Must read: http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.codeproject.com/Articles/408306/Understanding-and-Implementing-ASP-NET-Custom-Form
http://www.codeproject.com/Articles/578374/AplusBeginner-27splusTutorialplusonplusCustomplusF
--------------------------
I'm exploring the simplest way to employ web security with legacy ASP.NET components.
The most basic and most common type of web site authentication is forms authentication.
Forms
It is very straightforward and simple:
1. Add to web.config:
<authentication mode="Forms">
  <forms defaultUrl="default.aspx" loginUrl="login.aspx" name=".ASPXAUTH">
  </forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
2. Create your own Login.aspx and use:
System.Web.Security.FormsAuthentication
for redirecting from and to the login page.
The whole idea is that after you issue the redirect command, the cookie is created and persisted.
Don't use the strCookiePath parameter in RedirectFromLoginPage. It seems that it prevents SignOut() from destroying the cookie!
There is also SignOut, which destroys the cookie, and you're back to square one.
The authenticated user is obtained from:
Context.User.Identity.Name
Not sure whether this is required:
FormsAuthentication.SetAuthCookie(userName, persistent);
Membership
There is a ton of material about the ASP.NET membership component. But what is the simplest scenario to use it?
I want to integrate Forms & Membership in the simplest possible scenario.
So here it is.
1. Open "Developer Command Prompt for Visual Studio" and execute "aspnet_regsql.exe".
Select your database and you'll end up with a bunch of aspnet_xxx tables & stored procs used by membership.
2. Configure a custom Membership provider in your web.config and make sure it points to the correct connection string. Example:
<configuration>
  <connectionStrings>
    <add name="AdventureSQLConnection" connectionString="Data Source=DB_SERVER;Initial Catalog=AdventureWorksLT2008;Persist Security Info=True;User ID=XXXX;Password=XXXXXXX;"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms defaultUrl="default.aspx" loginUrl="login.aspx" name=".ASPXAUTH">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="AdventureSQLConnection"
          applicationName="MyApplication"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true"
          passwordFormat="Hashed" />
      </providers>
    </membership>
  </system.web>
</configuration>
Two remarks. First, be sure to use <clear/> so that the default aspnetSQLprovider is removed; that one is registered in MACHINE.CONFIG. Second, be sure to use the correct connection string.
3. Use the infamous ASP.NET website configuration tool to test whether you did the above work correctly and optionally create an initial set of users, roles, whatever.
4. In your login.aspx use a combination of Membership methods and the above-mentioned FormsAuthentication to query and manage your users, roles, whatever. For example, here is the simplest one-liner for validating a user:
if (Membership.ValidateUser("sinisa", "demo1234x!"))
    FormsAuthentication.RedirectFromLoginPage("sinisa", true);
http://msdn.microsoft.com/en-us/library/xdt4thhy(v=vs.100).aspx
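The login flow from the Forms and Membership sections put together, as an added example that is not code from the original post: a code-behind class for Login.aspx that takes the credentials from the form instead of literals. The control names (UserName, Password, RememberMe, Message) and the handler names are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Login.aspx (Inherits="Login").
// The fields below must match the IDs of controls declared in the page;
// all of these names are assumptions made for this example.
public class Login : Page
{
    protected TextBox UserName;
    protected TextBox Password;    // TextMode="Password" in the markup
    protected CheckBox RememberMe;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // Checks the credentials against the default membership provider
        // from web.config (SqlProvider, passwords stored hashed).
        if (Membership.ValidateUser(user, Password.Text))
        {
            // Issues the forms-authentication cookie (.ASPXAUTH) and redirects
            // to the originally requested page or to defaultUrl. The cookie is
            // set by this call itself, so no separate SetAuthCookie call is
            // needed on this path. The cookie is persistent only on request.
            FormsAuthentication.RedirectFromLoginPage(user, RememberMe.Checked);
            return;
        }

        // One message for every failure (unknown user, wrong password,
        // locked-out account) so the page does not reveal which names exist.
        Message.Text = "Invalid user name or password.";
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Removes the forms-authentication ticket from the browser,
        // then sends the now anonymous user back to loginUrl.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

With `<deny users="?"/>` in place, every other page can read the signed-in name from Context.User.Identity.Name after the redirect.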