asp.net
Brief introduction
The ASP developer always solves the authentication problem on its own, but ASP.net already supports the built-in authentication features. In this article, we'll explain how the two have changed in terms of authentication, how it's safer to use FormsAuthentication with less code.
In ASP programming, the workload of an integrated security protocol (for example, Windows NT LAN Manager [NTLM] 's asking/answering authentication protocol), a basic security protocol (meaning plain text), or a security protocol created by itself, is staggering. Form authentication enables developers to store authentication information such as user names, passwords, and so on in Web.config files, and of course, you can use your own original methods, such as databases, XML files, or text files. The biggest advantage of using table authentication is that it allows us to no longer have to programmatically implement state tracking, which is done by asp.net.
Background knowledge of form certification
Form authentication using cookies enables applications to track users during user visits, ASP. NET handles table authentication in a way that is very similar to how it is used in ASP. When a user logs on through a form, a cookie is created to track the activity during the user's visit to the site. If a user requests a secure Web page, but does not log on, the user is booted to the login page. Once the user is authenticated, it is directed to the original requested page.
Standard form authentication settings
- Pages used: Default.aspx, Login.aspx, web.config.
- In the standard method of tabular authentication, all user information is stored in web.config.
- Create a folder with the name standardforms under the root directory of the Internet server.
- Make this folder an application of the Internet Service Manager.
Web.config overview
The Web.config file contains all the configuration settings for the ASP.net application, with the idea that many developers can control the Web application together, rather than being controlled by a system administrator. Of course, there are a lot of options in Web.config, but today we only introduce the options related to table authentication.
Web.config code that uses standard or trust methods
Certification
Attribute description Name: The name of the cookie used for authentication. Tip: If multiple applications want to use FormsAuthentication on the same computer, it's best to use a different name. Path: The path to the cookie. The default "/" Value avoids the case error in the path because the browser is case sensitive on the return cookie. Loginurl: The URL to which the unauthenticated user is booted. Protection: A method used to protect cookie data. The default and recommended value is "All", which is validated and encrypted. The time (in minutes) before the Timeout:cookie ends.
Certificate
Attribute Description Password Format: The format in which passwords are stored, and the available values include clear, SHA1, and MD5. SHA1 and MD5 are the more secure hashing algorithms that enable passwords to be stored in Web.config files. User: Used to store user names and passwords. We can hash the password by running the HashPasswordForStoringInConfigFile function, which we'll demonstrate later.
Authorized
Attribute Description Reject | Allow: This section denies or allows users to access the site.? represents anonymous or unregistered users, * represents all users. In addition, it allows us to grant a user permission to allow or deny access to another user.
Web.config Code
<configuration>
<system.web>
<customerrors mode= "Off"/>
<authentication mode= "Forms" >
<forms name= "Appnameauth" path= "/" Loginurl= "Login.aspx"
protection= "All" timeout= ">"
<credentials passwordformat= "Clear" >
<user name= "Jeff" password= "Test"/>
<user name= "Mike" password= "test"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users= "?"/>
</authorization>
</system.web>
</configuration>
Web.config details
In the web.config above, we have several options configured.
The authentication
Configuration section's Mode property sets the authentication mode for the table, and in the section we specify the Name property as "Appnameauth". You may want to change the name of the cookie to "Hrwebauth". The
needs to keep in mind that if you have more than one application on your computer, it is recommended that you name one for each cookie.
Next, we set the Path property to the root of the application and set the Loginurl property to a Web page with the name loginurl.aspx on the local machine, and of course we can also use https:// secured.sumnurv.com such a URL, set the protection property to the recommended "all", which means that the cookie is not only encrypted but also validated. The
confirms that the algorithm is from the machinekey element in Machine.config, and data validation helps ensure that the cookie's data is not tampered with during transmission. The
Timeout property refers to the time in minutes before a cookie terminates and the user logs on again. In the Credentials section, we add two users and their passwords, and FormsAuthentication will use them to authenticate the user.
Licensing
In the authorization section, we hope that no unauthorized users will be able to access the application. “?” Represents an anonymous user, so we set a deny flag for all anonymous users.
login.aspx Overview
The authentication logic for all users is done here. If you want to validate a user's certificate based on Web.config, XML, or text files, or a database, then the validation work is done here. The following example verifies the user's certificate according to Web.config.
login.aspx Code
/forms>
<% @Page language= "VB"%>
<% @Import namespace= "System.Web.Security"%>
<script language= "VB" runat= "Server" >
Sub ProcessLogin (Objsender as Object, Objargs as EventArgs)
If formsauthentication.authenticate (Txtuser.text, txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage (Txtuser.text, chkpersistlogin.checked)
Else
errormessage.innerhtml = "<b>something went wrong...</b> please
Re-enter your credentials ... "
End If
End Sub
</script>
<title>standard Forms Authentication Login form</title>
<body bgcolor= "#FFFFFF" text= "#000000" >
<form runat= "Server" >
<table width= "border=" 0 "cellspacing=" 0 "
cellpadding= "0" >
<tr>
<TD width= ">username": </td>
<TD width= "Ten" > </td>
<td><asp:textbox id= "Txtuser" width= "" runat= "Server"/></td>
</tr>
<tr>
<td>password: </td>
<TD width= "Ten" > </td>
<td><asp:textbox id= "Txtpassword" width= "textmode=" Password "
runat= "Server"/></td>
</tr>
<tr>
<tr>
<td></td>
<TD width= "Ten" > </td>
<td><asp:checkbox id= "Chkpersistlogin" runat= "Server"
/>remember my Credentials
</td>
</tr>
<tr>
<td> </td>
<TD width= "Ten" > </td>
<td><asp:button id= "Cmdlogin"
text= "Login" runat= "Server"/></td>
</tr>
</table>
<div id= "errormessage" runat= "Server"/>
</form>
</body>
A detailed explanation of Login.aspx
Because of the need for authentication, the System.Web.Security namespace is referenced in the above code, and FormsAuthentication is a class in the System.Web.Security name space. In this example, we used a text box with a username and password, a password input field, and a check box to make it easy for users to use a permanent cookie set. The Submit button has an OnClick event that executes a subroutine named ProcessLogin. Inside the ProcessLogin, we performed the Authenticate method of the FormsAuthentication class, with the username and password being two parameters. This method checks for trust-like tokens in Web.config files based on user names and parameters. If they match, we execute the RedirectFromLoginPage method, which writes a cookie to the user's machine, tracks the user's behavior, and ensures that the user is authenticated, and if it does not, an error occurs and notifies the user.
Default.aspx overview
This is the page that the user requests or the strategy accesses. In this case, we will display the authenticated user and the authentication type.
Default.aspx Code
<% @Page language= "VB"%>
<% @Import namespace= "System.Web.Security"%>
<script language= "VB" runat= "Server" >
Sub SignOut (Objsender as Object, Objargs as EventArgs)
Delete the users auth cookies and sign out
FormsAuthentication.SignOut ()
Redirect the user to their referring page
Response.Redirect (Request.UrlReferrer.ToString ())
End Sub
Sub Page_Load ()
Verify authentication
If User.Identity.IsAuthenticated Then
Display credential information
displaycredentials.innerhtml = "Current User: <b>" & User.Identity.Name
& "</b>" & _
"Authentication Used: <b>" & User.Identity.AuthenticationType
& "</b>"
Else
Display Error Message
displaycredentials.innerhtml = "Sorry, have not been authenticated."
End If
End Sub
</script>
<title>forms authentication</title>
<body bgcolor= "#FFFFFF" text= "#000000" >
<span class= "Header" >forms Based authentication using standard
Method</span>
<div id= "displaycredentials" runat= "Server"/>
<form runat= "Server" >
<asp:button id= "Cmdsignout" text= "Sign Out" runat= "Server"
/>
</form>
</body>
Because of the need for some of these methods and properties, here I used the System.Web.Security namespace again. The Space page contains a simple div element and an INPUT element that runs a subroutine that deletes the user's cookie. In the Page_Load event, we use the User.Identity.IsAuthenticated property to check whether the user has been authenticated, and the Boolean value returned indicates whether the user passed the authentication. If the user passes the authentication, we want to return the user's name and the authentication method used. Using the User.Identity.Name property, we can get the user's name, Identity.authenticationtype return the authentication method used. We also used a signout process that allows users to leave the site and remove cookies from the user's computer, and it can even delete some permanent cookies.
Conclusion
Through this article, I hope that the broad masses of readers will be able to form certification and how to use it has a basic understanding of the asp.net in the security of the ASP made improvements.