Friday, February 5, 2010

How to do Forms Authentication Configuration?

The first step in protecting our site is to develop a web.config file that has both an authentication and an authorization filter. If we use Forms authentication, all users are sent to a login page on their first visit. Once they have been authenticated, they can return to the site without having to go through a login process.

With Forms authentication, no matter what page the user requests, he is automatically sent to a login page with the default name login.aspx. Once he fills out the login information, he is allowed to view the page requested initially. The following web.config file shows the required tags:
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
As noted, setting the authentication mode to Forms automatically directs the browser to a file named login.aspx. If we want to use a different file with a name we prefer, we can specify it with the loginUrl attribute:
<authentication mode="Forms">
<forms loginUrl="mySpecialFile.aspx" />
</authentication>
Most importantly, the site uses the FormsAuthentication class from the System.Web.Security namespace. One of its methods is
FormsAuthentication.RedirectFromLoginPage()
which takes the originally requested URL and sends the user to the requested page if the login is successful. It uses the following format:
FormsAuthentication.RedirectFromLoginPage(string, Boolean);
The important feature of this method is that ASP.NET automatically adds the return URL when the browser is redirected to the login page. The string parameter is the username, and the Boolean specifies whether or not the login will store a persistent cookie. A value of false indicates that it will not store a persistent cookie.
This whole flow is set up when the web.config file indicates that anonymous users will not be permitted and the authentication mode is set to Forms.
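A hardened variant of the web.config shown above, added here as an example and not part of the original post. The cookie name .EXAMPLEAUTH and the 20-minute timeout are assumed values, and requireSSL assumes the site is served over HTTPS.

```xml
<!-- Added example (constructed): Forms authentication with explicit cookie settings. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        name               cookie name (assumed placeholder value)
        loginUrl           the login page used in this article
        protection="All"   ticket is both encrypted and integrity-checked
        requireSSL="true"  cookie gets the Secure flag, so it is never sent
                           over plain HTTP (the default is false)
        cookieless="UseCookies"
                           keeps the ticket out of the URL, where it would
                           leak through logs, history and Referer headers
        timeout="20"       ticket lifetime in minutes (assumed value;
                           the default is 30)
        slidingExpiration="false"
                           ticket expires at a fixed time instead of being
                           renewed on activity
      -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: every page requires a login. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Passing false as the second argument to RedirectFromLoginPage, as the article's code does, keeps the ticket in a session cookie so these lifetime settings are not bypassed by a long-lived persistent cookie.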
Example:
Login.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Login.aspx.cs" Inherits="Login" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<style type="text/css">
body
{
    font-family:Verdana;
    font-size:11pt;
    color:Navy;
}
h1
{
    font-size:18pt;
    font-weight:bold;
   
}
</style>
    <title>Login</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <h1>Login Page</h1>
    <asp:TextBox ID="uname" runat="server">Name</asp:TextBox><p></p>
    <asp:TextBox ID="pw" runat="server" TextMode="Password">&nbsp;Password</asp:TextBox><p>
    </p>
    <asp:Button ID="Button1" runat="server" Text="Login" OnClick="DoLogin" /><p></p>
    <asp:Label ID="BadLog" runat="server" ForeColor="#FF3300"></asp:Label>
   
    </div>
    </form>
</body>
</html>

Login.aspx.cs
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
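    protected void DoLogin(object sender, EventArgs e)
    {
        // Demonstration only: the credentials are hard-coded in source.
        if (uname.Text == "kishore" && pw.Text == "shri81")
        {
            // Issue the authentication ticket (non-persistent cookie) and
            // redirect to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage(uname.Text, false);
        }
        else
        {
            // Show the error only when the login actually failed.
            BadLog.Text = "Check your username and password. Not logged in.";
        }
    }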
}
