ASP. NET Forms Verification

ASP. NET Forms authentication

User verification is a required module for each project. Because it has not been met for a long time, today, a blank mind is written for user verification. As a result, I had a discussion with a colleague. At night, I decided to record the results of the discussion for later needs. There are several methods for user authentication in ASP. NET: Windows authentication, Forms authentication, and Passport authentication. Of course, users can also customize and verify methods, and Forms verification is the most commonly used method. This is also the verification method to be discussed today.

For ASP. NET Forms authentication, you must first configure the web. config file and configure the authentication node as Forms authentication, which is Windows authentication by default. When modifying the configuration file, pay attention to the Case sensitivity. Because the XML file is case sensitive, the modified authentication node is shown below, which also contains some form configuration parameters.

 
 

  
  
<authenticationmodeauthenticationmode="Forms"> 
  
  
<forms 
  
  
protection="All" 
  
  
timeout="20" 
  
  
name=".XDOTNET" 
  
  
loginUrl="SignIn.aspx" 
  
  
defaultUrl="Default.aspx" 
  
  
path="/" 
  
  
requireSSL="false" 
  
  
enableCrossAppRedirects="false" 
  
  
> 
  
  
</forms> 
  
  
</authentication> 
 
 

The attributes of forms nodes will be used later to introduce the relevant members of the FormsAuthetication class. User verification, as its name implies, verifies the rationality of a user. When a user logs on to a website, it verifies that the entered user name and password are consistent with the data stored in the database. In fact, it is very simple, there is a fast method, this verification method is very suitable for the background management verification, because when we close the browser, the verification will become invalid.

 
 

  
  
publicstaticboolValidUser(stringuserName,stringpassword)  
  
  
{  
  
  
if(!string.IsNullOrEmpty(userName)&&!string.IsNullOrEmpty(password))  
  
  
{  
  
  
password=FormsAuthentication.HashPasswordForStoringInConfigFile(password,"MD5");  
  
  
stringrealPassword=Users.GetUser(userName).Password;  
  
  
if(string.Compare(password,realPassword,true)==0)  
  
  
{  
  
  
FormsAuthentication.SetAuthCookie(userName,false);  
  
  
returntrue;  
  
  
}  
  
  
}  
  
  
returnfalse;  
  
  
} 
 
 

The above method can verify the data verification of the Password encrypted with 32-bit MD5. The Users. GetUser (string) method is to obtain the user instance from the database by using the user name. When the user is reasonable, an authentication ticket will be created for the user using the FormsAuthentication. SetAuthCookie method) and added to the Cookie set or URLcookieless of the response ). In this way, the user authentication process is implemented. How can we get the user verification? Microsoft keeps encapsulating programs and making them foolish. Of course, it is very easy to get the current user to pass the verification. The Code is as follows:

 
 

  
  
public static bool IsAuthenticated()   
  
  
{  
  
  
return HttpContext.Current.User.Identity.IsAuthenticated;  
  
  
} 
 
 

Is it easy? When the user only needs to manage the verification in the background) The verification is okay as long as the two steps are taken. When the user logs on, such as calling the ValidUser method, when loading the page, the IsAuthenticated method is used to determine whether the current user has passed verification. Such a user verification module is complete, but in the modern network, users are quite valuable, and every website wants to retain a lot of users; sometimes some items can only be viewed by Members, and so on. This requires better verification. After closing the browser, the user is still in the verified status for a specific period of time. In this case, you need to operate and set the authentication ticket FormsAuthenticationTicket. The Code is as follows:

 
 

  
  
Public static bool ValidUser (string userName, string password)
  
  
{
  
  
If (! String. IsNullOrEmpty (userName )&&! String. IsNullOrEmpty (password ))
  
  
{
  
  
Password=FormsAuthentication. HashPasswordForStoringInConfigFile (password, "MD5 ");
  
  
StringRealPassword=Users. GetUser (userName). Password;
  
  
If (string. Compare (password, realPassword, true) = 0)
  
  
{
  
  
FormsAuthenticationTicketTicket=NewFormsAuthenticationTicket (1,
  
  
UserName,
  
  
DateTime. Now,
  
  
DateTime. Now. AddMinutes (20 ),
  
  
False,
  
  
Null // You can split Roles into strings by "," and write them into cookies.
  
  
);
  
  
StringData=FormsAuthentication. Encrypt (ticket );
  
  
HttpCookieCookie=NewHttpCookie (FormsAuthentication. FormsCookieName, data );
  
  
Cookie. Path=FormsAuthentication. FormsCookiePath;
  
  
Cookie. Domain=FormsAuthentication. CookieDomain;
  
  
Cookie. Expires=Ticket. Expiration;
  
  
HttpContext. Current. Response. Cookies. Add (cookie );
  
  
Return true;
  
  
}
  
  
}
  
  
Return false;
  
  
}
 
 

The FormsCookiePath and CookieDomain in the Code are obtained from the configuration file. Other FormsAuthentication members can access MSDN (FormsAuthentication ). We can also use the HttpContext. Current. User object to determine the Current User's status, or use the IsInRole method to determine the User's role. After verifying the User, add the User to the User object of the current request in the Http context HttpContext. The Code is as follows:

 
 

  
  
FormsIdentity identity = new FormsIdentity(ticket);  
  
  
GenericPrincipal user = new GenericPrincipal(identity, new string[] { });  
  
  
HttpContext.Current.User = user; 
 
 

This completes the entire process of ASP. NET Forms authentication. As for checking the user's Cookie to determine whether the user has a record status such as record 1 month, 1 day, 1 year, etc.), you can judge and write it in the pipeline, and I will not go into details here. OK. Because of the time, record this. If there is any error or better method, please point it out. Thank you.

1. Analysis of Theme functions in ASP. NET development skills
2. ASP. NET Dynamic Compilation
3. Analysis on ASP. NET supported by Apache
4. Introduction to ASP. NET Server standard controls
5. Analysis on SQL Server Database Backup Recovery in ASP. NET