| Author: sathiyasivam 16 May 2007 | Member Level: Diamond | Rating:  Points: 2 |
By providing Username and Password .
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
be clear
its form authentication or forms authentication?
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Standard Forms Authentication Setup
Pages used: Default.aspx, Login.aspx, Web.config
In the standard method of Forms Authentication, all user information is stored in the Web.config.
Create a folder named standardForms under your webroot.
Make this folder an application inside the Internet Services Manager. (This should be familiar territory if you ever used the Global.asa in ASP.)
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Web.config Overview
The Web.config contains all of the configuration settings for an ASP.NET application. The idea is to put the control of the Web application in the hands of the developer rather than the system administrator. There are lots of options you can use here. This article details only the ones specific to Forms Authentication today.
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Web.config Code Using the Standard or "Credentials" Method
Authentication
Attributes
Description
Name
This is the name of the cookie used for authentication. NOTE: If multiple applications want to use FormsAuthentication on the same machine, it is best to use unique names.
Path
Path used for cookie. The default value "/" often avoids errors with incorrect case in paths, since browsers are strictly case-sensitive when it comes to returning cookies.
LoginUrl
URL that unauthenticated users are redirected to.
Protection
Method used to protect cookie data. Default and suggested value is "All," which does validation and encryption.
Timeout
Number of minutes until authentication cookie expires.
Credentials
Attributes
Description
passwordFormat
Format the password will be stored in. Valid values include Clear, SHA1, and MD5. SHA1 and MD5 are both hashing algorithms that make storing passwords in the Web.config more secure.
User
This is the area to store the username and password. You can secure the passwords by running the HashPasswordForStoringInConfigFile function to get the hashed password. I will demonstrate this later.
Authorization
Attributes
Description
Deny | Allow
This section allows us to deny or allow users to the site. ? = anonymous/unauthenticated users and * means all users. This section also allows us to specify certain users, and allow or deny permissions.
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Web.config Code
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30">
<credentials passwordFormat="Clear">
<user name="jeff" password="test" />
<user name="mike" password="test" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Web.config Details
Inside the Web.config above we have configured several options.
Authentication
The mode attribute for the <authentication> configuration section sets the authentication mode to Forms. Inside the <forms> section we are assigning the name attribute to "AppNameAuth". You might want to change the name of the cookie to something like "HRWebAuth", where HRWeb is the name of your application.
Remember, if you are going to have multiple applications on the same machine, it's suggested that you use unique names for your cookies.
Next, we set the path to the root of the application. We assign the loginUrl attribute a local page named loginUrl.aspx. You can use URL paths like https://secured.sumnurv.com for redirection as well. Setting protection to all is the suggested value. This means that the cookie will be both encrypted (using the Triple DES data-encryption standard) and validated.
The validation algorithm comes from the machineKey element located in Machine.config. This data validation ensures that the cookie data wasn't tampered with during transit (someone sniffing traffic and responding with modified cookie).
The timeout attribute refers to the number of minutes before a cookie expires and the user must log in again. In the credentials section, we add two users and their passwords. This is where FormsAuthentication will look to authenticate the users.
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Authorization
In the authorization section, we want to ensure that no unauthenticated users can access the application. The "?" means anonymous users, so we set a deny flag for all anonymous users.
Login.aspx Overview
All user authentication logic is performed here. If you wish to verify a user's credentials against the Web.config, XML or text file, or database, this is the place it would happen. This example shows how to authenticate to the Web.config
Login.aspx Code
<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="VB" runat="server">
Sub ProcessLogin(objSender As Object, objArgs As EventArgs)
If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersistLogin.Checked)
Else
ErrorMessage.InnerHtml = "<b>Something went wrong...</b> please re-enter your credentials..."
End If
End Sub
</script>
<html>
<head>
<title>Standard Forms Authentication Login Form</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<form runat="server">
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="80">Username : </td>
<td width="10"> </td>
<td><asp:TextBox Id="txtUser" width="150" runat="server"/></td>
</tr>
<tr>
<td>Password : </td>
<td width="10"> </td>
<td><asp:TextBox Id="txtPassword" width="150" TextMode="Password" runat="server"/></td>
</tr>
<tr>
<tr>
<td></td>
<td width="10"> </td>
<td><asp:CheckBox id="chkPersistLogin" runat="server" />Remember my credentials<br>
</td>
</tr>
<tr>
<td> </td>
<td width="10"> </td>
<td><asp:Button Id="cmdLogin" OnClick="ProcessLogin" Text="Login" runat="server" /></td>
</tr>
</table>
<br>
<br>
<div id="ErrorMessage" runat="server" />
</form>
</body>
</html>
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Login.aspx Details
I have referenced the System.Web.Security namespace since we will be working with authentication. All methods of authentication reside in this namespace. FormsAuthentication is a class of the System.Web.Security namespace. Here we have a simple server-side form setup with one textbox and one password input for username and password. I have included a check box in case the user wants to have a permanent cookie set. The Submit button has an event "onclick" which runs a sub called ProcessLogin. Inside ProcessLogin we execute the Authenticate method of the FormsAuthentication class, passing in the given username and password. This method checks the credential's tags inside the Web.config for the username and password. If they match, then we execute the RedirectFromLoginPage with the username and persistent cookie state (if checked). This method then writes a cookie to the user's machine to track them and ensure they are authenticated. If the username and password do not match, then an error occurs and the user is notified.
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Default.aspx Overview
This is the page the user is requesting or trying to access. Here we will display the currently authenticated user and the authentication type.
Default.aspx Code
<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="vb" runat="server">
Sub SignOut(objSender As Object, objArgs As EventArgs)
'delete the users auth cookie and sign out
FormsAuthentication.SignOut()
'redirect the user to their referring page
Response.Redirect(Request.UrlReferrer.ToString())
End Sub
Sub Page_Load()
'verify authentication
If User.Identity.IsAuthenticated Then
'display Credential information
displayCredentials.InnerHtml = "Current User : <b>" & User.Identity.Name & "</b>" & _
"<br><br>Authentication Used : <b>" & User.Identity.AuthenticationType & "</b>"
Else
'Display Error Message
displayCredentials.InnerHtml = "Sorry, you have not been authenticated."
End If
End Sub
</script>
<html>
<head>
<title>Forms Authentication</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<span class="Header">Forms Based Authentication using standard method</span>
<br>
<br>
<div id="displayCredentials" runat="server" />
<br>
<br>
<form runat="server">
<asp:Button id="cmdSignOut" text="Sign Out" runat="server" onClick="SignOut" />
</form>
</body>
</html>
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: ChandraShekar Thota 27 Jun 2007 | Member Level: Diamond | Rating: Points: 2 |
Again I have referenced the System.Web.Security namespace since we will need some of its methods and properties. This page contains a simple div element thatwill display the current credentials and authentication type used. There is also a signout input element that runs a sub that deletes the user's cookie. They are then redirected to the login page. In the Page_Load event, I check to see if the user has been authenticated using the User.Identity.IsAuthenticated property. This returns a Boolean value indicating whether or not the user has been authenticated. If the user is authenticated, we want to display the current user's name and the authentication method used. We can access the currently logged on user's name with the User.Identity.Name property. User.Identity.AuthenticationType returns the mode of authentication used. We also use a SignOut procedure that allows the user to sign out and deletes the cookie from the user's computer. This will even delete a persistent cookie.
Chandra Shekar Thota
Microsoft MVP
DNS is Y(Our) Site.Please work more on it to make it Worlds Best Technical Site
chandrashekarthota@gmail.com
|
| Author: Sridhar R 02 Aug 2008 | Member Level: Diamond | Rating: Points: 3 |
Verify this link..This may help u...
http://www.devhood.com/Tutorials/tutorial_details.aspx?tutorial_id=85
http://msdn.microsoft.com/en-us/library/aa480476.aspx
Regards
Sridhar R
Nothing is illegal, Until You Get Caught
With Tears...Sridhar R
|
| Author: asdf 14 Aug 2008 | Member Level: Silver | Rating: Points: 0 |
It’s for validate the anonymous user credentials.
System.Web.Security namespace is needed.
FormAuthenticationModule which is in HttpModule class.
If ticket is present, Security context is created by HttpContext.Current.User property with default instance of GenericPrinciple which contains FormsIdentity instance with the name of currently logged-in user.
Eg.
<authentication mode=”Forms”>
<forms loginUrl=”frmLogin.aspx” timeout=”1”/>
</authentication>
<authorization>
<allow users=”?”/>
<deny users=”?”/>
</authorization>
|