Roles authentication is not working in asp.net

I am using the code below to access a page base based upon user authentication

if (user.FirstOrDefault() == HashedPassword)
{
    string roles = "Member";

    // Create the authentication ticket
    FormsAuthenticationTicket authTicket = new
        FormsAuthenticationTicket(1,                          //  version
       开发者_如何学运维                           loginName.Text,             // user name
                                  DateTime.Now,               //  creation 
                                  DateTime.Now.AddMinutes(60),// Expiration
                                  false,                      //  Persistent
                                  roles);                     // User data

    // Now encrypt the ticket.
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    // Create a cookie and add the encrypted ticket to the
    // cookie as data.
    HttpCookie authCookie = 
                new HttpCookie(FormsAuthentication.FormsCookieName,
                               encryptedTicket);
    // Add the cookie to the outgoing cookies collection.
    Response.Cookies.Add(authCookie);

    Response.Redirect("/Members/ClientAccount.aspx");    
}
else
{
    Response.Redirect("signin.aspx");
}

}

The user is getting directed to ClientAccount.aspx if the login details are correct but I want that to happen only if his/her role is set as Admin as shown in the web.config file below .

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <location path="members.aspx">
        <system.web>
            <authorization>
                <allow roles="Member" />
                <allow roles="Admin" />
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
    <location path="ClientAccount.aspx">
        <system.web>
            <authorization>                    
                <allow roles="Admin" />
                <deny roles="Member"/>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

How do I make this happen ?

I guess the web.config file is not looking at the cookie to do the authorization so I am doing something wrong there.

---

Double check your location path relative to the web.config, my guess is that is the problem.

<location path="/Members/ClientAccount.aspx">
    ...
</location>

Of course you'll need to do something else instead of this line, you were just doing this for testing I'd assume?

 Response.Redirect("/Members/ClientAccount.aspx");    

i.e. redirect them to a page you know they're not allowed to hit. I figure you're going to beef that part up once you're sure its not allowing members to access that page.

You should make sure your web.config has the following tag:

<authentication mode="Forms" />

You need to configure it right, there are lots of options:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
</authentication>

http://msdn.microsoft.com/en-us/library/ff647070.aspx

---

hey there, did you mean to have

<deny roles="Member"/>

right now, the deny policy really doesn't need the member role listed. If you are wanting member to also be allowed to that page, you will need to swap out the deny, to allow:

<authorization>
  <allow roles="Admin" />
  <allow roles="Member"/>
  <deny users="?" />
</authorization>