Forms Authentication in Asp .net
User Name: codelecturer
Name: Mike Chauhan
Contact Me: www.datawebcoder.com/ContactUs.aspx
Home Page: www.datawebcoder.com
Add Date: 01/08/2012
Security is one of the most important components of any application. It is even more important when you are building a web application that is exposed to millions of users.
Introduction:
ASP.NET provides classes and methods that help secure an application against outside attacks. In this article we will investigate forms authentication in ASP.NET, which provides a powerful way of securing applications.
Setting the forms authentication:
First you need to set up forms authentication in the web.config file. If you look in the web.config file, there will be a tag like this:
By default it is set to the Windows authentication mode. To change this to forms authentication, you just need to change Windows to Forms, as shown below:
Now you have set your application to use forms authentication instead of Windows authentication.
Storing username and password in the Web.config file:
If you have very few users who need to use the application, then you can set the usernames and passwords in the web.config file.
You will see some new tags and attributes above. Let's explain all of them:
The forms tag has an attribute loginUrl, which is the URL of the page users are redirected to if they try to access a page that requires authorization. In this case we have given the URL as Login.aspx, which means that if a user tries to access a page while not signed in, he will be redirected to the Login.aspx page.
Next we have the credentials tag, which has the attributes username and password. These are simply the username and password for a particular user. All the usernames and passwords that are present in the web.config file's credentials tag will be authorized to use the pages.
You can have multiple usernames and passwords stored in a single web.config file. As you can see in the code below, I have stored two usernames and their passwords:
Now the usernames and passwords are stored in the web.config file, and you want to authenticate the user against the credentials present there. Let's set up one more thing: the authorization tags in the web.config file. The deny users = "?" setting denies anonymous users, so anyone who has not signed in with one of the usernames present in the web.config file cannot access the pages.
Let's make a simple login screen that lets the user enter his credentials:
Suppose you are too lazy to change your page name from WebForm1 to Login.aspx. If you run the page now, you will see an error saying that there is no Login.aspx page. You may be surprised that ASP.NET is looking for a Login.aspx page. The reason is that you told ASP.NET that the login page will be named Login.aspx, remember:
Now if you change the name of your page to Login.aspx, it will work fine. You can also change the setting to loginUrl = WebForm1.aspx to make it work, but making a Login.aspx page sounds much better.
Now we need to implement the button click code:
We simply use the FormsAuthentication.Authenticate() method and supply it with the username and password. The username and password are checked against the web.config file. If they are present in the web.config file, then the user is authorized and taken to the originally requested URL. If the person is not authorized, then the message "You are not authorized to view the page" is printed.
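The configuration and button-click handler described above, as an added example (not the original article's code). The control names, the demoUser account and the requireSSL, timeout and passwordFormat values are assumptions, and the password digest is a placeholder.

```csharp
// Added example, not the article's code. Assumed web.config fragment:
//
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" requireSSL="true" timeout="30">
//       <!-- passwordFormat="Clear" would leave passwords readable in the file -->
//       <credentials passwordFormat="SHA1">
//         <user name="demoUser" password="PLACEHOLDER_SHA1_HEX_DIGEST" />
//       </credentials>
//     </forms>
//   </authentication>
//   <authorization>
//     <deny users="?" />   <!-- "?" = anonymous (not signed in) users -->
//   </authorization>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Hypothetical control names; ASP.NET binds them to the markup in Login.aspx.
    protected TextBox txtUserName;
    protected TextBox txtPassword;
    protected Label lblMessage;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Validator controls also run on the server; do not rely on the browser.
        if (!Page.IsValid) return;

        string userName = txtUserName.Text.Trim();

        // Hashes the supplied password with the configured passwordFormat and
        // compares it with the <credentials> entries. (Marked obsolete from
        // .NET 4.5 in favour of the Membership APIs.)
        if (FormsAuthentication.Authenticate(userName, txtPassword.Text))
        {
            // Issues the encrypted forms-authentication cookie and returns the
            // user to the page named in the ReturnUrl query string.
            // false = session cookie, not persisted across browser restarts.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            lblMessage.Text = "You are not authorized to view the page";
        }
    }
}
```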
Cookie Expiration:
You can also expire the cookies that you create in your application. Setting the time for the cookie expiration is not difficult at all. Let's look at the following code and see what it does:
Let's first make a simple cookie that will hold the user's username and then set its expiration time in days:
As we can see in the code sample above, making the cookie and setting its expiration time is not difficult at all. You can also use a FormsAuthenticationTicket to assign the expiration time of the cookie.
This method is good if you don't want the user to be logged on all the time. It's also safe from the security point of view because it will expire in 1 day.
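An added example (not code from the original article) of the FormsAuthenticationTicket route mentioned above. A plain cookie that only holds the username can be edited by the client, whereas the ticket is encrypted and validated by ASP.NET before the name is trusted. AuthCookie, Issue and ReadUser are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookie
{
    // Issues a forms-authentication ticket that expires after the given days.
    public static void Issue(HttpResponse response, string userName, int days)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                    // ticket version
            userName,
            now,                  // issue date
            now.AddDays(days),    // expiration carried inside the ticket itself
            true,                 // persistent: survives a browser restart
            string.Empty,         // no user data
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket according to the <forms protection>
        // setting (encryption plus validation by default).
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Expires = ticket.Expiration,              // browser-side expiry
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Returns the user name from a valid, unexpired ticket, otherwise null.
    public static string ReadUser(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // The expiry is checked on the server; the cookie's own date is
            // only a hint to the browser.
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception)
        {
            return null; // tampered or undecryptable value: treat as anonymous
        }
    }
}
```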
Database Authentication:
If you have a larger system, you will be better off using a database to keep the usernames and passwords. You can use a simple SQL stored procedure which returns 1 or 0 for success and failure depending on the username and password supplied. A simple database validation method can be written as follows:
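One way to write such a validation method, as an added example that is not the original article's code. Instead of comparing the password inside the procedure, this variant has a hypothetical procedure dbo.GetUserCredential return the stored salt and PBKDF2 hash and compares them in the application, so no clear-text password is kept in the database; the procedure, column names, sizes and iteration count are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class DbAuthenticator
{
    const int Iterations = 100000; // assumed work factor, must match enrolment

    // dbo.GetUserCredential is a hypothetical stored procedure returning one
    // row (PasswordSalt varbinary(16), PasswordHash varbinary(32)) or no row.
    public static bool Validate(string connectionString, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        byte[] salt = null, expected = null;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserCredential", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Typed parameter: the user name is never concatenated into SQL.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["PasswordSalt"];
                    expected = (byte[])reader["PasswordHash"];
                }
            }
        }

        // Unknown user: still run the derivation so timing does not reveal it.
        bool found = salt != null;
        if (!found) { salt = new byte[16]; expected = new byte[32]; }

        byte[] actual = new Rfc2898DeriveBytes(password, salt, Iterations)
            .GetBytes(expected.Length);
        return FixedTimeEquals(actual, expected) & found;
    }

    // Compares every byte so the time taken does not depend on the first mismatch.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```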
Signing out a user Securely:
You have seen the sign out button on various websites on the Internet. Our site www.codersource.net also has the feature to sign out users when they are done browsing. Let's see how we can implement a simple sign out method. The logic behind the sign out is to expire the user cookie.
As you can see, the code above is pretty simple and straightforward. The FormsAuthentication class provides a SignOut method which can be used to sign out users.
Then we assign null to the cookie and expire it by assigning it a date which has already passed. After signing out the user, I simply redirect the user to another page.
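The sign-out steps described above, as an added example (not the original article's code). The Logout page, the btnSignOut_Click handler name and the redirect target are assumptions; ASP.NET_SessionId is the default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Logout : Page
{
    protected void btnSignOut_Click(object sender, EventArgs e)
    {
        // Tells the browser to drop the forms-authentication cookie.
        FormsAuthentication.SignOut();

        // Discards server-side session state tied to this user.
        Session.Abandon();

        // Overwrite both cookies with empty, already-expired ones.
        ExpireCookie(FormsAuthentication.FormsCookieName,
                     FormsAuthentication.FormsCookiePath);
        ExpireCookie("ASP.NET_SessionId", "/");

        // SignOut() only removes the cookie from this browser; a copy of the
        // ticket stays valid until its own expiration, so keep that short.
        Response.Redirect("~/Login.aspx");
    }

    // Replaces a cookie with an empty one whose date has already passed.
    private void ExpireCookie(string name, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            Path = path,
            HttpOnly = true
        };
        Response.Cookies.Add(cookie);
    }
}
```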
Client side Validation
Don't leave everything for your business logic and then the database to decide. Do all the validation before you send the data to the business layers and the database layers. For this you can always use RequiredFieldValidators to check that the required fields are not left blank.
I hope you enjoyed the tutorial.
Happy Coding!