The CD that comes with this book includes this login page. To see an example of the most basic authentication you can use in your application, take a look at the files Login.aspx and Web.ConfigFormsAuthentication. The web.config file includes the Authentication and Authorization elements to support Forms Authentication for the site. Listing 10-1 shows the web.config settings necessary to force authentication.
LISTING 10-1 A Basic Web.Config File Requiring Authentication
The login page that goes with it is shown in Listing 10-2.
LISTING 10-2 A Basic ASP.NET Login Page
Remember password and weaken security?:
<asp:CheckBox id=m_bPersistCookie runat="server"/>
This is a simple login page that keeps track of three users—Gary, Jay, and Susan.
In this scenario, even if users try to surf to any page in the virtual directory, ASP.NET will stop them dead in their tracks and force them to pass the login page shown in Figure 10-3.
FIGURE 10-3 A simple login page for getting a user name and password from a client
This simple login page authenticates the user (out of a group of three possible users). In a real Web site, the authentication algorithm would probably use a database lookup to see if the user identifying himself or herself is in the database and whether the password matches. Later in this chapter, we'll see the ASP.NET authentication services. The login page then issues an authentication cookie using the FormsAuthentication utility class.
Figure 10-4 shows what the Web page looks like in the browser with tracing turned on. Here you can see the value of the authentication cookie in the (request) cookies collection.
FIGURE 10-4 Tracing turned on reveals the authentication cookie for a page using Forms Authentication
Run the Forms Authentication example
This example shows how to employ Forms Authentication on your site.
1. To run the Forms Authentication example, create a virtual directory to hold the site. Add an HTML file to the directory that simply displays a banner text "Hello World." Name the file Default.htm. You need to have a target file to surf to for Forms Authentication to work. Alternatively, you can use an already existing site and employ Forms Authentication there.
2. Copy the Login.aspx page from the Chapter 10 examples on the CD with this book into the virtual directory for which you want to apply Forms Authentication.
3. Copy the Web.ConfigForceAuthentication file from the Chapter 10 examples on the CD with this book into the virtual directory for which you want to apply Forms Authentication. Make sure to rename the configuration file web.config after you copy it.
4. Try to surf to a page in that virtual directory. ASP.NET should force you to complete the Login.aspx page before moving on.
5. Type in a valid user name and password. Subsequent access to that virtual directory should work just fine because now there's an Authentication ticket associated with the request and response.
Although you may build your own authentication algorithms, ASP.NET includes a number of new features that make authenticating users a straightforward and standard proposition. We'll look at those in a moment.
Briefly, ASP.NET allows two other types of authentication: Passport authentication and Windows authentication. There's not much talk about Passport anymore. Passport authentication has evolved into the Windows Live ID and requires a centralized authentication service provided by Microsoft. If you've ever used Hotmail.com, you've used Windows Live ID. The advantage of Windows Live ID authentication is that it centralizes login and personalization information at one source. While this is not a free service, your users can use a single user ID to log into many Web sites, providing convenience and easing your own development needs, as you don't need to manage user authentication yourself.
The other type of authentication supported by ASP.NET is Windows authentication. If you specify Windows authentication, ASP.NET relies on IIS and Windows authentication to manage users. Any user making his or her way through IIS authentication (using basic, digest, or Integrated Windows Authentication as configured in IIS) will be authenticated for the Web site. These other forms of authentication are available when configuring IIS. However, for most ASP.NET Web sites, you'll be bypassing IIS authentication in favor of ASP.NET authentication, even if only for scalability reasons. ASP.NET will use the authenticated identity to manage authorization.
ASP.NET Authentication Services
ASP.NET includes a great deal of support for authenticating users (outside of IIS's support). Most of it comes from the FormsAuthentication class.
The FormsAuthentication Class
Many of ASP.NET's authentication services center around the FormsAuthentication class. The examples shown in Listings 10-1 and 10-2 show how the rudimentary authentication works by installing an authentication cookie in the response and redirecting the processing back to the originally requested page. This is the primary purpose of FormsAuthentication.RedirectFromLoginPage. There are some other interesting methods in the FormsAuthentication class that allow for finer-grained control over the authentication process. For example, you can authenticate users manually (without forcing a redirect). That's useful for creating optional login pages that vary their content based on the authentication level of the client.
FormsAuthentication includes a number of other services as well. Table 10-1 shows some of the useful members of the FormsAuthentication class.
TABLE 10-1 Useful FormsAuthentication Class Members
FormsAuthentication Method Description
HashPasswordForStoringInConfigFile Creates a hashed password suitable for storing in a credential store
An Optional Login Page
The code accompanying this book also includes an example showing how to authenticate separately. The page in Listing 10-3 uses the same authentication algorithm (three users—Gary, Jay, and Susan—with hard-coded passwords). However, the page authenticates users and then redirects them back to the same page (OptionalLogin.aspx).
<%@ Page language=C# trace="false"%>
Remember password and weaken security?:
<asp:CheckBox id=m_bPersistCookie runat="server"/>
Notice that the page sets the authentication cookie manually by calling FormsAuthentication.SetAuthCookie and then redirects the processing back to the page. Each time the page shows, it calls the ShowContent method, which checks the authentication property in the page to decide whether or not to display content specialized for an authenticated user. Because the page redirects manually after authenticating, the web.config file needs to look a bit different. To make it work, the authentication node should remain, but the authorization node that denies anonymous users needs to be removed. That way, any user can log in to the OptionalLogin.aspx page (they won't be denied), but they may proceed after they're authenticated. Here's the new web.config file, shown in Listing 10-4. The file on the CD is named Web.ConfigForOptionalLogin. To make it apply to the application, copy the file and name it
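The manual flow described for the optional login page (SetAuthCookie, redirect back to the same page, a ShowContent check on each request) and the finer-grained FormsAuthentication members discussed earlier, as an added code-behind example that is not the book's Listing 10-3. It assumes controls named m_userName, m_password, m_bPersistCookie, m_btnLogin and m_lblContent, and it swaps the book's hard-coded user list for FormsAuthentication.Authenticate, which checks the credentials element in web.config (where output of HashPasswordForStoringInConfigFile is kept).

```csharp
// Added example (not from the book): in-place authentication in the style
// of OptionalLogin.aspx. Control names are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class OptionalLogin : Page
{
    // Validates against the <credentials> section of web.config instead of the
    // book's three hard-coded users; a production site would use a database
    // lookup or the membership provider. Passwords in that section should be
    // stored hashed (see HashPasswordForStoringInConfigFile), never in clear.
    private static bool CheckCredentials(string user, string password)
    {
        return FormsAuthentication.Authenticate(user, password);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        ShowContent();   // called on every request, authenticated or not
    }

    protected void m_btnLogin_Click(object sender, EventArgs e)
    {
        if (!CheckCredentials(m_userName.Text, m_password.Text))
        {
            m_lblContent.Text = "Login failed.";   // same text for bad user or bad password
            return;
        }
        // A persistent cookie survives closing the browser, which is why the
        // check box label warns that it weakens security; only set it on request.
        bool persist = m_bPersistCookie.Checked;
        FormsAuthentication.SetAuthCookie(m_userName.Text, persist);
        // Re-request this page (no return URL, unlike RedirectFromLoginPage) so
        // the next request carries the ticket and User.Identity reflects it.
        Response.Redirect(Request.RawUrl);
    }

    private void ShowContent()
    {
        HttpCookie c = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (!User.Identity.IsAuthenticated || c == null)
        {
            m_lblContent.Text = "Log in to see personalized content.";
            return;
        }
        // Decrypt shows what tracing reveals in the cookies collection: the
        // ticket's name, expiry and whether it was issued as persistent.
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(c.Value);
        m_lblContent.Text = "Welcome, " + User.Identity.Name + " (ticket expires " +
            t.Expiration + ", persistent: " + t.IsPersistent + ")";
    }
}
```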
Figure 10-5 shows how the optional login page appears before the user has been authenticated.
FIGURE 10-5 The optional login page before an authenticated user logs in
Run the optional login page
This example shows how to run the optional login page.
1. To run the optional login page, create a virtual directory to hold the site. Alternatively, you can use an already existing site and try the optional login page from there.
2. Copy the OptionalLogin.aspx page from the Chapter 10 examples on the CD with this book into the virtual directory.
3. Copy the Web.ConfigOptionalLogin from the Chapter 10 examples on the CD with this book into the virtual directory. Be sure to rename the configuration file web.config so ASP.NET loads the appropriate configuration settings.
4. Try to surf to a page in that virtual directory. ASP.NET should allow you to see the page, but as an unauthenticated user.
5. Type in a valid user name and password. You should see the content tailored for authenticated users. Subsequent requests/responses to and from the site will include an authentication token, so you would always see the special authenticated content. After the user has been authenticated, the optional login page shows the content tailored to the specific authenticated user. Figure 10-6 shows the page after an authenticated user logs in.
FIGURE 10-6 An authenticated user has logged in
Managing Users
So far, you can see that the fundamentals behind employing Forms Authentication are easy to manage. In the previous examples, the pages are inaccessible until you prove your identity. The example above shows raw authentication with the users and passwords hard-coded into the ASPX file. This is useful for illustration. However, in a production application you'll undoubtedly want to assign identities to the authorized users visiting your site.
ASP.NET and Visual Studio include facilities for both managing user identities and managing roles. The following exercise shows how to set up a secure site in which users are allowed access only after they identify themselves correctly.
Managing user access
1. Create a new Web site named SecureSite.
2. Add a label to the Default.aspx page with the text "Congratulations. You made it in." That way, when you get to the default page after logging in, you'll know which page it is in the browser.
3. Open the ASP.NET Web Site Administration Tool by selecting Web Site, ASP.NET Configuration from the main menu. Go to the Provider tab. Select the Select A Single Provider For All Site Management Data link. You can click the Test link to test the provider to make sure the connection is working.
Tip As you recall from Chapter 9, IIS includes ASP.NET configuration facilities as well. If your site has a virtual directory, you can get to the facilities by opening IIS, selecting the virtual directory of interest, and navigating among the Features icons.
4. Run the program aspnet_regsql.exe to create a data store to hold membership information. You'll find aspnet_regsql.exe in C:\Windows\Microsoft.NET\Framework\v2.0.50727
5. Go to the Security tab. You'll see the page shown in the following graphic. Click the Select Authentication Type link.
6. Select From The Internet as the access method. Then click the Done button. This will cause the site to use Forms Authentication.
7. Select Enable Roles and then select Create Or Manage Roles. Add some roles to the site. The example here includes three roles: Administrator, JoeUser, and PowerUser. Add these roles now. We'll assign real users to them shortly.
8. Now add some users and assign some roles. From the main security page, select the Create User link. Add some users. You may assign them to roles now if you wish.
After you've added some users and assigned roles to them, web.config should look something like this:
9. At this point, you may authenticate users to your site. However, you would probably like to control what parts of your site they may access. To do that, create some access rules. Select the Create Access Rules (on the Security tab) link to manage authorization. Deny anonymous users, as shown in the following graphic:
Denying access to anonymous users causes the following changes in web.config. Notice the authorization and the roleManager elements.
10. Now try running the site. ASP.NET should deny you access to the site, as shown here:
ASP.NET is looking for a way to authenticate the user. However, the site doesn't have one yet. The Forms Authentication setting is set to true and anonymous users are denied access, but there's no instruction to ASP.NET about what to do. There's no login redirect and no login page yet, so ASP.NET simply stops you in your tracks. Let's provide a login page using the ASP.NET login controls.
ASP.NET Login Controls
Earlier in this chapter, we handcrafted a couple of different login pages. During the heyday of ASP.NET 1.1, that's what you had to do to get Forms Authentication working. Modern ASP.NET improves things by adding a number of login controls that perform the most common login scenarios you might need for your site.
These controls include the Login, LoginView, PasswordRecovery, LoginStatus, LoginName, ChangePassword, and CreateUserWizard controls. Here's a summary of what each control does:
Login The Login control is the simplest login control and supports the most common login scenario—signing in using a user name and password. The control includes user name and password text boxes and a check box for users who want to compromise password security by saving their passwords on the machine. The control exposes properties through which you can change the text and appearance of the control. You may also add links to manage registration or password recovery. The Login control interacts with the ASP.NET membership component for authentication by default. If you want to manage authentication yourself, you may do so by handling the control's Authenticate event.
LoginView The LoginView control is very similar to the optional login page mentioned earlier. It's useful for managing the content you display for authenticated versus nonauthenticated users. The LoginView displays the login status via the display templates AnonymousTemplate and LoggedInTemplate. The control renders a different template depending on the status of the user. The LoginView also lets you manage text and links within each template.
PasswordRecovery The PasswordRecovery control supports Web sites that send user passwords to clients when they forget their passwords. The control collects the user's account name and then follows up with a security question (provided that functionality is set up correctly). The control either e-mails the current password to the user or creates a new one.
LoginStatus The LoginStatus control displays whether or not the current user is logged on. Nonlogged-in users are prompted to log in, whereas logged-in users are prompted to log out.
LoginName The LoginName control displays the user's login name.
ChangePassword The ChangePassword control gives users a chance to change their passwords. An authenticated user may change his or her password by providing the original password and a new password (along with a confirmation of the new password).
CreateUserWizard The CreateUserWizard control collects information from users so it can set up an ASP.NET membership account for each user. Out of the box, the control gathers a user name, a password, an e-mail address, a security question, and a security answer. The CreateUserWizard will collect different information from users, depending on the membership provider used by your application.
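Handling the Login control's Authenticate event, as mentioned in the summary above, with an added example that is not from the book: the handler validates the password through the ASP.NET membership component and then admits only users who hold one of the three roles created in the SecureSite exercise. The control id Login1 and the page class name are assumptions.

```csharp
// Added example (not from the book): manual handling of Login.Authenticate.
// Login1 is an assumed control id on the page hosting the Login control.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Roles added in the Web Site Administration Tool during the exercise;
    // a correct password for a user outside these roles is still refused.
    private static readonly string[] AllowedRoles = { "Administrator", "PowerUser", "JoeUser" };

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string user = Login1.UserName;

        // Membership.ValidateUser checks the password against the store that
        // aspnet_regsql.exe created, through the provider selected on the
        // Provider tab; the SQL provider also counts failures toward lockout.
        if (!Membership.ValidateUser(user, Login1.Password))
        {
            e.Authenticated = false;    // control shows its FailureText
            return;
        }

        bool inRole = false;
        foreach (string role in AllowedRoles)
        {
            if (Roles.IsUserInRole(user, role)) { inRole = true; break; }
        }
        if (!inRole)
        {
            // Refuse with the same generic failure as a bad password so the
            // response does not reveal that the account exists.
            e.Authenticated = false;
            return;
        }

        // Once Authenticated is true the Login control issues the forms
        // ticket itself (honoring its RememberMe check box) and redirects to
        // the page the user originally requested.
        e.Authenticated = true;
    }
}
```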