Jan. 18, 2011, 6:57 p.m.
posted by ninjacat
Version 1.1 of ASP.NET provided many built-in security services for developers to take advantage of. A common favorite is Forms-based authentication.
Forms-based authentication allows Web developers to easily build applications that require authentication to access secured resources. However, rather than relying on Windows Authentication, Forms-based authentication allows us to author a simple ASP.NET login page. ASP.NET is then configured so that any unauthenticated requests are redirected to the login page (see Figure on the next page).
The login page is a simple ASP.NET page used to collect and verify the user's credentials. It is the responsibility of the login page to determine whether the user credentials are valid; typically this information is stored in a database.
Listing 6.1 shows an example of a login page written in ASP.NET 1.1.
<%@ Page Language="VB" %>
<%@ import namespace="System.Data" %>
<%@ import namespace="System.Data.SqlClient" %>
<script runat="server">
    Public Sub Login_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim userId As Integer = 0
        Dim reader As SqlDataReader
        ' ASP.NET 1.1 has no ConnectionStrings section; the connection
        ' string is read from <appSettings> by key
        Dim connectionString As String = _
            ConfigurationSettings.AppSettings("MyConnectionString")
        Dim conn As New SqlConnection(connectionString)
        Dim command As New SqlCommand("dbo.Authenticate", conn)

        ' Set the command type to stored procedure
        command.CommandType = CommandType.StoredProcedure

        ' Set @Username and @Password as typed parameters, so the
        ' submitted text is never concatenated into SQL
        command.Parameters.Add("@Username", _
            SqlDbType.NVarChar, 256).Value = Username.Text
        command.Parameters.Add("@Password", _
            SqlDbType.NVarChar, 256).Value = Password.Text

        Try
            ' Open the connection and execute the reader
            conn.Open()
            reader = command.ExecuteReader()

            ' Read the value we're looking for; an empty result set
            ' (no matching user) leaves userId at 0
            If reader.Read() Then
                userId = Convert.ToInt32(reader("UserId"))
            End If
            reader.Close()
        Finally
            ' Always release the connection, even if the query fails
            conn.Close()
        End Try

        ' Did we find a user?
        If (userId > 0) Then
            FormsAuthentication.RedirectFromLoginPage(Username.Text, _
                False)
        Else
            Status.Text = "Invalid Credentials: Please try again"
        End If
    End Sub
</script>
<html>
<body style="FONT-FAMILY: Verdana">
    <H1>Enter your username/password</H1>
    <form id="Form1" runat="server">
        Username: <asp:textbox id="Username" runat="server" />
        <br>
        Password: <asp:textbox id="Password" TextMode="Password" runat="server" />
        <p>
        <asp:button id="Button1" text="Check if Member is Valid"
            onclick="Login_Click" runat="server"/>
    </form>
    <font color="red" size="6">
        <asp:label id="Status" runat="server"/>
    </font>
</body>
</html>
In the above sample the login page handles the Login_Click event, connects to a database, calls a stored procedure to verify the submitted username and password, and then either uses the FormsAuthentication APIs to log the user in or tells the user that the credentials are invalid.
The ASP.NET FormsAuthentication class is used to encrypt the username (as an authentication ticket) and store it securely in an HTTP cookie. On subsequent requests this HTTP cookie, with its encrypted contents, is decrypted and the user is automatically reauthenticated.
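The two pieces of configuration the text refers to (redirecting unauthenticated requests to the login page, and protecting the ticket cookie that FormsAuthentication issues) both live in web.config. The fragment below is an added example, not part of the original chapter or listing; it assumes the login page is saved as Login.aspx, that the connection string is stored under the appSettings key "MyConnectionString" (the key the listing reads), and it uses obvious placeholder values for the server and database names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Connection string looked up by the login page; server and
       database values are placeholders, not real names -->
  <appSettings>
    <add key="MyConnectionString"
         value="Server=DB_SERVER_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;" />
  </appSettings>

  <system.web>
    <!-- Switch from Windows authentication to Forms authentication.
         protection="All" both encrypts the ticket and appends a MAC,
         so a modified or forged cookie fails validation instead of
         being accepted as a logged-in user. requireSSL keeps the
         cookie off plain HTTP. timeout is in minutes; with
         slidingExpiration="false" a ticket expires at a fixed time
         after login rather than being renewed on every request. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- Deny anonymous users ("?") everywhere in the application;
         ASP.NET redirects them to loginUrl. The login page itself is
         exempt from this rule, so users can still reach it. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keys used to encrypt and validate the ticket. AutoGenerate is
         fine on a single server; a web farm needs identical explicit
         keys on every node, or a cookie issued by one server is
         rejected by another. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>
```

The `<deny users="?" />` entry is what turns every unauthenticated request into a redirect to the login page; if you only want part of the site protected, put the `<authorization>` element inside a `<location path="...">` element for that folder instead of at the application root. The attributes `requireSSL` and `slidingExpiration` exist from ASP.NET 1.1 onward, so this file matches the version the listing targets.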
Forms Authentication is definitely a great feature, but what makes it even better is the reduction of the code the developer must write. Forms Authentication isn't something new introduced by ASP.NET. Rather, ASP.NET is simply providing an easier way to solve the problem; in the past, most developers would have needed to author this code plus infrastructure on their own.
One of the things you may have noticed about the ASP.NET team members: They are always looking for ways to make things easier. They want developers to solve problems without writing hundreds of lines of code. For ASP.NET 2.0 they're again tackling many security-related problems and providing new features to make things simpler.
In this chapter we're going to examine some of the security infrastructure and controls that have been added in ASP.NET 2.0. We'll start by looking at the new Membership feature. Membership solves the user credential storage problem, a problem most developers solved themselves in ASP.NET 1.0.