
ASP.NET Forms Security

by Jesse Liberty, coauthor of Programming ASP.NET, 2nd Edition

"Wow!" That is my honest opinion about the level of support built into ASP.NET 2.0 for forms-based security. To see how easy it is to provide login screens and authentication, you only need to put together a relatively small application and compare the work you have to do in 2.0 with the work you would have had to do in 1.1.

Rather than belabor the point, we'll just walk through an example using the May 2005 Community Edition available for download from Microsoft for Universal MSDN subscribers, people who went to TechEd, and a few other friends of Bill. Because some of you may not have access to Visual Studio .NET 2005, I'll provide numerous screen shots as I walk through the application.

To begin, create an empty directory called WebFormSecurity. In the IIS manager (accessed through the control panel), create a virtual directory to point to the WebFormSecurity folder, and after it is created, click Properties. In the Properties window, click on the ASP.NET tab, and then click Edit Configuration. Click on the Authentication tab and set the Authentication Mode to Forms, as shown in Figure 1.

Figure 1.

If you return to the directory you created, you'll find that a web.config file has been created for you, with a configuration section in which the authentication mode is set to Forms. Now fire up Visual Studio .NET and create a new web site named WebFormsSecurity in C#, as shown in Figure 2.

Figure 2.

ASP.NET 2.0 will create a new web site for you and will create a Default.aspx page, as well. Your goal will be to have two pages: a default page that displays different information to users who are logged in than to users who are not yet logged in, and a login page that allows the user to log in.
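
For reference, a web.config equivalent to the one produced by the IIS step above, followed by the same section with the forms cookie settings made explicit. This is an added example, not part of the original article: the Login.aspx page name, the cookie name, and the timeout value are assumptions, and the attribute names are those of the released ASP.NET 2.0 configuration schema rather than the May 2005 preview.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- Equivalent of the generated section: forms authentication with
         every forms attribute left at its default value.

         <authentication mode="Forms" />
    -->

    <!-- Same mode, with the ticket and cookie behaviour spelled out. -->
    <authentication mode="Forms">
      <forms
        name=".WEBFORMSECURITY"
        loginUrl="Login.aspx"
        defaultUrl="Default.aspx"
        protection="All"
        requireSSL="true"
        cookieless="UseCookies"
        timeout="20"
        slidingExpiration="false" />
      <!-- name:              cookie name (assumed value); use a distinct name
                              per application sharing a host.
           loginUrl:          where unauthenticated requests for protected
                              pages are redirected (assumed page name).
           defaultUrl:        where the user lands after login when there is
                              no return URL.
           protection="All":  the ticket is both encrypted and validated, so
                              it cannot be read or altered on the client.
           requireSSL="true": the cookie is marked Secure and is only sent
                              over HTTPS; the site must be served over SSL.
           cookieless:        UseCookies keeps the ticket out of the URL,
                              where it would leak through logs and referrers.
           timeout:           ticket lifetime in minutes (assumed value).
           slidingExpiration: false gives a fixed lifetime rather than one
                              that renews while the user stays active. -->
    </authentication>

  </system.web>
</configuration>
```

No authorization section is included because the default page in this walkthrough has to stay reachable by users who are not logged in.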

In order to have users log in, however, you must first create a database of users. To do so, you'll want a page that lets your users create an account. Let's start there, by creating a new page called CreateAccount.aspx. Right-click on the project and choose New Item. Create the new page, as shown in Figure 3.

Figure 3.

The Create User Wizard

Click on the design tab for your page, and then click on the Security tab in the toolbox. Drag an instance of CreateUserWizard onto your page, as shown in Figure 4.

Figure 4.

As you can see, this is a very powerful control. It prompts the user for a username, a password (twice), an email address, and a security question and answer. All of this is configurable through the HTML that is created by this control.

Click on the control and scroll through the properties to find ContinueDestinationPageUrl. Click the Browse button and choose the CreateAccount.aspx page, so that you'll be brought back to the same page after the new user is confirmed. Finally, set the CreateAccount.aspx page as your Start page, and fire up the application. You will be prompted to add a new user, as shown in Figure 5.

Figure 5.

Click the Create User button. You should see a confirmation screen and a button marked Continue. Clicking Continue will bring you back to the Create Account form to add another user. Add a few; you'll find that it won't let you enter the same username twice, that the two passwords must match, and that the required fields must have text. All of this is managed by Field Validator controls within the HTML created by the wizard control.
