ASP.NET security questions - Forms authentication (later) - Practice


 

ASP.NET security question - Forms authentication practice

After the previous articles, you should have a working understanding of Forms authentication and of the concepts of Identity, IPrincipal, and the authentication ticket. The earlier examples never tied authentication to a database; this article shows how to do that in code. The code also touches on some role authorization issues.
 
Today's topic is as follows:




 

First, let's assume that the user has opened our home page, Default.aspx, but some resources can only be viewed by logged-in users. To view these resources, the user needs to log on. This user already has an account. (The main topic of this article is authentication. How the user account gets created is not our concern here; there are many ways to do it, such as inserting a row into the database directly.)
 
The process is as follows:
1. User logon: the user enters the user name and password in the input boxes.
2. The user clicks "Log on", and the server checks whether the user exists in the database.
3. If the user exists, the server code creates an authentication ticket, stores it in a cookie, and sends it to the client's browser.
4. If the user already has a verified cookie, the page jumps to the page the user previously requested.
 
 

Database preparation

Now for the details.
First, create a database, and in it a user information table named Login. The table has three fields: UserName, UserPassword, and userRole (you can create more fields; this is only a demonstration that you can extend). As for the data in the table, insert a few rows of your own.
 

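Because we often need to verify the user, we write the user verification code as a method in the Helpers.cs class under the App_Code directory.
The code is as follows:

    // Helpers.cs (needs using System.Configuration; using System.Data.SqlClient;).
    // The signature and SQL text did not survive in this copy of the article; the method
    // name CheckUser and the query are reconstructed from the Login table described above.
    public static bool CheckUser(string username, string password)
    {
        using (SqlConnection con = new SqlConnection())
        using (SqlCommand com = new SqlCommand())
        {
            con.ConnectionString = ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
            com.Connection = con;
            com.CommandText = "SELECT COUNT(*) FROM Login WHERE UserName = @Username AND UserPassword = @Password";
            com.Parameters.AddWithValue("@Username", username);
            com.Parameters.AddWithValue("@Password", password);
            con.Open();
            return (int)com.ExecuteScalar() > 0;
        }   // disposing the connection closes it
    }

Then we create a login page, Login.aspx, and put two TextBox controls on it for the user to enter the user name and password, plus a button to log on. Back in Helpers.cs, add another method to obtain the role of the user:

    // Method name and SQL text reconstructed in the same way as for CheckUser.
    public static string GetRole(string username)
    {
        using (SqlConnection con = new SqlConnection())
        using (SqlCommand com = new SqlCommand())
        {
            con.ConnectionString = ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
            com.Connection = con;
            com.CommandText = "SELECT userRole FROM Login WHERE UserName = @Username";
            com.Parameters.AddWithValue("@Username", username);
            con.Open();
            return com.ExecuteScalar() as string;   // null when there is no such user
        }
    }

To enable Forms authentication, we also need the configuration in the web.config file, as shown below:

Anonymous users are not allowed to access our website:

Then we write the code behind the Login button on Login.aspx. The basic idea is as follows: verify whether the user exists; if so, obtain the user's role, create the authentication ticket and the cookie, and send the cookie to the client's browser. The code is commented, and with the basics from the previous articles it should be easy to follow.

    // Login.aspx.cs (needs using System; using System.Web; using System.Web.Security;).
    // Only UserName.Text, DateTime.Now and the AddSeconds call survive in this copy; the handler
    // name, the Password control and the remaining arguments are reconstructed from the text.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Helpers.CheckUser(UserName.Text, Password.Text))
        {
            string role = Helpers.GetRole(UserName.Text) ?? string.Empty;
            // Arguments: version, name, issue time, expiry, persistent, user data (the role).
            // The original number of seconds is cut off; the configured forms timeout is used.
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, UserName.Text, DateTime.Now,
                DateTime.Now.AddSeconds(FormsAuthentication.Timeout.TotalSeconds), false, role);
            string encryptedTicket = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            cookie.HttpOnly = true;   // keep the ticket away from page script
            Response.Cookies.Add(cookie);
            // Go back to the page the user originally requested.
            Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
        }
    }

Okay. Now, if we enter the correct user name and password, the browser will hold the authentication cookie, and the page immediately switches from Login.aspx to Default.aspx. Let's walk through what happens during that switch.
During the jump from Login.aspx to Default.aspx, we are in fact requesting the Default.aspx page. The request is processed just like the earlier ones: it goes through the ASP.NET runtime. This time, however, the browser already has the authentication cookie. When the ASP.NET runtime handles the Application_AuthenticateRequest event, we need to parse our cookie. In fact, the same event code also ran before we logged on, but at that time it did not find the cookie.
In the code of the Application_AuthenticateRequest event, the cookie is parsed, the user's identity is identified, and the user's identity information is saved, as follows:

    // Global.asax (needs using System; System.Security.Principal; System.Web; System.Web.Security).
    // Lines missing from this copy are reconstructed around the surviving Decrypt and Context.User calls.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            string encryptedTicket = cookie.Value;
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encryptedTicket);
            if (ticket == null || ticket.Expired) return;   // Decrypt does not reject expired tickets
            string[] roles = new string[] { ticket.UserData };   // the role stored at login
            IPrincipal user = new GenericPrincipal(new FormsIdentity(ticket), roles);
            app.Context.User = user;
        }
    }

We can see the last line of code: app.Context.User = user; stores the user's identity and role information in the User property.
On the page, we can use the following method to determine whether the user has logged on:
Use the following method to determine whether a user belongs to a role: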
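The two checks described above, as an added example (the article's own snippets are missing from this copy, so this is not the author's code): a console program that builds the same kind of principal that Application_AuthenticateRequest assigns to Context.User and runs both checks against it. The class and method names, the user "alice" and the role "Admin" are constructed for illustration; on a page the same calls are made on the page's User property.

```csharp
using System;
using System.Security.Principal;

static class PrincipalChecks
{
    // Same shape as the principal assigned to Context.User in Application_AuthenticateRequest:
    // the ticket name becomes the identity and the UserData role becomes the role list.
    // GenericIdentity stands in for FormsIdentity so the sample runs outside ASP.NET.
    static IPrincipal BuildPrincipal(string ticketName, string ticketUserData)
    {
        IIdentity identity = new GenericIdentity(ticketName ?? string.Empty, "Forms");
        string[] roles = string.IsNullOrEmpty(ticketUserData)
            ? new string[0]
            : new string[] { ticketUserData };
        return new GenericPrincipal(identity, roles);
    }

    // Has the user logged on? An identity with an empty name counts as anonymous.
    static bool IsLoggedOn(IPrincipal user)
    {
        return user != null && user.Identity != null && user.Identity.IsAuthenticated;
    }

    // Does the user belong to the role? Anonymous users never do.
    static bool IsInRole(IPrincipal user, string role)
    {
        return IsLoggedOn(user) && user.IsInRole(role);
    }

    static void Main()
    {
        IPrincipal alice = BuildPrincipal("alice", "Admin");   // constructed sample values
        IPrincipal anonymous = BuildPrincipal(null, null);     // request without a ticket

        Console.WriteLine("alice logged on:     " + IsLoggedOn(alice));
        Console.WriteLine("alice in Admin:      " + IsInRole(alice, "Admin"));
        Console.WriteLine("alice in Editor:     " + IsInRole(alice, "Editor"));
        Console.WriteLine("anonymous logged on: " + IsLoggedOn(anonymous));
        Console.WriteLine("anonymous in Admin:  " + IsInRole(anonymous, "Admin"));
    }
}
```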
Source: http://www.cnblogs.com/yanyangtian/archive/2009/06/01/1493722.html
