When using Forms Authentication, redirecting the user to default.aspx after login is usually good enough. In some cases, we may want to redirect the user to a page other than default.aspx. Such cases may include redirecting the user to a page based on role membership, or to force a password change after an initial login. Fortunately, versions 1.1 and 2.0 of the .NET Framework have built-in functionality for doing this.
The standard method to call after a successful Forms Authentication login is RedirectFromLoginPage(). This method creates the Forms Authentication Ticket, adds the encrypted cookie to the Response object, and redirects the user. If the user had originally requested another page, the redirection will be to that page; otherwise it will be to default.aspx. When using ASP.NET 1.1, you can instead redirect the user to a specific page with the following code:
Listing 1: SetAuthCookie
'Validate User Login Information first
'If the user login information is valid
The second parameter of the SetAuthCookie method specifies whether or not the cookie should be persistent. You would set this parameter to true so that users don’t have to log in with each visit. SetAuthCookie creates a basic FormsAuthenticationTicket for the supplied username, and adds the ticket to the cookies collection of the Response object. Read more about SetAuthCookie method on MSDN.
If you need to add custom user data to the ticket, do not use the SetAuthCookie method. Instead, you’ll need to create a custom FormsAuthenticationTicket, add the ticket to the cookies collection of the Response object, and then call the Response.Redirect method.
The code shown in Listing 1 will also work in ASP.NET 2.0, which is very useful as it allows you to redirect users on a conditional basis. A new Forms Authentication property has been introduced in version 2.0 of the Framework, which will set the default redirect page. In the Web.config file, you can specify a defaultUrl property as shown below:
Listing 2: defaultUrl in Web.config
<forms loginUrl="member_login.aspx" defaultUrl="index.aspx" />
When called in ASP.NET 2.0, the RedirectFromLoginPage() method will now redirect the user to the page specified in the defaultUrl property (or default.aspx if no defaultUrl is specified), if the user had not initially requested another page. You still have the option of using the code in Listing 1 to redirect special cases as well. Read more about the defaultUrl property on MSDN.
Please note that this code was written for the Beta 2 version of the 2.0 Framework, and there may be changes in the production version of the Framework.