Use Forms Authentication

To prevent users from accessing certain pages unless they have first authenticated themselves with a custom logon page.

Forms authentication is a flexible security model that allows you to prevent unauthenticated users from accessing certain pages. You write the code that performs the authentication, and ASP.NET issues a cookie to authenticated users. Users without the cookie are redirected to a login page when they try to access a secured page.

To implement forms authentication, you must take the following steps:


  • Configure forms authentication using the <authentication> tag in the application's Web.config file.



  • Restrict anonymous users from a specific page or directory using Web.config settings.



  • Create the logon page, and add your authentication logic, which leverages the FormsAuthentication class from the System.Web.Security namespace.
The first step is to configure the Web.config in the root application directory to enable forms authentication, as shown in the following code. You also need to specify your custom login page (where unauthenticated users will be redirected) and a time-out after which the cookie will be removed. The authentication cookie is automatically renewed with each Web request.

<authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="30" />
</authentication>

Next you need to add an authorization rule denying anonymous users. The easiest way to secure pages is to create a subdirectory with its own Web.config file. The Web.config file should refuse access to anonymous users, as shown here:

<authorization>
    <deny users="?" />
</authorization>

Now ASP.NET will automatically forward unauthenticated requests for pages in this subdirectory to the custom logon page.

Another option is to specifically deny access to specific pages in the current directory by using the <location> tag:

<location path="SecurePage.aspx">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

You can also deny specific users by entering a comma-separated list of user names instead of the wildcard (?) character, which simply means "all anonymous users."

Finally, you need to create the logon page. Your logon page can authenticate the user using a hard-coded password (suitable only for simple tests), a server-side database, or any other type of custom authentication logic. Once the user has been successfully authenticated, call the static FormsAuthentication.RedirectFromLoginPage method with the user name. This method sets the forms authentication cookie and, in the same step, redirects the user to the originally requested page.

Here's a rudimentary logon page that simply checks for a specific password when the user clicks a logon button:


using System;
using System.Web;
using System.Web.UI.WebControls;
using System.Web.Security;

public class LoginPage : System.Web.UI.Page {

    protected System.Web.UI.WebControls.Label lblStatus;
    protected System.Web.UI.WebControls.Button cmdLogin;
    protected System.Web.UI.WebControls.TextBox txtPassword;
    protected System.Web.UI.WebControls.TextBox txtName;

    // (Designer code omitted; it attaches cmdLogin_Click to cmdLogin.Click.)

    private void cmdLogin_Click(object sender, System.EventArgs e) {
        // Rudimentary check against a hard-coded password (test use only).
        if (txtPassword.Text.ToLower() == "secret") {
            // Issues a non-persistent forms authentication cookie and
            // redirects to the page the user originally requested.
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
        } else {
            lblStatus.Text = "Try again.";
        }
    }
}

To test this page with the sample code that accompanies the book, request SecurePage.aspx, which is placed in a secured directory. You'll be redirected to login.aspx, and provided you submit the correct password, you'll be returned to SecurePage.aspx.
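The hard-coded password above is fine for exercising the redirect, but the recipe also says the logon page can authenticate against a database or any custom logic. The following is an added example, not the book's sample code, of what that logic looks like when credentials are stored as salted PBKDF2 hashes rather than compared in clear text. It targets .NET Framework 4.x (System.Web), assumes a Web Forms page with the same four controls as the recipe (txtName, txtPassword, cmdLogin, lblStatus) and the Web.config shown earlier, and replaces the database with one constructed account built at startup; the class name HashedLoginPage, the ValidateUser helper and the sample password are all assumptions.

```csharp
// Added example (not from the book): forms-authentication logon page that
// verifies credentials against salted PBKDF2 hashes. Targets .NET Framework 4.x.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class HashedLoginPage : Page
{
    protected TextBox txtName;
    protected TextBox txtPassword;
    protected Button cmdLogin;
    protected Label lblStatus;

    private const int SaltSize = 16;     // bytes of random salt per user
    private const int HashSize = 32;     // bytes of derived key stored per user
    private const int Iterations = 100000;

    // Stand-in for the credential table: user name -> (salt, hash).
    // A real application loads these per user from a database; this
    // constructed store holds a single sample account built at startup.
    private static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users =
        BuildSampleStore();

    private static Dictionary<string, KeyValuePair<byte[], byte[]>> BuildSampleStore()
    {
        var store = new Dictionary<string, KeyValuePair<byte[], byte[]>>(
            StringComparer.OrdinalIgnoreCase);
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        // "constructed-sample-password" is a placeholder value for this demo only.
        store["alice"] = new KeyValuePair<byte[], byte[]>(
            salt, Hash("constructed-sample-password", salt));
        return store;
    }

    // PBKDF2 (RFC 2898) with the per-user salt; the same routine is used when
    // the password is first stored and when it is later verified.
    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compares every byte regardless of where the first mismatch occurs, so the
    // time taken does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true only when the user exists and the password hashes to the
    // stored value; an unknown user and a wrong password are indistinguishable.
    public static bool ValidateUser(string userName, string password)
    {
        KeyValuePair<byte[], byte[]> record;
        if (!Users.TryGetValue(userName ?? string.Empty, out record)) return false;
        return FixedTimeEquals(Hash(password ?? string.Empty, record.Key), record.Value);
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Wire the button here instead of relying on designer-generated code.
        cmdLogin.Click += new EventHandler(cmdLogin_Click);
    }

    private void cmdLogin_Click(object sender, EventArgs e)
    {
        if (ValidateUser(txtName.Text, txtPassword.Text))
        {
            // Same call as the recipe: issue the non-persistent forms cookie and
            // return the user to the page that triggered the redirect.
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
        }
        else
        {
            // One generic message for both failure cases.
            lblStatus.Text = "Invalid user name or password.";
        }
    }
}
```

The only line that touches forms authentication is still the single RedirectFromLoginPage call; everything else is the "custom authentication logic" the recipe leaves to you. Because the cookie is issued only after ValidateUser returns true, the Web.config rules from the earlier steps continue to bounce unauthenticated requests to login.aspx exactly as before.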




Variety in the Web World