
ASP .NET: Securing ASP.NET Applications with C#


Posted Date: 08 Apr 2006    Resource Type: Articles    Category: .NET Framework
Author: ankita    Member Level: Gold
Rating: 1 out of 5    Points: 7



ASP.NET Security Overview: Security is one of the most important components of any application, and it matters even more when you are building a web application that is exposed to millions of users. ASP.NET provides classes and methods for securing the application against outside attacks. In this article we will investigate the different types of authentication provided by ASP.NET.
Windows Authentication
Windows Authentication mode lets the developer authenticate a user based on Windows user accounts. This is the default authentication mode provided by ASP.NET. You can easily get the identity of the user with User.Identity.Name, which returns the computer name along with the user name. Windows authentication also provides the IsInRole method to find the role of the user, and you can then grant permissions to the user depending on that role.

Forms Authentication
First you need to set up forms authentication in the web.config file. If you look in the web.config file, you will find a tag like this:

<authentication mode="Windows" />

By default it is set to the Windows authentication mode. To change this to forms authentication, you just need to change Windows to Forms, as shown below:

<authentication mode="Forms" />

Now your application is set to use forms authentication instead of Windows authentication.


Storing username and password in the Web.config file:
If only a few users need to use the application, you can store their usernames and passwords in the web.config file.

<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <!-- passwordFormat="Clear" matches the clear-text passwords stored below -->
    <credentials passwordFormat="Clear">
      <user name="Joe" password="Smith" />
    </credentials>
  </forms>
</authentication>


You will see some new tags and attributes above. Let's explain all of them:

The forms tag has a loginUrl attribute, which is the URL of the page users are redirected to if they try to access a page that requires authorization. In this case we have given the URL as Login.aspx, which means that a user who tries to access a page without being signed in is redirected to the Login.aspx page.

Next comes the credentials tag, whose user entries carry a name and a password attribute. These are simply the username and password for a particular user. All the usernames and passwords present in the web.config file's credentials tag are authorized to use the pages.

You can store multiple usernames and passwords in a single web.config file. In the code below, two usernames and their passwords are stored:


<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <!-- passwordFormat="Clear" matches the clear-text passwords stored below -->
    <credentials passwordFormat="Clear">
      <user name="Joe" password="Smith" />
      <user name="azam" password="hello" />
    </credentials>
  </forms>
</authentication>

Now the usernames and passwords are stored in the web.config file, and you want to authenticate the user against those credentials. Let's set one more thing up first: the authorization tags in the web.config file.

<authorization>
  <deny users="?" />
</authorization>


The deny users="?" entry denies anonymous (unauthenticated) users, which means that anyone who has not signed in with a username present in the web.config file cannot access the pages.
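The login check that goes with this configuration, as an added example that is not part of the original article: the handler validates the submitted credentials against the web.config entries and issues the forms-authentication cookie. The control names (txtUser, txtPassword, chkRemember, lblError), the btnLogin_Click handler name and the HashForConfig helper are assumptions made for illustration.

```csharp
// Added example (not from the original article): code-behind for Login.aspx.
// Control names (txtUser, txtPassword, chkRemember, lblError) are assumed.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Declared by hand so this file compiles alone. If your project generates
    // a designer file, drop these fields and mark the class partial.
    protected TextBox txtUser;
    protected TextBox txtPassword;   // TextMode="Password" in the markup
    protected CheckBox chkRemember;
    protected Label lblError;

    // Wired to the login button: OnClick="btnLogin_Click".
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // Compares the pair against <credentials> in web.config, using the
        // passwordFormat declared there (Clear, SHA1 or MD5).
        if (FormsAuthentication.Authenticate(user, password))
        {
            // Issues the authentication cookie, then redirects to the page
            // named in the ReturnUrl query string (or the default page).
            FormsAuthentication.RedirectFromLoginPage(user, chkRemember.Checked);
            return;
        }

        // One message for both failure cases, so the page does not reveal
        // which user names exist in web.config.
        lblError.Text = "Invalid user name or password.";
    }

    // Returns the hex digest to store in <user password="..."> when
    // <credentials passwordFormat="SHA1"> replaces clear-text passwords.
    public static string HashForConfig(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }
}
```

Both Authenticate and HashPasswordForStoringInConfigFile are marked obsolete from .NET Framework 4.5 in favour of the Membership APIs; they are used here because they are the calls that read the web.config credential store this article sets up.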

Let's make a simple login screen that lets the user enter his credentials:

Suppose you are too lazy to change your page name from WebForm1 to Login.aspx. If you run the page now, you will see an error saying that there is no Login.aspx page. You may wonder why ASP.NET is looking for a Login.aspx page. The reason is that you told ASP.NET that the login page would be named Login.aspx, remember:














Responses

Author: amit khosla    10 Apr 2006    Member Level: Gold    Points: 0
The authentication is covered beautifully.

