FIGURE 26.15 Retrieving a lost password with the PasswordRecovery control
<asp:PasswordRecovery
    id="PasswordRecovery1"
    CssClass="passwordRecovery"
    TitleTextStyle-CssClass="passwordRecovery_title"
    InstructionTextStyle-CssClass="passwordRecovery_instructions"
    SubmitButtonStyle-CssClass="passwordRecovery_button"
    Runat="server">
    <MailDefinition
        From="Admin@YourSite.com"
        Subject="Password Reminder" />
</asp:PasswordRecovery>
</div>
</form>
</body>
</html>
After you open the page in Listing 26.34 in your web browser, you are first asked to enter
your username (see Figure 26.15). Next, you are asked to enter the answer to the security
question that you entered when registering. Finally, a password is emailed to your
registered email account.
NOTE
Before you use the PasswordRecovery control, you must specify your mail server
settings in your application’s web configuration file. See the earlier section in this chapter,
“Sending a Create User Email Message.”
By default, the PasswordRecovery control first resets your password before sending you
the password. In the next section, you learn how to send a user’s original password.
Sending the Original Password
By default, the PasswordRecovery control does not send a user’s original password. If you
don’t want the PasswordRecovery control to reset a user’s password before sending it, you
must change the configuration of the membership provider. Three configuration settings
matter: passwordFormat, enablePasswordRetrieval, and enablePasswordReset.
By default, the passwordFormat attribute has the value Hashed. When passwords are
hashed, the PasswordRecovery control cannot send a user’s original password. This
limitation makes sense because when passwords are hashed, the actual passwords are never
stored anywhere. If you want to send a user his original password, you need to set the
passwordFormat attribute to either the value Clear or Encrypted.
By default, the enablePasswordRetrieval attribute has the value False. Therefore, if you
want to send a user his original password, you must enable this property in the web
configuration file.
Finally, by default, the enablePasswordReset attribute has the value True. Regardless of
the value of the passwordFormat or enablePasswordRetrieval attributes, you can always
reset a user’s password and email the new password to the user.
The web configuration file in Listing 26.35 contains the necessary configuration settings
to enable a user’s original password to be sent.
LISTING 26.35 Web.Config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembership">
      <providers>
        <add
          name="MyMembership"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="LocalSqlServer"
          passwordFormat="Clear"
          enablePasswordRetrieval="true"
        />
      </providers>
    </membership>
  </system.web>
</configuration>
The configuration file in Listing 26.35 causes passwords to be stored in plain text rather
than hashed. Furthermore, password retrieval is enabled.
Requiring a Security Question and Answer
When you use the CreateUserWizard control to register, you are required to select a security
question and answer. The PasswordRecovery control displays a form that contains the
security question. If you cannot enter the correct security answer, your password is not sent.
If you do not want to require users to answer a security question before receiving their
passwords, you can modify the configuration of the membership provider. The web
configuration file in Listing 26.36 assigns the value false to the
requiresQuestionAndAnswer attribute.
LISTING 26.36 Web.Config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembership">
      <providers>
        <add
          name="MyMembership"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="LocalSqlServer"
          requiresQuestionAndAnswer="false"
        />
      </providers>
    </membership>
  </system.web>
</configuration>
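The following added example (not part of the book's listings) is a Python check that reads a Web.config and reports membership providers that use the settings shown in Listing 26.35 and Listing 26.36, treating omitted attributes as the provider defaults. The function names and sample strings are constructed for illustration, and the requiresQuestionAndAnswer default of true is an assumption taken from the SqlMembershipProvider documentation.

```python
import xml.etree.ElementTree as ET

# Provider defaults: the first three are stated in the chapter; the
# requiresQuestionAndAnswer default of true is an assumption taken from the
# SqlMembershipProvider documentation.
DEFAULTS = {"passwordFormat": "Hashed", "enablePasswordRetrieval": "false",
            "enablePasswordReset": "true", "requiresQuestionAndAnswer": "true"}

def _local(tag):
    # Drop any "{namespace}" prefix so files with an xmlns still match.
    return tag.rsplit("}", 1)[-1]

def audit_membership(web_config_xml):
    """Return sorted (provider name, finding) pairs for a Web.config string."""
    findings = []
    root = ET.fromstring(web_config_xml)
    memberships = [e for e in root.iter() if _local(e.tag) == "membership"]
    for membership in memberships:
        for providers in (c for c in membership if _local(c.tag) == "providers"):
            for add in (c for c in providers if _local(c.tag) == "add"):
                name = add.get("name", "(unnamed)")
                # An attribute absent from the file keeps the provider default.
                cfg = {k: add.get(k, d).strip().lower() for k, d in DEFAULTS.items()}
                if cfg["passwordFormat"] == "clear":
                    findings.append((name, "passwords stored in plain text"))
                elif cfg["passwordFormat"] == "encrypted":
                    findings.append((name, "passwords stored reversibly"))
                if cfg["enablePasswordRetrieval"] == "true":
                    findings.append((name, "original password can be emailed"))
                if cfg["requiresQuestionAndAnswer"] == "false":
                    findings.append((name, "recovery needs no security answer"))
    return sorted(findings)

def _config(attrs):
    # Constructed sample: the provider element of Listings 26.35 / 26.36
    # with only the attributes under test varied.
    return ('<configuration><system.web><membership defaultProvider="MyMembership">'
            '<providers><add name="MyMembership" '
            'type="System.Web.Security.SqlMembershipProvider" '
            'connectionStringName="LocalSqlServer" ' + attrs + ' /></providers>'
            '</membership></system.web></configuration>')

LISTING_26_35 = _config('passwordFormat="Clear" enablePasswordRetrieval="true"')
LISTING_26_36 = _config('requiresQuestionAndAnswer="false"')
DEFAULTS_ONLY = _config('')

if __name__ == "__main__":
    for label, xml in [("26.35", LISTING_26_35), ("26.36", LISTING_26_36),
                       ("defaults", DEFAULTS_ONLY)]:
        print(label, audit_membership(xml))
```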
Using Templates with the PasswordRecovery Control
If you need to completely customize the appearance of the PasswordRecovery control,
you can use templates. The PasswordRecovery control supports the following three types
of templates:
UserNameTemplate
QuestionTemplate
SuccessTemplate
The page in Listing 26.37 illustrates how you can use all three of these templates.
LISTING 26.37 PasswordRecoveryTemplate.aspx
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
  <style type="text/css">
    html
    {
      font:12px Arial,Sans-Serif;
    }
    h1
    {
      font:bold 16px Arial,Sans-Serif;
      color:DarkGray;
    }
  </style>
  <title>PasswordRecovery Template</title>
</head>
<body>
  <form id="form1" runat="server">
  <div>
  <asp:PasswordRecovery
    id="PasswordRecovery1"
    Runat="server">
    <MailDefinition
      From="Admin@YourSite.com"
      Subject="Password Reminder"
      BodyFileName="PasswordRecovery.txt" />
    <UserNameTemplate>
      <h1>User Name</h1>
      <asp:Label
        id="FailureText"
        EnableViewState="false"
        ForeColor="Red"
        Runat="server" />
      <br />
      <asp:Label
        id="lblUserName"
        Text="Enter your user name:"
        AssociatedControlID="UserName"
        Runat="server" />
      <br />
      <asp:TextBox
        id="UserName"
        Runat="server" />
      <br />
      <asp:Button
        id="btnSubmit"
        Text="Next"
        CommandName="Submit"
        Runat="server" />
    </UserNameTemplate>
    <QuestionTemplate>
      <h1>Security Question</h1>
      <asp:Label
        id="FailureText"
        EnableViewState="false"
        ForeColor="Red"
        Runat="server" />
      <br />
      <asp:Label
        id="Question"
        Text="Enter your user name:"
        AssociatedControlID="Answer"
        Runat="server" />
      <br />
      <asp:TextBox
        id="Answer"
        Runat="server" />
      <br />
      <asp:Button
        id="btnSubmit"
        Text="Next"
        CommandName="Submit"
        Runat="server" />
    </QuestionTemplate>
    <SuccessTemplate>
      <h1>Success</h1>
      An email has been sent to your registered
      email account that contains your user name
      and password.
    </SuccessTemplate>
  </asp:PasswordRecovery>
  </div>
  </form>
</body>
</html>
The UserNameTemplate must contain a control with an ID of UserName. You also can
include a control with an ID of FailureText when you want to display error messages. This
template also must contain a Button control with a CommandName that has the value Submit.
The QuestionTemplate must contain a control with an ID of Question and a control with
an ID of Answer. Optionally, you can include a FailureText control when you want to
display error messages. It also must have a Button control with a CommandName that has the
value Submit.
The SuccessTemplate, on the other hand, does not require any special controls.
The PasswordRecovery control in Listing 26.37 includes a MailDefinition property that
references a custom email message. The message is contained in Listing 26.38.
LISTING 26.38 PasswordRecovery.txt
Here’s your login information:
user name: <%UserName%>
password: <%Password%>
The email message in Listing 26.38 contains substitution expressions for both the
user name and password.
Using the LoginView Control
The LoginView control enables you to display different content to different users
depending on their authentication status. For example, the page in Listing 26.39 displays
different content for authenticated users and anonymous users (see Figure 26.16).
FIGURE 26.16 Displaying content to authenticated users with the LoginView control
LISTING 26.39 ShowLoginView.aspx
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
  <title>Show LoginView</title>
</head>
<body>
  <form id="form1" runat="server">
  <div>
  <asp:LoginStatus
    id="LoginStatus"
    Runat="server" />
  <hr />
  <asp:LoginView
    id="LoginView1"
    Runat="server">
    <AnonymousTemplate>
      This content is displayed to anonymous users.
    </AnonymousTemplate>
    <LoggedInTemplate>
      This content is displayed to authenticated users.
    </LoggedInTemplate>
  </asp:LoginView>
  </div>
  </form>
</body>
</html>
The LoginView control in Listing 26.39 contains two templates: an AnonymousTemplate
and a LoggedInTemplate. Only one of the two templates is displayed at a time.
The page also includes a LoginStatus control. You can use this control to log in and log
out quickly.
NOTE
You can use the LoginView control with Windows authentication as well as Forms
authentication.
Using Roles with the LoginView Control
You also can use the LoginView control to display different content to users who belong to
different roles. The page in Listing 26.40 contains a LoginView that contains two
RoleGroup controls. The first RoleGroup contains content that is displayed to members of
the Administrator role. The second RoleGroup contains content that is displayed to
members of the Manager and Worker roles.
LISTING 26.40 LoginViewRoles.aspx
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
  protected void Page_Load(object sender, EventArgs e)
  {
    MembershipCreateStatus status;
    // Create Bill
    Membership.CreateUser("Bill", "secret_", "bill@somewhere.com",
      "dog", "rover", true, out status);
    // Create Ted
    Membership.CreateUser("Ted", "secret_", "ted@somewhere.com",
      "dog", "rover", true, out status);
    // Create Fred
    Membership.CreateUser("Fred", "secret_", "fred@somewhere.com",
      "dog", "rover", true, out status);
    // Create Administrator Role
    if (!Roles.RoleExists("Administrator"))
    {
      Roles.CreateRole("Administrator");
      Roles.AddUserToRole("Bill", "Administrator");
    }
    // Create Manager Role
    if (!Roles.RoleExists("Manager"))
    {
      Roles.CreateRole("Manager");
      Roles.AddUserToRole("Bill", "Manager");
      Roles.AddUserToRole("Ted", "Manager");
    }
    // Create Worker Role
    if (!Roles.RoleExists("Worker"))
    {
      Roles.CreateRole("Worker");
      Roles.AddUserToRole("Fred", "Worker");
    }
  }
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
  <title>LoginView Roles</title>
</head>
<body>
  <form id="form1" runat="server">
  <div>
  <asp:LoginStatus
    id="LoginStatus"
    Runat="server" />
  <hr />
  <asp:LoginView
    id="LoginView1"
    Runat="server">
    <RoleGroups>
      <asp:RoleGroup Roles="Administrator">
        <ContentTemplate>
          This content is displayed to Administrators.
        </ContentTemplate>
      </asp:RoleGroup>
      <asp:RoleGroup Roles="Manager,Worker">
        <ContentTemplate>
          This content is displayed to Managers
          and Workers.
        </ContentTemplate>
      </asp:RoleGroup>
    </RoleGroups>
  </asp:LoginView>
  </div>
  </form>
</body>
</html>
The Page_Load() handler in Listing 26.40 creates three users named Bill, Ted, and Fred.
Bill is added to both the Administrator and Manager roles; Ted is added to the Manager
role; and Fred is added to the Worker role.
The content of only one RoleGroup is displayed by the LoginView control at a time. If a
user matches more than one RoleGroup, the content of the first RoleGroup matched is
displayed and the other RoleGroups are ignored.
Before you can use the page in Listing 26.40, you must enable roles in the web
configuration file. The file in Listing 26.41 contains the necessary roleManager element.
LISTING 26.41 Web.Config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <roleManager enabled="true" />
  </system.web>
</configuration>