Monday, April 26, 2004

.NET Forms Authentication

When creating a website that needs security for certain areas (or all areas), developers have always had a number of choices. One is to use the built-in IIS standard of Windows authentication; however, this can be difficult if you don't have full access to the server your application is running on. This leaves most developers having to design and implement their own security methods, often for every site they create.
Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon UI and do their own credential verification. ASP.NET authenticates users, redirects unauthenticated users to the logon page, and performs all the necessary cookie management.

Forms authentication also allows:
  • Management of users and their passwords in the web.config file, thus eliminating the need for database-backed credential storage.

  • Hashed (rather than clear-text) storage of users' passwords

  • Cookie data protection

  • Cookie expiration timeout specification

  • Page- or directory-based security attributes, i.e. allow all users to see Default.aspx but only signed-in users to participate in the chat forum.


To use Forms-Based Authentication:

    Modify your Web.config file to include the following:

    <authentication mode="Forms">
      <forms name="FBAuth" loginUrl="logon.aspx" path="/" protection="All" timeout="1">
        <credentials passwordFormat="SHA1">
          <user name="Tris" password="AC2B12B76A945DD9FDD7E58FBDD010D5AFA10F33"/>
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>
    This tells ASP.NET to use Forms authentication and to deny access to all users who are not signed in (the "?" wildcard stands for anonymous users). As a result, unauthenticated users are redirected to the login page named in loginUrl, here "logon.aspx", for authentication.

    By including the following code in your login button's Click event handler, ASP.NET will attempt to authenticate the supplied user details against the credentials in the Web.config file and, if successful, create the authentication cookie and redirect the user to the page they originally requested:

    // Requires: using System.Web.Security;
    private void cmdLogin_Click(object sender, System.EventArgs e)
    {
        // Compare the submitted name and password with the <credentials> entries in Web.config
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPass.Text))
        {
            // Issue the authentication cookie (persistent: true) and return to the originally requested page
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, true);
        }
        else
        {
            lblBadLogin.Text = "Invalid Username or Password! Try again:";
        }
    }
    When a user wishes to sign out, you can just call FormsAuthentication.SignOut(); ASP.NET will then manage the removal of the client's cookie.
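    As an added example (not code from the post), here is a Python model of what ASP.NET does with the <credentials> block above: it reproduces the value HashPasswordForStoringInConfigFile produces (SHA-1 or MD5 over the UTF-8 password, written as uppercase hex; "Clear" stores the password verbatim) and checks a submitted name and password against the entries. The "Tris" entry is the one from the post; the "demo" user and its password "abc" are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed web.config fragment: "Tris" is the entry from the post; "demo" is
# added here and its value is the SHA-1 of the constructed password "abc".
WEB_CONFIG = """
<authentication mode="Forms">
  <forms name="FBAuth" loginUrl="logon.aspx" path="/" protection="All" timeout="1">
    <credentials passwordFormat="SHA1">
      <user name="Tris" password="AC2B12B76A945DD9FDD7E58FBDD010D5AFA10F33"/>
      <user name="demo" password="A9993E364706816ABA3E25717850C26C9CD0D89D"/>
    </credentials>
  </forms>
</authentication>
"""

def hash_for_config(password: str, password_format: str = "SHA1") -> str:
    """Reproduce HashPasswordForStoringInConfigFile: digest of the UTF-8 password
    as uppercase hex. "Clear" keeps the password as written. Note that none of
    these formats is salted, so two users with the same password share a hash."""
    fmt = password_format.lower()
    if fmt == "clear":
        return password
    algo = {"sha1": hashlib.sha1, "md5": hashlib.md5}[fmt]
    return algo(password.encode("utf-8")).hexdigest().upper()

def load_credentials(config_xml: str):
    """Return (passwordFormat, {name: stored_value}) from the <credentials> element."""
    creds = ET.fromstring(config_xml).find(".//credentials")
    fmt = creds.get("passwordFormat", "SHA1")
    users = {u.get("name"): u.get("password") for u in creds.findall("user")}
    return fmt, users

def authenticate(config_xml: str, name: str, password: str) -> bool:
    """Mirror FormsAuthentication.Authenticate: hash the candidate the same way
    and compare it with the configured value in constant time."""
    fmt, users = load_credentials(config_xml)
    stored = users.get(name)
    if stored is None:
        return False
    candidate = hash_for_config(password, fmt)
    if fmt.lower() != "clear":
        stored = stored.upper()  # hex in web.config may have been typed in either case
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))

if __name__ == "__main__":
    print(authenticate(WEB_CONFIG, "demo", "abc"))   # True
    print(authenticate(WEB_CONFIG, "demo", "wrong")) # False
```

    Because every passwordFormat is an unsalted digest of the bare password, the hashes in web.config are only as strong as the passwords behind them: keep the file out of reach of other site users and insist on strong passwords.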

    It is also possible to specify access permissions for particular files and folders if required. Ensure the following config settings are added after the existing </system.web> in your Web.config:

    <location path="default1.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    This will allow all users to access "default1.aspx" even if they are not signed in. You can specify files or folders in the path attribute, and can use allow or deny in conjunction with the wildcards "?" and "*":
    "?" means anonymous (not signed-in) users and "*" means everyone.

    ASP.NET Forms Authentication is extremely easy to implement and use, and should put an end to the authentication hell of previous web development.
