In many web applications, especially for sensitive areas like Admin Panels, we don’t want just anyone to access the login page.
Even if they have valid credentials, restricting access by IP address adds an extra layer of security.
In this post, I’ll show you how to allow login only from specific IP addresses using ASP.NET C# and web.config settings.
Why Restrict Access by IP?
- Protects sensitive admin functionality from outside networks.
- Limits exposure to brute-force or password-guessing attacks.
- Helps in corporate environments where admins work from known locations.
Step 1. Store Allowed IP Addresses in web.config
Open your web.config file and add this under the <configuration> section:
<configuration>
  <appSettings>
    <!-- Comma-separated allowed IP addresses -->
    <add key="AllowedIPs" value="192.168.1.10,203.0.113.25,45.67.89.10" />
  </appSettings>
</configuration>
Notes
- Multiple IPs are separated by commas.
- You can add or remove IPs without touching the code; just update web.config.
Step 2. Check IP Address in Code-Behind
In your login.aspx.cs or any protected page’s code-behind:
using System;
using System.Configuration;
using System.Linq;
using System.Web.UI;

public partial class Admin_Login : System.Web.UI.Page
{
    protected void Go_Click(object sender, EventArgs e)
    {
        // Step 1: Get the client's IP address
        string ipaddress = Request.UserHostAddress;

        // Step 2: Get allowed IPs from web.config
        // (a missing key becomes an empty list, so nobody is allowed)
        string allowedIPs = ConfigurationManager.AppSettings["AllowedIPs"] ?? string.Empty;

        // Step 3: Convert string to array and trim spaces
        string[] ipList = allowedIPs.Split(',').Select(ip => ip.Trim()).ToArray();

        // Step 4: Check if IP is in the allowed list
        if (ipList.Contains(ipaddress))
        {
            // ✅ Allowed - Continue with login process
            // (validate the submitted credentials before redirecting)
            Response.Redirect("dashboard.aspx");
        }
        else
        {
            // ❌ Not allowed - Show alert and stop
            string script = "alert('Access Denied! Your IP is not authorized to access this page.');";
            ScriptManager.RegisterStartupScript(this.Page, this.GetType(), "alertScript", script, true);
        }
    }
}
How It Works
- Request.UserHostAddress retrieves the IP address of the user trying to log in.
- The code reads the list of allowed IPs from web.config.
- It splits the list into an array and trims any spaces.
- If the user’s IP matches any of the allowed IPs → login proceeds.
- If not → a JavaScript alert displays "Access Denied!" and stops the process.
Important Tips
- When testing locally, you might see 127.0.0.1 (IPv4) or ::1 (IPv6 loopback address). That’s normal for localhost. To test real IP restrictions, deploy to a server or access the site from another device.
- For cloud hosting (Azure, AWS, etc.), sometimes you’ll need to check headers, like "HTTP_X_FORWARDED_FOR", for the real client IP.
- Keep web.config secure; never expose it publicly.
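The X-Forwarded-For tip above needs one safeguard: the header is supplied by the client unless a proxy you control sets or appends to it, so it should only be read when the direct peer is a known proxy. The helper below is an added example, not code from the original post; the class name ClientIpPolicy, its method names and the notion of a trusted-proxy list are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Net;

// Added example. ClientIpPolicy and its members are hypothetical names.
public static class ClientIpPolicy
{
    // Parse a comma-separated setting (e.g. AllowedIPs) into addresses.
    // Entries that are not valid IPs are skipped, so a typo never widens access.
    public static HashSet<IPAddress> ParseList(string csv)
    {
        var set = new HashSet<IPAddress>();
        foreach (string part in (csv ?? string.Empty).Split(','))
        {
            IPAddress ip;
            if (IPAddress.TryParse(part.Trim(), out ip)) set.Add(Normalize(ip));
        }
        return set;
    }

    // Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as plain IPv4.
    private static IPAddress Normalize(IPAddress ip) { return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip; }

    // remoteAddr: Request.UserHostAddress; forwardedFor: the X-Forwarded-For header.
    // Returns null when the client address cannot be determined (caller must deny).
    public static IPAddress ResolveClientIp(string remoteAddr, string forwardedFor,
                                            HashSet<IPAddress> trustedProxies)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return null;
        peer = Normalize(peer);
        // The header is only meaningful when the direct peer is a proxy we run.
        if (!trustedProxies.Contains(peer) || string.IsNullOrWhiteSpace(forwardedFor))
            return peer;
        // Walk right to left: the first hop that is not one of our proxies is the client.
        string[] hops = forwardedFor.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop)) return null; // malformed: fail closed
            hop = Normalize(hop);
            if (!trustedProxies.Contains(hop)) return hop;
        }
        return peer; // every hop was a trusted proxy
    }

    // A null client (unresolvable address) is always denied.
    public static bool IsAllowed(IPAddress client, HashSet<IPAddress> allowed) { return client != null && allowed.Contains(client); }
}
```

In Go_Click this would be called as ClientIpPolicy.ResolveClientIp(Request.UserHostAddress, Request.Headers["X-Forwarded-For"], proxies), with the result passed to IsAllowed together with the parsed AllowedIPs list.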
Conclusion
Restricting access by IP address is a simple yet effective security enhancement for admin login pages in ASP.NET.
By keeping the allowed IP list in web.config, you can manage access without redeploying your application.