Listing 16-13: Providing a login for the end user using the Login control Login Page In the situation established here, if the unauthenticated user hits a different page in the
Trang 1Listing 16-13: Providing a login for the end user using the Login control
<%@ Page Language="VB" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Login Page</title>
</head>
<body>
<form id="form1" runat="server">
<asp:Login ID="Login1" Runat="server">
</asp:Login>
</form>
</body>
</html>
In the situation established here, if the unauthenticated user hits a different page in the application, he
is redirected to theLogin.aspxpage You can see how ASP.NET tracks the location in the URL from the address bar in the browser:
http://localhost:18436/Membership/Login.aspx?ReturnUrl=%2fMembership%2fDefault.aspx
The login page, using the Login control, is shown in Figure 16-7
Figure 16-7
From this figure, you can see that the Login control asks the user for a username and password A check box allows a cookie to be stored on the client machine This cookie enables the end user to bypass future logins You can remove the check box and related text created to remember the user by setting the Login control’sDisplayRememberMeproperty toFalse
In addition to theDisplayRememberMeproperty, you can work with this aspect of the Login control by
using theRememberMeTextand theRememberMeSetproperties TheRememberMeTextproperty is pretty
Trang 2self-explanatory because its value simply defines the text set next to the check box TheRememberMeSet
property, however, is fairly interesting TheRememberMeSetproperty takes aBooleanvalue (by default,
it is set toFalse) that specifies whether to set a persistent cookie on the client’s machine after a user has
logged in using the Login control If set toTruewhen theDisplayRememberMeproperty is also set to
True, the check box is simply checked by default when the Login control is generated in the browser
If theDisplayRememberMeproperty is set toFalse(meaning the end user does not see the check box or
cannot select the option of persisting the login cookie) and theRememberMeSetis set toTrue, a cookie is
set on the user’s machine automatically without the user’s knowledge or choice in the matter You should
think carefully about taking this approach because end users sometimes use public computers, and this
method would mean you are setting authorization cookies on public machines
This cookie remains on the client’s machine until the user logs out of the application (if this option is
provided) With the persisted cookie, and assuming the end user has not logged out of the application, the
user never needs to log in again when he returns to the application because his credentials are provided
by the contents found in the cookie After the end user has logged in to the application, he is returned to
the page he originally intended to access
You can also modify the look-and-feel of the Login control just as you can for the other controls One way
to do this is by clicking the Auto Format link in the control’s smart tag There you find a list of options
for modifying the look-and-feel of the control (see Figure 16-8)
Figure 16-8
Select the Colorful option, for example, and the code is modified Listing 16-14 shows the code generated
for this selection
Listing 16-14: A formatted Login control
<asp:Login ID="Login1" Runat="server" BackColor="#FFFBD6"
BorderColor="#FFDFAD" BorderPadding="4" BorderStyle="Solid"
BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em"
ForeColor="#333333" TextLayout="TextOnTop">
Trang 3<TextBoxStyle Font-Size="0.8em" />
<LoginButtonStyle BackColor="White" BorderColor="#CC9966"
BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
Font-Size="0.8em" ForeColor="#990000" />
<InstructionTextStyle Font-Italic="True" ForeColor="Black" />
<TitleTextStyle BackColor="#990000" Font-Bold="True" Font-Size="0.9em"
ForeColor="White" />
</asp:Login>
From this listing, you can see that there are a number of subelements that are used to modify particular items displayed by the control The available styling elements for the Login control include the following:
❑ <CheckboxStyle>
❑ <FailureTextStyle>
❑ <HyperLinkStyle>
❑ <InstructionTextStyle>
❑ <LabelStyle>
❑ <LoginButtonStyle>
❑ <TextBoxStyle>
❑ <TitleTextStyle>
❑ <ValidatorTextStyle>
The Login control has numerous properties that allow you to alter how the control appears and behaves
An interesting change you can make is to add some links at the bottom of the control to provide access
to additional resources With these links, you can give users the capability to get help or register for the application so that they can be provided with any login credentials
You can provide links to do the following:
❑ Redirect users to a help page using theHelpPageText,HelpPageUrl, andHelpPageIconUrl
properties
❑ Redirect users to a registration page using theCreateUserText,CreateUserUrl, andCreate
UserIconUrl properties
❑ Redirect users to a page that allows them to recover their forgotten passwords using the
PasswordRecoveryText,PasswordRecoveryUrl, andPasswordRecoveryIconUrlproperties
When used, the Login control looks like what is shown in Figure 16-9
Logging In Users Programmatically
Besides using the pre-built mechanics of the Login control, you can also perform this task programmati-cally using the Membership class To validate credentials that you receive, you use theValidateUser()
method of this class TheValidateUser()method takes a single signature:
Membership.ValidateUser(username As String, password As String)
This method is illustrated in Listing 16-15
Trang 4Figure 16-9
Listing 16-15: Validating a user’s credentials programmatically
VB
If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
Else
Label1.Text = "You are not registered with the site."
End If
C#
if (Membership.ValidateUser(TextBox1.Text, TextBox2.Text) {
FormsAuthentication.RedirectFromLoginPage(TextBox1.Text.ToString(), false);
}
else {
Label1.Text = "You are not registered with the site.";
}
TheValidateUser()method returns aBooleanvalue ofTrueif the user credentials pass the test and
Falseif they do not From the code snippet in Listing 16-15, you can see that end users whose credentials
are verified as correct are redirected from the login page using theRedirectFromLoginPage()method
This method takes the username and aBooleanvalue that specifies whether the credentials are persisted
through a cookie setting
Locking Out Users Who Provide Bad Passwords
When providing a user login form in any application you build, always guard against repeated bogus
password attempts If you have a malicious end user who knows a username, he may try to access the
application by repeatedly trying different passwords You want to guard against this kind of activity
You don’t want to allow this person to try hundreds of possible passwords with this username
Trang 5ASP.NET has built-in protection against this type of activity If you look in the aspnet_Membership table, you see two columns focused on protecting against this These columns are
FailedPasswordAttempt-CountandFailedPasswordAttemptWindowStart
By default, a username can be used with an incorrect password in a login attempt only five times within
a 10-minute window On the fifth failed attempt, the account is locked down This is done in ASP.NET
by setting theIsLockedOutcolumn toTrue
You can actually control the number of password attempts that are allowed and the length of the
attempt window for your application These two items are defined in the SqlMembershipProvider
declaration in themachine.configfile You can change the values either in the server-wide configuration files or in your application’sweb.configfile Changing these values in yourweb.configfile is presented
in Listing 16-16
Listing 16-16: Changing the values for password attempts in the provider declaration
<configuration>
<system.web>
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<clear />
<add connectionStringName="LocalSqlServer"
applicationName="/"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="15"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
</configuration>
To determine the number of password attempts that are allowed, usemaxInvalidPasswordAttempts
This example changes the value to3, meaning that users are allowed to enter an incorrect password three times before being locked out (within the time window defined) The default value of the maxInvalid-PasswordAttemptsattribute is5 You can set the time allowed for bad password attempts to15minutes using thepasswordAttemptWindowattribute The default value of this attribute is10, so an extra five
minutes is added
Now that these items are in place, the next step is to test it Listing 16-17 provides you with an example
of the test It assumes you have an application established with a user already in place
Listing 16-17: A sample page to test password attempts
VB
<%@ Page Language="VB" %>
<script runat="server">
Protected Sub Button1_Click(ByVal sender As Object, _
ByVal e As System.EventArgs)
Continued
Trang 6If CheckBox1.Checked = True Then Dim user As MembershipUser = Membership.GetUser(TextBox1.Text) user.UnlockUser()
End If
If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then Label1.Text = "You are logged on!"
Else Dim user As MembershipUser = Membership.GetUser(TextBox1.Text) Label1.Text = "Locked out value: " & user.IsLockedOut.ToString() End If
End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Login Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<h1>Login User</h1>
<p>
<asp:CheckBox ID="CheckBox1" runat="server" Text="Unlock User" />
</p>
<p>
Username<br />
<asp:TextBox ID="TextBox1" Runat="server"></asp:TextBox>
</p>
<p>Password<br />
<asp:TextBox ID="TextBox2" Runat="server"
TextMode="Password"></asp:TextBox>
</p>
<p>
<asp:Button ID="Button1" Runat="server" Text="Login"
OnClick="Button1_Click" />
</p>
<p>
<asp:Label ID="Label1" Runat="server"></asp:Label>
</p>
</div>
</form>
</body>
</html>
C#
<%@ Page Language="C#" %>
<script runat="server">
protected void Button1_Click(object sender, EventArgs e)
{
if (CheckBox1.Checked == true)
Continued
Trang 7MembershipUser user = Membership.GetUser(TextBox1.Text);
user.UnlockUser();
}
if (Membership.ValidateUser(TextBox1.Text, TextBox2.Text))
{
Label1.Text = "You are logged on!";
}
else
{
MembershipUser user = Membership.GetUser(TextBox1.Text);
Label1.Text = "Locked out value: " + user.IsLockedOut.ToString();
}
}
</script>
This page contains two text boxes: one for the username and another for the password Above these,
however, is a check box that can be used to unlock a user after you have locked down the account because
of bad password attempts
If you run this page and enter three consecutive bad passwords for your user, you get the results
pre-sented in Figure 16-10
Figure 16-10
TheIsLockedOutproperty is read through an instantiation of theMembershipUserobject This object
allows you programmatic access to the user data points contained in the aspnet_Membership table
In this case, theIsLockedOutproperty is retrieved and displayed to the screen TheMembershipUser
Trang 8object also exposes a lot of available methods — one of which is theUnlockUser()method This method
is invoked if the check box is checked in the button-click event
Working with Authenticated Users
After users are authenticated, ASP.NET 3.5 provides a number of different server controls and methods
that you can use to work with the user details Included in this collection of tools are the LoginStatus and
the LoginName controls
The LoginStatus Server Control
The LoginStatus server control enables users to click a link to log in or log out of a site For a good
example of this control, remove the<deny>element from theweb.configfile so that the pages of your
site are accessible to unauthenticated users Then code yourDefault.aspxpage so that it is similar to the
code shown in Listing 16-18
Listing 16-18: Login and logout features of the LoginStatus control
<%@ Page Language="VB" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Login or Logout</title>
</head>
<body>
<form id="form1" runat="server">
<asp:LoginStatus ID="LoginStatus1" Runat="server" />
</form>
</body>
</html>
Running this gives you a simple page that contains only a hyperlink titledLogin, as shown in
Figure 16-11
Clicking theLoginhyperlink forwards you to theLogin.aspxpage where you provide your credentials
After the credentials are provided, you are redirected to theDefault.aspxpage — although now the
page includes a hyperlink titledLogout(see Figure 16-12) The LinkStatus control displays one link
when the user is unauthenticated and another link when the user is authenticated Clicking theLogout
hyperlink logs out the user and redraws theDefault.aspxpage — but with theLoginhyperlink in place
The LoginName Server Control
The LoginName server control enables you to display the username of the authenticated user This is a
common practice today For an example of this, change theDefault.aspxpage so that it now includes
the authenticated user’s login name when that user is logged in, as illustrated in Listing 16-19
Listing 16-19: Displaying the username of the authenticated user
<%@ Page Language="VB" %>
<html xmlns="http://www.w3.org/1999/xhtml">
Trang 9<head runat="server">
<title>Login or Logout</title>
</head>
<body>
<form id="form1" runat="server">
<asp:LoginStatus ID="LoginStatus1" Runat="server" />
<p><asp:LoginName ID="LoginName1" Runat="server"
Font-Bold="True" Font-Size="XX-Large" /></p>
</form>
</body>
</html>
Figure 16-11
Figure 16-12
When the user logs in to the application and is returned to theDefault.aspxpage, he sees his username displayed, as well as the hyperlink generated by the LoginStatus control (see Figure 16-13)
Trang 10Figure 16-13
In addition to just showing the username of the logged in user, you can also add text by using the
LoginName control’sFormatStringproperty For instance, to provide a welcome message along with
the username, you construct the LoginName control as follows:
<asp:LoginName ID="LoginName1" Runat="Server"
FormatString="Welcome to our Website {0}!" />
You can also simply use the following construction in one of the page events (This is shown in VB; if you
are using C#, add a semicolon at the end of the line.)
LoginName1.FormatString = "Welcome to the site {0}!"
When the page is generated, ASP.NET replaces the{0}part of the string with the username of the
logged-in user This provides you with a result similar to the following:
Welcome to the site evjen!
If you do not want to show the username when using the LoginName control, simply omit the{0}aspect
of the string The control then places theFormatStringproperty’s value on the page
Showing the Number of Users Online
One cool feature of the membership service is that you can display how many users are online at a given
moment This is an especially popular option for a portal or a forum that wishes to impress visitors to the
site with its popularity
To show the number of users online, you use theGetNumberOfUsersOnlinemethod provided by the
Membershipclass You can add to theDefault.aspxpage shown in Figure 16-10 with the code illustrated
in Listing 16-20
Listing 16-20: Displaying the number of users online
VB
<%@ Page Language="VB" %>
<script runat="server">