Authentication and authorization are critical components of web application security. In ASP.NET Web Pages, you can implement these features using built-in mechanisms such as Forms Authentication and role-based authorization.

1. Authentication

Authentication is the process of verifying the identity of a user. ASP.NET Web Pages supports Forms Authentication, which allows users to log in using a username and password.

Step 1: Configure Forms Authentication

To enable Forms Authentication, you need to configure it in the Web.config file. Here’s an example configuration:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="Login.cshtml" timeout="30" />
        </authentication>
      </system.web>
    </configuration>
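The configuration above enables Forms Authentication with its defaults. The following is an added example (not from the original page) showing the same section with the cookie-protection attributes a security review would ask for. The page names and timeout are the ones used above; everything else is a setting you would adjust to your deployment.

```xml
<configuration>
  <system.web>
    <!-- Same Forms Authentication section as above, with hardening attributes added. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.cshtml"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             enableCrossAppRedirects="false" />
    </authentication>
    <!-- Marks all cookies HttpOnly and Secure; the Forms ticket cookie is always HttpOnly,
         this extends the same protection to Session and any application cookies. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Three of these matter most: requireSSL="true" on the forms element stops the authentication ticket from being sent over plain HTTP; cookieless="UseCookies" prevents the ticket from ever being carried in the URL (the default UseDeviceProfile can fall back to that for some clients, which leaks the ticket into logs and Referer headers); enableCrossAppRedirects="false" (the default, written out here) keeps a ReturnUrl parameter from sending a freshly logged-in user to another site.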

Step 2: Create a Login Page

Create a login page (e.g., Login.cshtml) where users can enter their credentials. Here’s a simple example:

    @using System.Web.Security
    @{
        if (IsPost)
        {
            var username = Request.Form["Username"];
            var password = Request.Form["Password"];

            // Validate credentials (this is a simplified example: a hard-coded,
            // plaintext pair stands in for a lookup against a user store)
            if (username == "admin" && password == "password")
            {
                // Set authentication cookie (non-persistent: it expires with the
                // browser session or after the configured timeout)
                FormsAuthentication.SetAuthCookie(username, false);
                Response.Redirect("Home.cshtml");
            }
            else
            {
                <p>Invalid username or password.</p>
            }
        }
    }
    <form method="post">
        <input type="text" name="Username" placeholder="Username" required />
        <input type="password" name="Password" placeholder="Password" required />
        <button type="submit">Login</button>
    </form>
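The login page above compares a plaintext, hard-coded pair, which is fine for showing where the cookie is issued but not for a real site. The following is an added example (not from the original page) of the same Login.cshtml written with the checks a reviewer would want: a salted hash comparison via System.Web.Helpers.Crypto, an anti-forgery token on the form, one error message for both unknown-user and wrong-password cases, and RedirectFromLoginPage for the post-login redirect. The in-page dictionary is a constructed stand-in for a user store, and the password in it is a placeholder.

```cshtml
@using System.Collections.Generic
@using System.Web.Helpers
@using System.Web.Security
@{
    // Constructed stand-in for a user store: username -> salted hash made by Crypto.HashPassword.
    // In a real application the hash is read from a database (for example via WebMatrix.Data's
    // Database.QuerySingle); it is built here only so the page runs on its own.
    var users = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        { "admin", Crypto.HashPassword("placeholder-password") }
    };
    // A hash that matches nothing, verified when the username is unknown so that a failed
    // login takes about the same time whether or not the account exists.
    var dummyHash = Crypto.HashPassword(Guid.NewGuid().ToString());

    string error = null;
    if (IsPost)
    {
        // Rejects posts that lack the token emitted by AntiForgery.GetHtml() in the form below.
        AntiForgery.Validate();

        var username = Request.Form["Username"] ?? "";
        var password = Request.Form["Password"] ?? "";

        string storedHash;
        bool known = users.TryGetValue(username, out storedHash);
        bool verified = Crypto.VerifyHashedPassword(known ? storedHash : dummyHash, password);

        if (known && verified)
        {
            // Issues the non-persistent auth cookie and honours a ReturnUrl query parameter,
            // but only for URLs inside this application (enableCrossAppRedirects is false by default).
            FormsAuthentication.RedirectFromLoginPage(username, false);
        }
        else
        {
            // One message for both "no such user" and "wrong password".
            error = "Invalid username or password.";
        }
    }
}
@if (error != null)
{
    <p>@error</p>
}
<form method="post">
    @AntiForgery.GetHtml()
    <input type="text" name="Username" placeholder="Username" required />
    <input type="password" name="Password" placeholder="Password" required />
    <button type="submit">Login</button>
</form>
```

Crypto.HashPassword produces a per-call random salt, so the hash would normally be computed once at registration and stored; it is computed on each request here only to keep the example self-contained. Razor encodes @error on output, so the message cannot carry markup.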

2. Authorization

Authorization determines whether a user has permission to access a resource. In ASP.NET Web Pages, you can restrict access to certain pages based on the user's authentication status or roles.

Step 1: Restrict Access to Pages

You can restrict access to a page by checking if the user is authenticated. Here’s an example of how to do this in a protected page (e.g., Home.cshtml):

    @{
        // Forms Authentication has already validated the ticket cookie by the time
        // the page runs; this only checks the result and redirects anonymous users
        if (!User.Identity.IsAuthenticated)
        {
            Response.Redirect("Login.cshtml");
        }
    }
    <h2>Welcome to the Protected Page!</h2>
    <p>This content is only accessible to authenticated users.</p>

Step 2: Role-Based Authorization

If you want to implement role-based authorization, you can assign roles to users and check their roles before granting access to certain resources.

    @{
        // Example roles (in a real application, roles would be stored in a database)
        var userRole = "Admin"; // This would typically come from your user management system

        // Note that this page checks only the role; in practice the authentication
        // check from Step 1 runs first, since an anonymous user has no role to look up
        if (userRole != "Admin")
        {
            Response.Redirect("AccessDenied.cshtml");
        }
    }
    <h2>Admin Dashboard</h2>
    <p>This content is only accessible to users with the Admin role.</p>
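Putting the check at the top of each page works but is easy to forget on a newly added page. The following is an added example (not from the original page) that moves both checks into a _PageStart.cshtml file, which ASP.NET Web Pages runs before every page in its folder. The folder name Admin and the AccessDenied.cshtml page are assumptions; the example also assumes a role provider is enabled, either through the roleManager element in Web.config or through SimpleMembership initialised in _AppStart.cshtml, so that Roles.IsUserInRole can answer.

```cshtml
@using System.Web.Security
@{
    // Admin/_PageStart.cshtml (assumed path): runs before every page in the Admin folder,
    // so no page in the folder can be served without these two checks.
    if (!User.Identity.IsAuthenticated)
    {
        // Not logged in: send to the configured loginUrl with ReturnUrl set to this request,
        // so the user lands back here after a successful login.
        FormsAuthentication.RedirectToLoginPage();
    }
    // Logged in but lacking the role: an explicit denial rather than a bounce to the
    // login page (an authenticated user redirected to the login page would loop).
    // Assumes roleManager is enabled in Web.config, or SimpleMembership is initialised
    // via WebSecurity.InitializeDatabaseConnection(...) in _AppStart.cshtml.
    else if (!Roles.IsUserInRole(User.Identity.Name, "Admin"))
    {
        Response.Redirect("~/AccessDenied.cshtml");
    }
    // Neither redirect fired: the requested page runs after this block completes.
}
```

Both redirect calls end the response, so the requested page never renders for a user who fails a check. Ordering matters: the authentication check comes first because a role lookup on an anonymous user has nothing to look up, and a failed role check must not redirect to the login page, otherwise an authenticated user without the role is sent to log in, logs in, and is sent to log in again.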

3. Logout Functionality

To allow users to log out, you can create a logout page (e.g., Logout.cshtml) that clears the authentication cookie.

    @using System.Web.Security
    @{
        // Removes the Forms Authentication ticket cookie; session state, if used,
        // is separate and is not cleared by this call
        FormsAuthentication.SignOut();
        Response.Redirect("Login.cshtml");
    }

Conclusion

Implementing authentication and authorization in ASP.NET Web Pages is straightforward using Forms Authentication and role-based checks. By following the steps outlined above, you can secure your web application and ensure that only authorized users can access specific resources. This enhances the overall security of your application and protects sensitive data from unauthorized access.