[ASP.NET Membership] Forms Authentications

Forms Authentication is the usual choice for web sites aimed at the general public. ASP.NET Membership provides classes to authenticate users and perform security-related tasks based on the credentials the users supply.

1. Web.Config

You need to modify the “Web.Config” file to use the “Forms Authentication”.

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

2. Saving User Credentials in the Web.Config

You can store user names and passwords directly in the Web.Config. This can be a reasonable choice if there are only a handful of users and you do not use a database.

Inside the “forms” element you add a “credentials” element. The password can be stored as plain text or as a hash: the passwordFormat attribute can be “Clear”, “MD5”, or “SHA1”, and the default is “SHA1”. Note that MD5 and SHA1 here are plain, unsalted hashes of the password, so the Web.Config file still has to be protected like any other secret.

<authentication mode="Forms">
  <forms name="401kApp" loginUrl="/login.aspx">
    <credentials passwordFormat="SHA1">
      <user name="UserName1" password="HashedPassword1"/>
      <user name="UserName2" password="HashedPassword2"/>
    </credentials>
  </forms>
</authentication>

3. FormsAuthentication class

The “System.Web.Security.FormsAuthentication” class provides static properties and methods that support the authentication process.

– Properties –

  • FormsCookieName: gets the name of the cookie used to store the forms-authentication ticket.
  • FormsCookiePath: gets the path for the forms-authentication cookie.
  • LoginUrl: gets the URL for the login page.
  • DefaultUrl: gets the URL to be redirected if no redirect URL is specified.

– Methods –

  • Authenticate(): validates a user name and password against credentials stored in the configuration file for an application
  • SetAuthCookie(): creates an authentication ticket for the user
  • SignOut(): removes the forms-authentication ticket from the browser
  • GetRedirectUrl(): returns the redirect URL for the original request that caused the redirect to the login page
  • RedirectFromLoginPage(): redirects an authenticated user back to the originally requested URL or the default URL
  • RedirectToLoginPage(): redirects the browser to the login URL.

4. Authenticating Users

There are two ways to authenticate users when you use “FormsAuthentication”:

  • When the user credentials are stored in the “credentials” section of the application configuration file: use the “FormsAuthentication.Authenticate()” method.
  • When the user credentials are stored in a Membership store such as SQL Server: use the “Membership.ValidateUser()” method.

// in the login button's click handler
// if (FormsAuthentication.Authenticate(userName, password))   // credentials in Web.Config
if (Membership.ValidateUser(userName, password))                // credentials in the Membership store
{
  // authenticated
}
else
{
  // wrong user name or password
}

5. Redirecting Users From the Login Page

Once a user is authenticated, you usually need to redirect a user to the originally requested page or any member-only page you choose.

  • public static void RedirectFromLoginPage(string userName, bool createPersistentCookie)

The “RedirectFromLoginPage()” method is used for this purpose. It redirects the user to the originally requested page or, if there is none, to the “DefaultUrl”. The second parameter controls whether a persistent cookie is created.
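A login-page code-behind that ties sections 4 and 5 together, as an added example rather than code from the original post; the control names (userNameBox, passwordBox, rememberMeBox, errorLabel) and the IsLocalUrl helper are assumed:

```csharp
// Login.aspx.cs: added example, not from the original post. Control names
// (userNameBox, passwordBox, rememberMeBox, errorLabel) are assumed.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = userNameBox.Text.Trim();
        // Credentials in the Membership store (e.g. SQL Server); for
        // <credentials> in Web.Config use FormsAuthentication.Authenticate().
        if (!Membership.ValidateUser(userName, passwordBox.Text))
        {
            // One generic message: do not reveal whether the user name exists.
            errorLabel.Text = "Invalid user name or password.";
            return;
        }

        bool persistent = rememberMeBox.Checked; // only when the user asked for it

        // ReturnUrl is client-supplied. Honour it only when it stays inside
        // this application; otherwise issue the ticket and go to DefaultUrl.
        if (IsLocalUrl(Request.QueryString["ReturnUrl"]))
        {
            FormsAuthentication.RedirectFromLoginPage(userName, persistent);
        }
        else
        {
            FormsAuthentication.SetAuthCookie(userName, persistent);
            Response.Redirect(FormsAuthentication.DefaultUrl);
        }
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the ticket cookie
        FormsAuthentication.RedirectToLoginPage();
    }

    // Accept "~/x" and "/x" only; "//host" and "/\host" are scheme-relative
    // and would send the browser to another site.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```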

6. Retrieving User’s Identity

Once the user is logged in, you can use the “Page.User” property to access the identity of the user.

The “User” object is of type “System.Security.Principal.IPrincipal”, which has one property and one method.

  • IIdentity Identity { get; }
  • bool IsInRole(string role)

The “System.Security.Principal.IIdentity” has 3 properties:

  • string AuthenticationType { get; }
  • bool IsAuthenticated { get; }
  • string Name { get; }

// Page_Load of the page the user was redirected to after login
protected void Page_Load(object sender, EventArgs e)
{
  System.Security.Principal.IIdentity userIdentity = Page.User.Identity;
  string type = userIdentity.AuthenticationType; // "Forms"
  string authenticated = userIdentity.IsAuthenticated.ToString();
  string name = userIdentity.Name;
  resultMsg.Text = String.Format("Type: {0}, Authenticated: {1}, Name: {2}", type, authenticated, name);
}
