
Wednesday, September 9, 2009

Introduction to ASP.NET Forms Authentication

In ASP.NET, forms authentication means that users authenticate themselves using a Web form. This feature is provided by the HTTP module FormsAuthenticationModule. Setting up forms authentication in ASP.NET is quite simple and is presented in a post at WindowsDevCenter.com.

Reference

  1. ASP.NET Forms Authentication - Part 1
  2. Explained: Forms Authentication in ASP.NET 2.0 (MSDN)
  3. FormsAuthentication Class (MSDN)

Steps

Enable anonymous access in IIS

Anonymous access is enabled by default. If not, enable it manually for the web application.

Modify web.config file to allow Forms Authentication

To allow Forms Authentication, first we have to add the "authentication" element under "system.web" in web.config.

  1. In the "authentication" element, set the "mode" attribute to "Forms" to specify Forms Authentication.
  2. Add a "forms" element under the "authentication" element to specify the configuration settings for Forms Authentication.
  3. Add an "authorization" element (a sibling of "authentication" under "system.web", as in the snippet below) to deny all anonymous users so that they are redirected to the login page.

Code Snippet (web.config):

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="DEMO"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Create the login page

The login page is where denied users will be redirected to. It is referenced by the "loginUrl" attribute of the "forms" element. As shown in the above code snippet, our login page will be "login.aspx".

Code Snippet (login.aspx.cs)

using System;
using System.Web.Security;

// Click handler in the code-behind of login.aspx. The control types are assumed
// from the members used: UserName and UserPass are HtmlInputText controls,
// PersistCookie is an HtmlInputCheckBox and lblResults is a Label.
protected void Login_Click(Object sender, EventArgs E)
{
    // Hard-coded check: only this single user/password pair is accepted.
    if ((UserName.Value == "username") &&
        (UserPass.Value == "password"))
    {
        // Issue the forms authentication cookie and send the user back to the
        // page that originally redirected them here (persistent if the box is checked).
        FormsAuthentication.RedirectFromLoginPage(UserName.Value, PersistCookie.Checked);
    }
    else
    {
        lblResults.Text = "Invalid Credentials: Please try again";
    }
}

The above code snippet is the onClick event handler of the login button. When it is fired, it will:

  1. Validate the credentials entered. In this case the validation logic is provided entirely by us and only allows one user to log in.
  2. If the user is valid, call FormsAuthentication.RedirectFromLoginPage() to authenticate the user and redirect back to the page he/she wanted to visit.
  3. Otherwise, show a warning message.

Configure user credentials in web.config

Usually we will store the user credentials in a database. However, for easy implementation (or for testing purposes) we can also set user credentials in the web.config file.

By adding a "credentials" element under the "forms" element, we can add user credentials as username/password pairs.

<forms>
  <credentials passwordFormat="Clear">
    <user name="user1" password="password1"/>
    <user name="user2" password="password2"/>
    <user name="user3" password="password3"/>
  </credentials>
</forms>

Then we can use the FormsAuthentication.Authenticate() method to validate user credentials against those stored in web.config.
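As an added example (not code from the original post), here is the login handler from the earlier step rewritten to validate against the web.config credentials with FormsAuthentication.Authenticate(), plus a helper that produces the hashed password value so the "credentials" element can use passwordFormat="SHA1" instead of storing plaintext with "Clear". The control names (UserName, UserPass, PersistCookie, lblResults) and the page class name are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Assumed code-behind class for login.aspx (name is an assumption).
public partial class LoginPage : Page
{
    protected void Login_Click(object sender, EventArgs e)
    {
        string user = UserName.Value.Trim();
        string pass = UserPass.Value;

        // Authenticate() compares the submitted pair against the <user> entries
        // under <forms><credentials>. With passwordFormat="SHA1" it hashes the
        // submitted password before comparing, so web.config holds no plaintext.
        if (FormsAuthentication.Authenticate(user, pass))
        {
            // Issues the forms ticket cookie and redirects to the ReturnUrl
            // that the <deny users="?"/> rule attached, or to the default URL.
            FormsAuthentication.RedirectFromLoginPage(user, PersistCookie.Checked);
        }
        else
        {
            // Same message for a bad user name and a bad password, so the
            // response does not reveal which of the two was wrong.
            lblResults.Text = "Invalid Credentials: Please try again";
        }
    }
}

// One-off helper: run once (e.g. from a small console project) and paste the
// returned upper-case hex digest into web.config, e.g.
//   <credentials passwordFormat="SHA1">
//     <user name="user1" password="PASTE-HASH-HERE"/>
//   </credentials>
public static class ConfigPasswordHasher
{
    public static string Sha1ForConfig(string plaintext)
    {
        // Produces the digest in exactly the form Authenticate() expects
        // for the configured passwordFormat.
        return FormsAuthentication.HashPasswordForStoringInConfigFile(plaintext, "SHA1");
    }
}
```

Note that this only removes plaintext from the file; hashed config credentials are still meant for testing, and the production path remains a proper user store as the post says.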
