Suggestion: login.aspx references

Jun 3, 2010 at 3:55 PM

The <authentication mode="Forms">section in the web.config specifies loginUrl="~/login.aspx"; however, that page name is an obvious target for hacks. I renamed mine and hid the login button but found that the string "login.aspx" is hardcoded in login.aspx.cs, site.master.cs and a few other controls; so the web.config change conflicted.

I created an extension method:

//=========================================================================================
/// <summary>Retrieves the current FormsAuthentication login page</summary>
/// <param name="context">The <see cref="HttpContext"/>.</param>
//=========================================================================================
public static string LoginPage(this HttpContext context)
{
	//=== if the HttpContext is null, something is wrong ===
	if(null == context) { return(String.Empty); }

	string __result = System.Web.VirtualPathUtility.GetFileName(System.Web.Security.FormsAuthentication.LoginUrl);
	return(__result);
}

And then replaced all "login.aspx" strings with this.Context.LoginPage() so that any change to the web.config loginUrl is global.