| Using Forms Authentication in ASP.NET - Part 1 By Jeff Gonzalez |
- <script language="JavaScript" type="text/javascript"> document.write("print this article
- email this article to a colleague
- suggest an article
Introduction
Classic ASP developers often had to "roll their own" authentication scheme, however, in ASP.NET much of the grunt work has been taken out. This article outlines how things have changed and how FormsAuthentication can be used to secure a Web site with a minimal amount of code. In classic ASP, authentication was pretty much all or nothing. Either you were using integrated security (often referred to as the Microsoft Windows NT LAN Manager [NTLM] challenge/response authentication protocol ), Basic (referred to as clear text), or you had created your own type of authentication. This was often an arduous task. Forms Authentication allows developers to store the authentication information, such as username and password, in the Web.config file, or you can still use your own method, such as a database, eXtensible Markup Language (XML) file, or text file. The great thing about forms authentication is you no longer have to program the state-tracking portion. ASP.NET does it for you!
Forms authentication uses cookies to allow applications to track users throughout their visit. The way ASP.NET handles forms authentication is probably very similar to the methods you have used in classic ASP. When a user logs in via forms authentication, a cookie is created and used to track the user throughout the site. If the user requests a page that is secure and has not logged in, then the user will be redirected to the login page. Once the user has been successfully authenticated, he/she will be redirected to their originally requested page.
Standard Forms Authentication Setup
Pages used: Default.aspx, Login.aspx, Web.config In the standard method of Forms Authentication, all user information is stored in the Web.config. Create a folder named standardForms under your webroot. Make this folder an application inside the Internet Services Manager. (This should be familiar territory if you ever used the Global.asa in ASP.)
Web.config Overview
The Web.config contains all of the configuration settings for an ASP.NET application. The idea is to put the control of the Web application in the hands of the developer rather than the system administrator. There are lots of options you can use here. This article details only the ones specific to Forms Authentication today.
Web.config Code Using the Standard or "Credentials" Method
Authentication
Credentials
Authorization
Web.config Code
Web.config Details
Inside the Web.config above we have configured several options. Authentication Remember, if you are going to have multiple applications on the same machine, it's suggested that you use unique names for your cookies. Next, we set the path to the root of the application. We assign the loginUrl attribute a local page named loginUrl.aspx. You can use URL paths like https://secured.sumnurv.com for redirection as well. Setting protection to all is the suggested value. This means that the cookie will be both encrypted (using the Triple DES data-encryption standard) and validated. The validation algorithm comes from the machineKey element located in Machine.config. This data validation ensures that the cookie data wasn't tampered with during transit (someone sniffing traffic and responding with modified cookie). The timeout attribute refers to the number of minutes before a cookie expires and the user must log in again. In the credentials section, we add two users and their passwords. This is where FormsAuthentication will look to authenticate the users. Authorization
Login.aspx Overview
Login.aspx Details
I have referenced the System.Web.Security namespace since we will be working with authentication. All methods of authentication reside in this namespace. FormsAuthentication is a class of the System.Web.Security namespace. Here we have a simple server-side form setup with one textbox and one password input for username and password. I have included a check box in case the user wants to have a permanent cookie set. The Submit button has an event "onclick" which runs a sub called ProcessLogin. Inside ProcessLogin we execute the Authenticate method of the FormsAuthentication class, passing in the given username and password. This method checks the credential's tags inside the Web.config for the username and password. If they match, then we execute the RedirectFromLoginPage with the username and persistent cookie state (if checked). This method then writes a cookie to the user's machine to track them and ensure they are authenticated. If the username and password do not match, then an error occurs and the user is notified.
Default.aspx Overview
This is the page the user is requesting or trying to access. Here we will display the currently authenticated user and the authentication type.
Default.aspx Code
<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="vb" runat="server">
Sub SignOut(objSender As Object, objArgs As EventArgs)
'delete the users auth cookie and sign out
FormsAuthentication.SignOut()
'redirect the user to their referring page
Response.Redirect(Request.UrlReferrer.ToString())
End Sub
Sub Page_Load()
'verify authentication
If User.Identity.IsAuthenticated Then
'display Credential information
displayCredentials.InnerHtml = "Current User : <b>" & User.Identity.Name & "</b>" & _
"<br><br>Authentication Used : <b>" & User.Identity.AuthenticationType & "</b>"
Else
'Display Error Message
displayCredentials.InnerHtml = "Sorry, you have not been authenticated."
End If
End Sub
</script>
<html>
<head>
<title>Forms Authentication</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<span class="Header">Forms Based Authentication using standard method</span>
<br>
<br>
<div id="displayCredentials" runat="server" />
<br>
<br>
<form runat="server">
<asp:Button id="cmdSignOut" text="Sign Out" runat="server" onClick="SignOut" />
</form>
</body>
</html>
Again I have referenced the System.Web.Security namespace since we will need some of its methods and properties. This page contains a simple div element thatwill display the current credentials and authentication type used. There is also a signout input element that runs a sub that deletes the user's cookie. They are then redirected to the login page. In the Page_Load event, I check to see if the user has been authenticated using the User.Identity.IsAuthenticated property. This returns a Boolean value indicating whether or not the user has been authenticated. If the user is authenticated, we want to display the current user's name and the authentication method used. We can access the currently logged on user's name with the User.Identity.Name property. User.Identity.AuthenticationType returns the mode of authentication used. We also use a SignOut procedure that allows the user to sign out and deletes the cookie from the user's computer. This will even delete a persistent cookie.
Conclusion
I hope that this has given you the basic understanding of Forms Authentication and how it can be useful for you. If you have any questions or comments about the concepts or code in this article, please feel free to contact me.
Resources
Forms Authentication in ASP.NET -- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhandlingformsauthenticationevents.asp Machine.config - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconstep1examiningconfigurationfiles.asp DES - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/secglos_9661.asp
All user authentication logic is performed here. If you wish to verify a user's credentials against the Web.config, XML or text file, or database, this is the place it would happen. This example shows how to authenticate to the Web.config Login.aspx Code
<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="VB" runat="server">
Sub ProcessLogin(objSender As Object, objArgs As EventArgs)
If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersistLogin.Checked)
Else
ErrorMessage.InnerHtml = "<b>Something went wrong...</b> please re-enter your credentials..."
End If
End Sub
</script>
<html>
<head>
<title>Standard Forms Authentication Login Form</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<form runat="server">
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="80">Username : </td>
<td width="10"> </td>
<td><asp:TextBox Id="txtUser" width="150" runat="server"/></td>
</tr>
<tr>
<td>Password : </td>
<td width="10"> </td>
<td><asp:TextBox Id="txtPassword" width="150" TextMode="Password" runat="server"/></td>
</tr>
<tr>
<tr>
<td></td>
<td width="10"> </td>
<td><asp:CheckBox id="chkPersistLogin" runat="server" />Remember my credentials<br>
</td>
</tr>
<tr>
<td> </td>
<td width="10"> </td>
<td><asp:Button Id="cmdLogin" OnClick="ProcessLogin" Text="Login" runat="server" /></td>
</tr>
</table>
<br>
<br>
<div id="ErrorMessage" runat="server" />
</form>
</body>
</html>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30">
<credentials passwordFormat="Clear">
<user name="jeff" password="test" />
<user name="mike" password="test" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Forms Authentication Background | |||||||||||||||||||||||||||
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
