ASP.NET: Forms-Based Authentication

Source: Internet
Author: User

ASP.NET forms-based authentication is the most commonly used type of authentication and can be applied to applications easily and flexibly. Forms authentication provides good support for user-based authentication and authorization: a login page verifies the user's identity, the identity is sent back to the client in a cookie, and the client then presents this identity cookie to the server when it accesses the Web application. Authorization settings on the server control access according to the permissions that different users have on different directories.

To use forms authentication, first make the appropriate settings in the Web.config file in the application root directory:

<authentication mode="Forms">
    <!-- The timeout value is missing from the source text; 30 (minutes) is the ASP.NET default. -->
    <forms name=".ASPXAUTH" loginUrl="/login.aspx" timeout="30" path="/">
    </forms>
</authentication>

Here, <authentication mode="Forms"> means that this application uses forms authentication.

(1) The name attribute of the <forms> element specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. After a user has been authenticated in this way, an authentication ticket of type FormsAuthenticationTicket is built from the user's information and encrypted into a string, and that string is written to the client cookie whose name is given by the name attribute. Once this cookie has been written to the client, the browser sends it to the server with each subsequent request, and the server knows from it that the user has been authenticated.

To see what information the authentication ticket contains, look at the properties of the FormsAuthenticationTicket class:

CookiePath: Returns the path for which the cookie was issued. Note that the path of the forms element is set to /. Because paths are case-sensitive, this is a protective measure in case URLs within the site are written with inconsistent case. The path is used when the cookie is refreshed.

Expiration: Gets the date/time at which the cookie expires.

IsPersistent: Returns true if a persistent cookie has been issued. Otherwise, the authentication cookie is limited to the lifetime of the browser session.

IssueDate: Gets the date/time at which the cookie was originally issued.

Name: Gets the user name associated with the authentication cookie.

UserData: Gets the application-defined string stored in the cookie.

Version: Returns the byte version number, for future use.

(2) The loginUrl attribute of the <forms> element specifies the URL to which a request is redirected if no valid authentication cookie is found. The default value is Login.aspx. The page specified by loginUrl authenticates the user. It typically lets the user enter a user name and password, and the application then verifies the submitted credentials in whatever way it requires (in most cases by comparing the user's input with the user table in a database). If the user is valid, the page generates the authentication ticket for that user, writes it to the client's cookie, and finally redirects the browser to the page the user originally requested. The FormsAuthentication.RedirectFromLoginPage method is generally used to carry out this whole series of actions: generating the authentication ticket, writing it back to the client, and redirecting the browser. The RedirectFromLoginPage method takes 3 parameters and is defined as follows:

public static void RedirectFromLoginPage(string userName, bool createPersistentCookie, string strCookiePath)

where:

userName: The user's identifier, used to uniquely identify this user. It does not necessarily map to the user's account name.

createPersistentCookie: Indicates whether a persistent cookie is issued. If the cookie is not persistent, the Expiration property of the ticket is the current time plus the timeout set in web.config. On each page request, the authentication process checks whether half of the validity period has passed and, if so, renews the cookie's validity period. If the cookie is persistent, the Expiration property is meaningless and the lifetime of the authentication ticket is determined by the cookie's Expires attribute, which the RedirectFromLoginPage method sets to 50 years.

strCookiePath: The path with which the generated cookie is written to the client. This path is saved in the authentication ticket and is used when the authentication ticket cookie is refreshed (it is also the path of the generated cookie). If the strCookiePath parameter is not supplied, the path attribute set in web.config is used.

As you can see, this method takes only three parameters, while the authentication ticket has seven properties. The remaining four are set as follows:

IssueDate: The cookie's issue time is taken from the current time.

Expiration: The expiration time is calculated from the current time and the timeout attribute of the <forms> element, described below. This value is meaningful for non-persistent cookies.

UserData: The application can write user-defined data to this property. This method does not use it and simply sets it to an empty string. Take note of this property, because we will use it later.

Version: The version number is supplied automatically by the system.

After the RedirectFromLoginPage method has generated the authentication ticket, it calls the FormsAuthentication.Encrypt method to encrypt the ticket into a string, and this string becomes the value of the cookie named .ASPXAUTH. The other attributes of this cookie are set as follows: Domain and Path are set to their actual values, and Expires depends on the createPersistentCookie parameter. For a persistent cookie, Expires is set to 50 years in the future; for a non-persistent cookie, the Expires property is not set.

After the authentication cookie has been generated, it is added to Response.Cookies, where it waits to be sent to the client.

Finally, the RedirectFromLoginPage method calls the FormsAuthentication.GetRedirectUrl method to obtain the page that the user originally requested and redirects to that page.
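
The same steps done by hand, so that UserData and the expiration are under the application's control. This is an added C# example, not code from the original article: LoginHelper, SignIn, TimeoutMinutes and PersistentDays are hypothetical names, and it assumes .NET 2.0 or later (for HttpCookie.HttpOnly) and that the caller has already verified the user's credentials.

```csharp
// Added example, not from the original article. Assumes .NET 2.0 or later.
using System;
using System.Web;
using System.Web.Security;

public static class LoginHelper // hypothetical helper name
{
    // Assumed to mirror <forms timeout="..."> in Web.config (minutes).
    private const int TimeoutMinutes = 30;
    // Assumed cap for persistent logins, instead of a 50-year Expires.
    private const int PersistentDays = 14;

    // Call only after the application has verified the user's credentials.
    public static void SignIn(HttpContext context, string userName,
                              bool persistent, string userData)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = persistent
            ? issued.AddDays(PersistentDays)
            : issued.AddMinutes(TimeoutMinutes);

        // All seven ticket properties are supplied explicitly.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                    // Version
            userName,                             // Name
            issued,                               // IssueDate
            expires,                              // Expiration
            persistent,                           // IsPersistent
            userData ?? String.Empty,             // UserData (application-defined)
            FormsAuthentication.FormsCookiePath); // CookiePath from Web.config

        // Encrypt the ticket into the string that becomes the cookie value.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie =
            new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = ticket.CookiePath;
        cookie.HttpOnly = true; // keep the ticket out of reach of client script
        cookie.Secure = context.Request.IsSecureConnection; // HTTPS-only if login used HTTPS
        if (persistent)
            cookie.Expires = ticket.Expiration; // otherwise leave Expires unset (session cookie)

        context.Response.Cookies.Add(cookie);

        // Return to the page the user originally requested.
        context.Response.Redirect(
            FormsAuthentication.GetRedirectUrl(userName, persistent));
    }
}
```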

(3) The timeout and path attributes of the <forms> element supply the expiration time and the default path for the authentication ticket written to the cookie.

After these steps, the forms-based authentication process is complete. Forms-based authentication is very flexible in use and allows management according to the user's identity, including role-based management of user rights. In the following section, we cover Windows-based authentication.

The following example demonstrates how to use forms authentication to implement ASP.NET security control. The example is built in the Myfirst application that we created earlier, which contains two Web forms: index.aspx, the default home page, and Login.aspx, the page through which the user logs on to the system.

The first is the Web.config configuration file, as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <!-- debug="true" is a development setting; use debug="false" in production. -->
        <compilation defaultLanguage="vb" debug="true"/>
        <customErrors mode="RemoteOnly"/>
        <authentication mode="Forms">
            <!-- The timeout value is missing from the source text; 30 (minutes) is the ASP.NET default. -->
            <forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="30"></forms>
        </authentication>
        <authorization>
            <!-- Deny the user admin2, then deny all anonymous (unauthenticated) users. -->
            <deny users="admin2"/>
            <deny users="?"/>
        </authorization>
        <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
        <sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
        />
        <globalization requestEncoding="utf-8" responseEncoding="utf-8"/>
    </system.web>
</configuration>

The HTML code for index.aspx is as follows:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Index.aspx.vb" Inherits="Myfirst.webform2" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
    <HEAD>
        <title>Authentication example based on Web Forms</title>
        <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
        <meta content="Visual Basic .NET 7.1" name="CODE_LANGUAGE">
        <meta content="JavaScript" name="vs_defaultClientScript">
        <meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
    </HEAD>
    <body MS_POSITIONING="GridLayout">
        <form id="Form1" method="post" runat="server">
            <font face="Song Body">
                <asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 112px; POSITION: absolute; TOP: 72px" runat="server"
                    Text="Delete Cookies"></asp:Button>
            </font>
        </form>
    </body>
</HTML>
