(1) Basic knowledge about "permission verification":
We often notice the following behaviour: in some forums we can view other people's posts, but clicking Reply does not take us to a reply page; it takes us to a Login.aspx page instead. If you do not know that ASP.NET already has a built-in feature for conveniently detecting anonymous users, you will usually use Session to record the logon state. The simple code usually looks like this:
- First, write a class that inherits directly from System.Web.UI.Page, then code it as follows:
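public partial class RegisterRequired : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // No "username" in Session means the visitor has not logged on yet.
        if (Session["username"] == null)
        {
            // Send the visitor to the logon page and remember where they came from.
            Response.Redirect("Login.aspx?FromUrl=" + Server.UrlEncode(Request.Url.AbsoluteUri));
        }
    }
}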
- Then make each page that needs verification inherit directly from RegisterRequired, write the verification logic on the Login page, and after a successful logon simply call: Response.Redirect(Request["FromUrl"]);
This certainly works, but you have to specify things such as the redirection again and again. By comparison, Microsoft has abstracted this into a class called FormsAuthentication, which is used to issue credentials (to verify whether the current client is anonymous or logged on). This class uses cookies for verification.
1) First, you must configure the <system.web> node in Web.config:
<authentication mode="Forms">
    <forms name="Cookie Name" timeout="60" cookieless="AutoDetect" slidingExpiration="true" loginUrl="Login.aspx" />
</authentication>
This is usually all we need to set. The main parameters are explained one by one below:
- name: the Cookie name, which can be customized.
- timeout: specifies when the Cookie expires. If the Cookie has expired (that is, more than the timeout interval has passed since you last requested a page and you then go to a page that does not allow anonymous users), you are sent back to the page specified by loginUrl and asked to log on again. Unit: seconds.
- cookieless: the Cookie mode (automatic detection is recommended in case some users have disabled cookies; in that case the Cookie is embedded into the address bar as a string).
- slidingExpiration: sets how the Cookie expires:
If it is true, then as long as the user keeps browsing pages, the Cookie's timer restarts from the time of the latest request (for example, if you define 30 and request a page at the 29th second, the Cookie starts timing again from 0 seconds and does not expire until another 30 seconds have passed).
If it is false, the site can only be browsed within the specified number of seconds; once that is exceeded, the user is automatically redirected (true is recommended).
- loginUrl: if a visitor without a Cookie (an anonymous user) requests a page that anonymous users are not allowed to access, the visitor is automatically redirected to this logon page and forced to log on to obtain the Cookie.
2) After completing these operations, you must also specify, in the <system.web> node, which pages do (or do not) allow anonymous access:
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
This definition means that all pages in the same directory as this Web.config require the credential (Cookie) before they can be accessed ("*" represents any user, "?" represents anonymous users); otherwise the request is redirected straight to the logon page. The rules are evaluated from top to bottom and the first matching rule decides, so the deny rule for "?" must come before the allow rule for "*".
Generally, the Default.aspx page is open to everyone (it is stored in the root directory of the web application, and the remaining pages are placed in different folders as needed). If you want "anonymous users can access Default.aspx directly, but nothing else", the approach is as follows:
- Do not write an <authorization> section in the web.config that sits in the same directory as Default.aspx.
- Create a web.config in each folder to be verified, and write the <authorization> section there.
If you want to keep the configuration for the pages in all the different folders in the root web.config instead, you can do this:
<location path="Page or folder">
    <system.web>
        <authorization>
            <!-- Rules are matched top to bottom, so deny anonymous users first. -->
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
</location>
3) After completing the preceding steps, you only need to assign the credential (Cookie) to the current user:
if (logonConditionsMet) // determining logon conditions
{
    // ......
    // Arguments: the credential name, and the "cross-browser support" flag (both explained below).
    FormsAuthentication.SetAuthCookie(credentialName, createPersistentCookie);
    if (string.IsNullOrEmpty(Request["ReturnUrl"]))
    {
        Response.Redirect("default page");
    }
    Response.Redirect(Request["ReturnUrl"]);
}
Here is an explanation:
- "Credential name": this should be the user's unique, non-anonymous credential name (preferably the Id or UserName from the Membership feature mentioned later, so that you can read it back directly from User.Identity.Name for subsequent operations).
- "Cross-browser support": specifies whether the same Cookie is used across different browser processes.
- ReturnUrl: the path of a page that anonymous users are not allowed to access. After FormsAuthentication.SetAuthCookie has issued the credential to the current user, the code checks whether ReturnUrl is empty (if it is not empty, it redirects straight to that page; otherwise it redirects to a page you specify).
Of course, if ReturnUrl is definitely not empty, you can do this directly (the arguments are again the credential name and cross-browser support):
FormsAuthentication.RedirectFromLoginPage(credentialName, createPersistentCookie);
In addition to logon, "logout" (SignOut) is also a very useful function. You can call it on your own page like this: FormsAuthentication.SignOut();
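The logon code above redirects to whatever Request["ReturnUrl"] (or FromUrl in the Session-based version) contains, and that value comes from the query string, so a crafted logon link could forward a freshly logged-on user to another site. The following C# is an added example, not code from the original article: it is a hand-written check that only accepts paths inside the current site, and ReturnUrlGuard, IsLocalUrl, SafeTarget and ~/Default.aspx are hypothetical names.

```csharp
using System;

// Added example: decides whether a ReturnUrl / FromUrl query-string value
// may be passed to Response.Redirect after a successful logon.
public static class ReturnUrlGuard
{
    // Hypothetical fallback page (the article's "default page").
    public const string DefaultPage = "~/Default.aspx";

    // Accepts only paths inside this site: "/x" or "~/x". Rejects absolute URLs,
    // scheme-relative "//host", and "/\host", which browsers treat like "//host".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;    // browsers strip tab/CR/LF from URLs

        int start = url.StartsWith("~/", StringComparison.Ordinal) ? 1 : 0;
        if (url[start] != '/') return false;         // must be rooted: no scheme, no host
        if (url.Length == start + 1) return true;    // "/" or "~/"
        char next = url[start + 1];
        return next != '/' && next != '\\';
    }

    // Value to hand to Response.Redirect once SetAuthCookie has been called.
    public static string SafeTarget(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : DefaultPage;
    }

    public static void Main()
    {
        // Constructed sample inputs: two site-local paths, then values that must fall back.
        string[] samples = {
            "/Forum/Reply.aspx?id=42", "~/Members/Profile.aspx", null, "",
            "http://other.example/Login.aspx", "//other.example/", "/\\other.example/"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-34} -> {1}", s ?? "(null)", SafeTarget(s));
    }
}
```

In the logon handler, call Response.Redirect(ReturnUrlGuard.SafeTarget(Request.QueryString["ReturnUrl"])) after FormsAuthentication.SetAuthCookie. For the Session-based FromUrl variant, pass Request.RawUrl rather than Request.Url.AbsoluteUri so that the stored value is a site-local path.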
(2) The Login control in ASP.NET:
ASP.NET actually provides a ready-made Login control, so you do not have to build your own logon control every time. You can write the verification code in Login_Authenticate:
protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
{
    // Judgment condition
    // Must be set; equivalent to SetAuthCookie. The name entered in the UserName
    // text box can then be read directly from User.Identity.Name.
    e.Authenticated = true;
    Response.Redirect(.....);
}
Alternatively, you can set the DestinationPageUrl attribute of Login1 directly, so that after a successful logon the user is automatically sent to the page specified by this attribute.
(3) ASP.NET logout control:
The logon page we usually see works like this: if an anonymous user visits it, a prompt box appears (for entering the user name, password, and other information); after a successful logon, the box shows "Welcome XXX" instead, with a button beneath it for logging out. We can achieve this just by dragging controls, without writing any code:
In addition to the Login control, we also need three controls: LoginView, LoginStatus, and LoginName.
LoginView is not used on its own. It contains two templates: AnonymousTemplate and LoggedInTemplate (RoleGroupTemplate will be discussed later in the role section). We usually place the Login control in the AnonymousTemplate, and in the LoggedInTemplate we put a LoginName (which automatically displays the name after logon) and a LoginStatus control (LogOut status by default); after the user clicks it, the user becomes an anonymous user again.