ASP.NET 2.0: A Developer's Notebook [Electronic resources] - text version


7.2. Authenticate Users with Forms Authentication

Note: Forms authentication, the preferred authentication mode for
web applications, works just fine with the Profile
service.

The lab in Section 7.1 shows how you can use Windows authentication
for your ASP.NET web application. While this is useful for intranet
applications, a better way to authenticate external users is forms
authentication. In this section, you will use the Profile object
together with forms authentication.

Forms Versus Windows Authentication

In forms authentication, unauthenticated
requests are redirected to a Web Form using HTTP client-side
redirection. The user provides a username and password and then
submits the form. If the application authenticates the request, the
system issues a cookie containing the credentials or a key for
reacquiring the identity. Subsequent requests are issued with the
cookie in the request headers. They are then authenticated and
authorized by an ASP.NET event handler using whatever validation
method the application developer specifies.

In Windows authentication, ASP.NET works in conjunction with
Microsoft Internet Information Services (IIS) authentication.
Authentication is performed by IIS in one of three ways: basic,
digest, or Integrated Windows Authentication. When IIS authentication
is complete, ASP.NET uses the authenticated identity to authorize
access.

It is not feasible for you to create separate Windows accounts for
users accessing your application through the Internet. So, forms
authentication should be used for Internet applications.


7.2.1. How do I do that?

In this lab, you will see how you can authenticate your users via
forms authentication. You will add users to a web site using the
ASP.NET Web Site Administration Tool. You will then use the Profile
object to save the user's preferences based on the
username provided at login.

Using the same project created in the last section
(C:\ASPNET20\chap07-Profile), add a new folder
to your project by right-clicking the project name in Solution
Explorer, selecting New Folder → Regular Folder, and
naming the new folder Members.

Move the Default.aspx page into the
Members folder.

Add a new Web Configuration File (Web.config) to
the Members folder.

Finally, add a new Web Form to your project and name it
Login.aspx (see Figure 7-7).
Populate the form with the Login control.


Figure 7-8. The login page with the Login control

Your project should now look like the one shown in the Solution
Explorer in Figure 7-8.


Figure 7-9. The project with two Web.config files

In the application Web.config, marked (1) in
Figure 7-8, change the authentication mode from
Windows to Forms:

<authentication mode="Forms"/>

Default Values in machine.config


In ASP.NET 1.x, you need to explicitly
specify the name of the login page when
you use forms authentication. Your code looks something like this:

<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="login.aspx"
protection="Validation"
timeout="999999" />
</authentication>

And so, if an anonymous user tries to load a page that is protected,
he will be redirected to the Login.aspx page for
authentication.

In ASP.NET 2.0, there is no need to perform this step. Rather, the
above settings (plus many others) are
"burned" into ASP.NET as defaults.
There are now three different machine.config files, all located in
C:\WINDOWS\Microsoft.NET\Framework\<version>\CONFIG:

machine.config

machine.config.default

machine.config.comments

The machine.config.default file contains all the
default system-wide configuration settings. To see the default
settings defined in machine.config.default,
check the machine.config.comments file for
details. For example, the default settings for forms authentication
found in machine.config.comments are:

<forms
    name=".ASPXAUTH"
    loginUrl="login.aspx"
    protection="All"
    timeout="30"
    path="/"
    requireSSL="false"
    slidingExpiration="true"
    defaultUrl="default.aspx"
    cookieless="UseCookies"
    enableCrossAppRedirects="false" />

If you want to override the default settings, you should modify
machine.config (for machine-wide configuration)
or Web.config (for application-wide
configuration). The rationale for splitting the original
machine.config file into three different files
is to reduce the size of machine.config and
hence improve the performance.

In the Members folder
Web.config, marked (2) in Figure 7-8, add the <authorization> element so that
all anonymous users are denied access to the
Members folder. Also, remove the
<authentication> element:

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
    ...
    <!--
    <authentication mode="Windows"/>
    -->
</system.web>
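The two configuration files of this lab, written out in full as an added example (this is not the book's listing). The application-level Web.config switches the authentication mode to Forms and overrides a few of the machine.config.comments defaults listed above; the Members\Web.config denies every unauthenticated user. The requireSSL="true" setting is an assumption of this example, not something the lab sets: it keeps the .ASPXAUTH cookie off plain HTTP, so it only makes sense once the site is served over HTTPS.

```xml
<!-- File 1: Web.config in the application root -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl, protection and timeout match the defaults shown above;
           requireSSL is raised from the default "false" (assumption: HTTPS site). -->
      <forms loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>
    <!-- Anonymous users can still reach Login.aspx and anything outside Members. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- File 2: Web.config in the Members folder -->
<configuration>
  <system.web>
    <!-- Rules are evaluated top to bottom; "?" means every unauthenticated user,
         so they are redirected to loginUrl before any page in this folder runs. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Two points worth checking when you test this. First, the deny rule lives in the Members folder only, so Login.aspx must stay outside that folder or nobody can reach it. Second, with requireSSL="true" ASP.NET refuses to issue the authentication cookie over HTTP, so the F5 test in this lab (which runs over plain HTTP) would fail to log in; leave the attribute at its default "false" for the lab and turn it on for a real deployment.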

Using the ASP.NET Web Site Administration Tool
(Website → ASP.NET Configuration, and then click on the Security
tab), add a new user to your application (see Figure 7-9).


Figure 7-10. Adding a new user to my application

Tip: See Chapter 5 for more information on how to
add a new user to your web application.

To test the application, press F5. Load the
Default.aspx page located in the
Members folder using a web browser. Since all
unauthenticated users are denied access, you will be redirected to
the Login.aspx page.

Log in using the username that you added in Step 8, and you will see
the Default.aspx page. As usual, enter your
first and last names and click on the Save button.

Examine the aspnet_Profile and aspnet_Users tables again. This time,
you will see a second user in the table. In my case, not
surprisingly, the name is
"WeiMengLee," which is the username
I used to log in. Contrast this to the Windows username
("WINXP2\Wei-Meng Lee") used in the
previous lab, which used Windows authentication.


7.2.2. What about...

...sites that store the Default.aspx file
outside of the Members folder, thereby allowing users to access the
site without logging in?

Figure 7-10 shows the location of
Default.aspx at such a site, namely the one
we're working with in this chapter.


Figure 7-11. Moving Default.aspx out of the Members folder

If the Default.aspx file is accessed directly
when the user has not yet been authenticated, trying to set the
Profile properties will result in a runtime error. This is because
ASP.NET requires a key to uniquely identify the user. Using the
Profile object for a user that has not yet been authenticated is
known as anonymous profiling. The next lab,
Section 7.3, discusses this in
more detail.

Retrieving Other Users' Profiles

Besides retrieving your own
profile information, you can also
retrieve other users' profiles by using the
GetProfile( ) method.

The following example first retrieves all the members known to the
application, and then uses the UserName property and the GetProfile
method to retrieve the user's profile.

' Enumerate every membership user and write out the profile stored for each.
' Assumes the Membership provider and the FirstName/LastName profile
' properties are configured in Web.config. Because this lists every user's
' data, run it only from a page that is itself restricted to administrators.
Dim member As MembershipUser
Dim members As MembershipUserCollection = Membership.GetAllUsers()
For Each member In members
    ' Profile.GetProfile returns the ProfileCommon class that ASP.NET 2.0
    ' generates from the <profile> section (the beta called it ASP.HttpProfile).
    Dim userProfile As ProfileCommon = Profile.GetProfile(member.UserName)
    ' Profile values are user supplied, so HTML-encode them before writing.
    Response.Write(Server.HtmlEncode(member.UserName) & " - ")
    Response.Write(Server.HtmlEncode(userProfile.FirstName) & ", " & _
                   Server.HtmlEncode(userProfile.LastName) & "<br/>")
Next


7.2.3. Where can I learn more?

To learn more about how to secure your ASP.NET web applications,
check out the following article, which provides a checklist for
securing your ASP.NET application:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod98.asp.
