ASP.NET form-based authentication for secure online access and management (1)

Source: Internet
Author: User

 

When is it used?

For example, an ASP.NET program has an admin folder dedicated to online management (such as back-end data maintenance). Ordinary visitors must not be able to access any of the files in it; only authenticated users may. Under the previous ASP practice, the login page sets a session (cookie) value once the user logs in to record whether the user has passed verification, and every page file in the admin folder must then carry its own authentication statement, which is not safe. This is where form-based authentication, one of ASP.NET's four authentication methods, comes in handy: you only need to place a web.config file containing a few lines in the admin folder.

How to use it?

You can read the introduction in the book ASP.NET Advanced Programming, published by Wrox. However, I have a commonly used method here.
The file directory is:
+ Bin
+ Admin
  - *.aspx
  - Web.config // web.config in the admin folder
Login.aspx
Web.config // web.config in the root directory

1. Configure web.config in the root directory

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="Mycookiename" loginUrl="Login.aspx" protection="All" timeout="30">
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

2. Configure web.config in the admin folder

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

3. Login.aspx configuration
This page is the login verification page:

<form runat="server">
  <asp:TextBox ID="TextName" runat="server" /> Account
  <asp:TextBox ID="TextPassword" TextMode="Password" runat="server" /> Password
  <asp:CheckBox ID="MyCheckBox" runat="server" /> Remember the password and log on permanently
  <asp:Button runat="server" OnClick="BtnLoginClick" Text="Login" />
</form>

 

Process event 1 (when the user clicks the login button)

void BtnLoginClick(Object sender, EventArgs e)
{
    // ValidateUser is a placeholder for your own verification routine, for example
    // a DLL placed in the bin directory that verifies the user and returns a bool.
    if (ValidateUser(TextName.Text, TextPassword.Text))
    {
        // Stores the cookie that marks the user TextName.Text as verified, so the admin
        // folder can be accessed. If the "log on permanently" checkbox is checked, the
        // cookie can stay valid for up to 50 years (the default lifetime is that of the
        // browser session).
        FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked);
        // From here on, the admin folder can be accessed without interruption.
        Response.Redirect("Admin");
    }
}

Process event 2 (when the user has already passed verification, there is no need to re-enter the password when accessing Login.aspx)
Forms authentication completes this automatically; it is equivalent to:

void Page_Load(Object sender, EventArgs e)
{
    if (Context.User.Identity.IsAuthenticated) Response.Redirect("Admin");
}

4. Logout:
Use FormsAuthentication.SignOut();

In fact, the above solution is not a safe solution, but a practical, simple, and secure verification solution.
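
The login handler from step 3 with a bounded "remember me" lifetime, added here as an example (it is not the article's code): it issues the forms ticket explicitly so the persistent cookie expires after a fixed period, marks the cookie HttpOnly, and follows ReturnUrl only when it is a local path. It assumes .NET Framework 2.0 or later with a code-behind class for Login.aspx; ValidateUser, IsLocalPath and the 14-day lifetime are hypothetical.

```csharp
// Added example: control IDs follow Login.aspx above; helper names are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Upper bound for "remember me"; 14 days is an assumed policy value.
    static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(14);
    static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30); // timeout="30"

    protected void BtnLoginClick(object sender, EventArgs e)
    {
        if (!ValidateUser(TextName.Text, TextPassword.Text)) return;

        bool persistent = MyCheckBox.Checked;
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, TextName.Text, now,
            now.Add(persistent ? RememberMeLifetime : SessionLifetime),
            persistent, string.Empty, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true; // not readable from client-side script
        cookie.Secure = FormsAuthentication.RequireSSL || Request.IsSecureConnection;
        if (persistent) cookie.Expires = ticket.Expiration; // else a session cookie
        Response.Cookies.Add(cookie);

        // Follow ReturnUrl only when it points inside this site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalPath(returnUrl) ? returnUrl : ResolveUrl("~/Admin/"));
    }

    static bool IsLocalPath(string url)
    {
        // Accept "/path" but reject "//host" and "/\host", which browsers treat as absolute.
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }

    static bool ValidateUser(string name, string password)
    {
        // Hypothetical placeholder: call your own credential check here; fails closed.
        return false;
    }
}
```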
