·Windows – When an application uses Windows authentication it is the web server’s responsibility to authenticate the visitor, and this is usually done through Basic, Digest, or Integrated Windows authentication.
·Forms – users are authenticated via a form on a web page.
·Passport – users are authenticated using Microsoft’s Passport Network.
·None – no authentication model is used; all visitors are anonymous.
Let's take a look at forms authentication.
In the web.config set:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="30" cookieless="UseDeviceProfile"/>
</authentication>
The default attribute values are described below:
·loginUrl points to your application's custom logon page.
·protection is set to All to specify privacy and integrity for the forms authentication ticket. This causes the authentication ticket to be encrypted using the algorithm specified on the machineKey element, and to be signed using the hashing algorithm that is also specified on the machineKey element.
·timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
·cookieless is set to UseDeviceProfile to specify that the application use cookies for all browsers that support cookies. If a browser that does not support cookies accesses the site, then forms authentication packages the authentication ticket on the URL.
The UrlAuthorizationModule class is used to help ensure that only authenticated users can access a page. In the web.config set:
<authorization>
  <deny users="?" />
</authorization>
When a browser requests an .aspx page in the application's virtual directory, this is what happens:
·IIS allows the request, as it is configured for anonymous access.
·Because the ASP.NET configuration includes an authorization element that denies anonymous users, unauthenticated requests are rejected.
·ASP.NET looks for the forms authentication ticket on the incoming request. If it fails to find one, it redirects the user to the loginUrl specified in the web.config, adding the ReturnUrl of the requested page to the query string.
·On the login page the user's credentials are checked against a data store; once validated, the user is redirected to the page named in the ReturnUrl query string parameter.
The Membership class provides the user validation:
if (Membership.ValidateUser(userName.Text, password.Text))
{
    // Credentials matched the configured membership store.
    if (Request.QueryString["ReturnUrl"] != null)
    {
        // Issue the forms ticket and send the user back to the page that triggered the login.
        FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
    }
    else
    {
        // No ReturnUrl: issue a non-persistent ticket and stay on this page.
        FormsAuthentication.SetAuthCookie(userName.Text, false);
    }
}
else
{
    Response.Write("Invalid UserID and Password");
}
The FormsAuthentication class creates the authentication cookie automatically when the FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage methods are called.
When the authenticated user requests the page again, the FormsAuthenticationModule class detects the forms authentication cookie and authenticates the user. After successful authentication, the FormsAuthenticationModule class populates the current User property, which is exposed by the HttpContext object, with information about the authenticated user.
The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your application has specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext.User property.
Note: If you do this, you will also need to set the IPrincipal reference on the Thread.CurrentPrincipal property to ensure that the HttpContext object and the thread point to the same authentication information.
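The custom-principal approach described above, as an added example that is not code from the original post: a Global.asax code-behind handling HttpApplication's PostAuthenticateRequest event (the "PostAuthenticate" event referred to in the text). HomePrincipal is a hypothetical class name, and the Roles.GetRolesForUser call assumes the ASP.NET role provider is enabled in web.config.

```csharp
// Added example, not from the original post: Global.asax code-behind that
// handles PostAuthenticateRequest and replaces the GenericPrincipal built by
// FormsAuthenticationModule with a custom IPrincipal wrapping the FormsIdentity.
// HomePrincipal is a hypothetical name; Roles.GetRolesForUser assumes the
// ASP.NET role provider is enabled in web.config.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Keeps the FormsIdentity created by forms authentication and answers
// IsInRole from a role list captured once per request.
public class HomePrincipal : IPrincipal
{
    private readonly FormsIdentity _identity;
    private readonly string[] _roles;

    public HomePrincipal(FormsIdentity identity, string[] roles)
    {
        _identity = identity;
        _roles = roles ?? new string[0];
    }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role) { return Array.IndexOf(_roles, role) >= 0; }
}

public class Global : HttpApplication
{
    // Fires after FormsAuthenticationModule has verified the ticket and put a
    // GenericPrincipal (holding a FormsIdentity) into Context.User.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous or non-forms request: leave the principal alone

        string[] roles = Roles.GetRolesForUser(identity.Name); // from the configured RoleProvider
        IPrincipal principal = new HomePrincipal(identity, roles);

        // Set both references so HttpContext.User and the thread agree.
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```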
Using the Membership Provider
The provider model in ASP.NET 2.0 provides extensibility points for developers to plug their own implementation of a feature into the runtime. Both the membership and role features in ASP.NET 2.0 follow the provider pattern by specifying an interface, or contract.
The MembershipProvider requires a membership class to implement a ValidateUser method. The default membership provider in 2.0, the SqlMembershipProvider, implements this method by executing a stored procedure in a SQL Server database. If you want to write your own provider to use an XML file as a data store for membership information, you’ll have to write the code for ValidateUser to verify a user’s password against information kept in the XML file.
The beauty of the provider model is this: higher-level application services can build upon a provider and not need to know the details of what happens behind the interface. A good example is the ASP.NET 2.0 membership controls, which include a Login control, a CreateUser control, a LoginStatus control, and more. All of these controls program against the MembershipProvider contract. At some point, the login control will need to invoke the ValidateUser method on the configured provider. The login control doesn’t care if the call travels to a SQL Server database or an XML file. All the login control cares about is passing in a username and a password and receiving a true or false value in return.
The login controls integrate well with the membership provider.
Next, let's create a login page named Login to validate the user's credentials. Once the page is created, the new Login control that comes with ASP.NET 2.0 can be used in this page. This control performs the basic login page functionality and can also be set to perform all the needed control validation by setting properties at design time!

The control also gives us the option to add links on the new page. In this case I have added the links to the new user sign-up and the forgot password pages.
For the login controls to become fully functional we would need to add a schema provided by Microsoft to our database. We could use a tool to do this.
In Run, enter %WINDIR%\Microsoft.Net\Framework\v2.0.50727\aspnet_regsql.exe to run the tool. The tool has a UI which prompts us for the database to add the schema to. Once the schema is added to our database, a number of tables, stored procedures, etc. get created in it. Two tables that are used by the membership provider for storing user information are aspnet_Users and aspnet_Membership.
When a new user signs up using the CreateUserWizard control, his information is stored in these tables.
The database connection string would look like
<connectionStrings>
<clear/>
<add name="LocalSqlServer" connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=HomeManagementSystem;Integrated Security=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
The name LocalSqlServer is the name that ASP.NET looks for, and it is hard-wired into your machine.config if you installed SQL Express. You can override the inherited entry with your own settings by using the clear element first, as above.
The membership provider settings in the web.config would look like
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="HomeManagementSystem" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
Like I mentioned before, once the new user is created the user information is stored in the aspnet_Users and aspnet_Membership tables. The controls in the form can be validated by setting the validation properties at design time. We could even customize the controls as per our needs, but for that the control would need to be converted to a template at design time, which generates the HTML code for the controls.
Let's go back to the login page once again. Once a new user signs up he would be redirected to the login page and would be able to log in using his credentials. If the user checks the "Remember me next time" check box, his cookie is persisted after the browser is closed. Once the user is validated against the membership database he is redirected to the requested page (please note the ReturnUrl in the URL query string).
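Creating the account through the Membership API rather than the CreateUserWizard, as an added example that is not code from the original post; it shows how the policy from the web.config above (7-character minimum, 1 non-alphanumeric character, unique e-mail, question and answer) comes back from SqlMembershipProvider as a status code. The control names (txtUser, txtPassword, txtEmail, txtQuestion, txtAnswer, lblError) are hypothetical.

```csharp
// Added example, not from the original post: creating an account through the
// Membership API so the password policy, requiresUniqueEmail and
// requiresQuestionAndAnswer settings in web.config are enforced by the
// configured SqlMembershipProvider. Control names are hypothetical.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class SignUp : Page
{
    protected void btnCreate_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        // Policy checks happen inside the provider; failures come back as a
        // status code rather than an exception.
        MembershipUser user = Membership.CreateUser(
            txtUser.Text, txtPassword.Text, txtEmail.Text,
            txtQuestion.Text, txtAnswer.Text, true /* isApproved */, out status);

        if (status == MembershipCreateStatus.Success)
        {
            // Row now exists in aspnet_Users / aspnet_Membership; send to login.
            Response.Redirect("Login.aspx");
            return;
        }
        lblError.Text = Describe(status);
    }

    // Maps provider status codes to user-facing messages without echoing input.
    private static string Describe(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.InvalidPassword:
                return "Password must be at least 7 characters and contain 1 non-alphanumeric character.";
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                return "That user name or e-mail address is already in use.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "A security question and answer are required.";
            default:
                return "The account could not be created.";
        }
    }
}
```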
I will be discussing the forgot password control in a different blog.
Nice article, helped me understand form authentication better.