as required, depending on the different user roles your ASP .NET web application may contain.
Since we’ve created a custom configuration section in the main web.config, we’ll also need to define the configuration section tag in the configSections area of your main web.config as follows:
The changes we’ve made to the project’s main web.config file, thus far, would appear as follows:
We’ve now defined the web.config structure for holding the login redirect URLs. Next, we can move on to creating the code to handle it.
With the web.config custom configuration section defined, we now need to create a custom configuration section reader class to obtain the list of login redirects and provide easy access. We can do this by creating the following class:
Note the above code is a standard definition of a web.config custom configuration section. The structure follows that defined in the web.config. With this class defined, we’ll be able to access the roleRedirects list by calling myConfigSection.RoleRedirects.
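A configuration section reader matching the structure described above, as an added example (not the article's original listing). The section and list names come from the article; the `add` element, the `role` and `url` attribute names, the class names, the `Default.aspx` pages and the `MyApp` assembly name are assumptions.

```csharp
using System.Configuration;

// Assumed web.config shape (constructed sample; entries are read in file order):
//
//   <configSections>
//     <section name="loginRedirectByRole"
//              type="LoginRedirectByRoleSection, MyApp" />  <!-- MyApp: hypothetical assembly -->
//   </configSections>
//   <loginRedirectByRole>
//     <roleRedirects>
//       <add role="Administrator" url="~/Admin/Default.aspx" />
//       <add role="User" url="~/User/Default.aspx" />
//     </roleRedirects>
//   </loginRedirectByRole>

// Root of the custom section: exposes the roleRedirects list.
public class LoginRedirectByRoleSection : ConfigurationSection
{
    [ConfigurationProperty("roleRedirects", IsRequired = true)]
    public RoleRedirectCollection RoleRedirects
    {
        get { return (RoleRedirectCollection)this["roleRedirects"]; }
    }
}

// The <roleRedirects> list; each <add> child becomes one RoleRedirect.
[ConfigurationCollection(typeof(RoleRedirect))]
public class RoleRedirectCollection : ConfigurationElementCollection
{
    protected override ConfigurationElement CreateNewElement()
    {
        return new RoleRedirect();
    }

    // The role name is the key, so a role can appear only once in the list.
    protected override object GetElementKey(ConfigurationElement element)
    {
        return ((RoleRedirect)element).Role;
    }
}

// One entry: a role name and the landing URL for members of that role.
public class RoleRedirect : ConfigurationElement
{
    [ConfigurationProperty("role", IsKey = true, IsRequired = true)]
    public string Role { get { return (string)this["role"]; } }

    [ConfigurationProperty("url", IsRequired = true)]
    public string Url { get { return (string)this["url"]; } }
}
```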
We’ve completed the web.config declarations and have created the custom configuration section to read it. We can now create the actual method which determines the redirect page based upon the logged in user’s role.
The above code simply instantiates the custom configuration section to obtain the list of login redirect URLs. It then compares the currently logged-in user’s roles to those listed in the web.config. When it locates a matching role, it redirects the user to the designated landing page. If a user happens to belong to more than one role, the user will be redirected to the first matching role’s landing page. In this manner, you can list higher priority roles at the top of the web.config list. For example, an Admin user can belong to both the User role and the Administrator role, so that he can access both areas of the application. Since the Administrator role is listed first in the web.config, he’ll be redirected to the ~/Admin/ page, which is probably the expected landing page, even though he is also a member of the User role (which redirects to ~/User/).
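The first-match-wins lookup described above, as an added example (not the article's original method). `LoginRedirect`, `ResolveLandingUrl`, the fallback URL and the `Login1` control ID are hypothetical names; the check that every target is app-relative is an addition that goes beyond what the article describes.

```csharp
using System;
using System.Collections.Generic;

public static class LoginRedirect
{
    // Returns the landing URL of the first configured role the user belongs to.
    // 'redirects' must be in web.config order, so higher-priority roles win.
    // 'isInRole' is the membership check supplied by the caller.
    public static string ResolveLandingUrl(
        IEnumerable<KeyValuePair<string, string>> redirects,
        Func<string, bool> isInRole,
        string fallbackUrl)
    {
        foreach (KeyValuePair<string, string> entry in redirects)
        {
            if (!isInRole(entry.Key))
                continue;

            // Accept only app-relative targets ("~/...") so that a mistyped or
            // modified config entry cannot send a freshly authenticated user
            // to another site.
            if (entry.Value == null ||
                !entry.Value.StartsWith("~/", StringComparison.Ordinal))
            {
                throw new InvalidOperationException(
                    "Redirect URL for role '" + entry.Key + "' must start with ~/");
            }

            return entry.Value;
        }

        // The user is in none of the configured roles.
        return fallbackUrl;
    }
}

// Usage from the Login control's LoggedIn handler (Login1 is a hypothetical ID).
// During that request the page's User principal is still the anonymous one,
// so the role check goes through the role provider by user name:
//
//   string user = Login1.UserName;
//   string url = LoginRedirect.ResolveLandingUrl(
//       pairs,                                   // (role, url) pairs in config order
//       role => Roles.IsUserInRole(user, role),
//       "~/Default.aspx");                       // hypothetical fallback page
//   Response.Redirect(url);
```

The redirect only chooses where the user lands; the per-folder web.config files remain what actually restricts access to each role's pages.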
We’ve now completed the framework for automatically redirecting users, upon login, based upon their role. However, we still need to add the code which calls our RedirectLogin method. The location of this call depends on the type of login mechanism that you’re using.
The most common method of logging a user in is by using the standard ASP .NET Login control. When using the Login control, you’ll have a control tag as follows:
Notice in the above code, we add a handler for the OnLoggedIn event. This allows us to know when the user has completed logging into the web application so that we can automatically redirect him to the proper landing page, as follows:
If you’re using your own login control, you can use the same redirect function call, placed after the point where you validate the user and create the authentication ticket cookie.
In either case, after the user has been successfully logged in, and his roles have been populated, you can call the RedirectLogin() function, as shown above, to begin the redirect.
If you are using the standard ASP .NET Login control, you will need to also define a Membership Provider and a Role Provider, as found in this article.
Redirecting users, upon login, based on their role can be as simple as adding a few if/then statements and a Response.Redirect call. However, by decoupling the decision logic from your C# ASP .NET web application code and moving it into the web.config, you can help create a much more efficient, robust, and extensible system. By separating user landing pages by sub-folder and restricting permissions by role, we can safely designate landing pages by role membership and help achieve a more seamless experience for the user.
This article was written by Kory Becker, founder and chief developer of Primary Objects, a software and web application development company. You can contact Primary Objects regarding your software development needs at http://www.primaryobjects.com