This is really nice tutorial for secure login. I need help regarding how to use role and membership in asp.net without using aspnet.mdf.

Yes you can have your customized way of handling it.  if you want to have it in your way, try to have a customized database.

Eg: here is a very simple example for you to get an idea..

User table has userid, username and etc

Role table has role id and etc

user_role table has userid, roleid and etc

jitendramcu:

 This is really nice tutorial for secure login. I need help regarding how to use role and membership in asp.net without using aspnet.mdf.

Hey,

Yes instead of using the basic database in app_data you can use sql server.

To setup asp.net application services on sql server you can use aspnet_regsql.exe.

I have written a tutorial for doing it via the commandline here:

• http://runtingsproper.blogspot.com/2009/08/using-aspnetregsql-via-command-line-to.html
  

however you might just want to run the app directly and use the visual windows wizard front end.

TATWORTH:

I need to be able to block non-admins from using the site by an administrator making a change within the database and not by changing the web.config in the users folder. Conversely when the lock-out period is over, the administrator needs to be be able to allow normal user access to resume just by means of an administrator option. The site administrators are quite non-technical and hence changing any of the sub-directory web.configs is not an option.

guenavan:

I could not understand:
- why through making change in the database?
- why subdirectory web.config?

There are periods of operation when only administrators should have access to the site. At the end of this period, normal operation needs to be restored without making any change other than the in the database.

TATWORTH:

guenavan:

I could not understand:
- why through making change in the database?
- why subdirectory web.config?

There are periods of operation when only administrators should have access to the site. At the end of this period, normal operation needs to be restored without making any change other than the in the database.

I didn't realise you were still looking for a solution to this! A couple of ways you could do this off the top of my head:

Handle the logging in event of your login control and check to see if the user is admin or not and if the site is in lock down mode.

Create a custom membership provider that handles the lock down by overriding the IsApproved flag of the user to return false during periods of lockdown

TATWORTH:

There are periods of operation when only administrators should have access to the site.
At the end of this period, normal operation needs to be restored without making any change other than the in the database

guenavan:

I cannot understand why editing of web.config files of subdirectories could have possibly be engaged for this

You can have individual authorization sections in sub-folders by putting web.configs in them and listing the access levels inside the .config.

A technical user could edit a file and enable them to block off access to a folder but what Tatworth is saying is that he needs a solution that doesn't involve that because the websites admins are not that technical.

For single sign on you just need to  put the "machine key" tag in web.config using same key in both application

<