ASP.NET Security Authentication (I): How to Use Forms Authentication

Source: Internet
Author: User

After writing code for so long, I always want to write about something else. While consolidating two projects I implemented single sign-on (Single Sign On). After consulting the relevant documentation I finally got it working, and now I am sharing it with you. Some people may ask: "Isn't this inconsistent with the title?" Don't worry: before I write about that, I want to go over some of the problems I had when I was using Forms authentication, and some of the techniques I picked up along the way ^_^. My language skills were not great back in junior high school, so my writing level is limited; please bear with me. My programming ability is not very good either. This article is for learning and exchange, and everyone is welcome to comment, whether carrying eggs or holding flowers. If you reproduce it, please indicate that the original author is cold feather maple. Many thanks!

Enough chatter; on to the subject. ASP.NET security authentication has four authentication modes in total: "Windows", "Forms", "Passport" and "None". "Windows" and "None" do not have a protective effect and are not recommended; "Passport" I have never used, alas ... So I can only talk about "Forms" authentication. I intend to divide it into three parts:

Part one: how to implement Forms authentication;

Part two: Forms authentication in practical use;

Part three: implementing single sign-on (Single Sign On).

Part One: How to Use Forms Authentication

I. Create a new test project

To illustrate things better, we need a new test project (call it "FormTest" for now). Three pages are sufficient: Default.aspx, Login.aspx and UserInfo.aspx. What? Someone does not know how to create a new project or add pages? You are asking me what to do? I think the best thing to do is: drag them out, send them back, and have them start learning from kindergarten ...

II. Modify Web.config

1. Double-click Web.config in the project (no, you cannot fail to find it).

2. Find the following text, <authentication mode="Windows"/>, and change it to:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXAUTH"></forms>
</authentication>

3. Find <authorization><allow users="*"/></authorization> and replace it with:

<authorization><deny users="?"></deny></authorization>

There is nothing much to explain here; just copy it over. However, some people get it wrong, as follows:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".APSX"></forms>
    <deny users="?"></deny>
</authentication>

If you ask who put <deny users="?"></deny> inside <authentication>, I am honored to tell you that it was me, N years ago: <authentication> and <authorization> both begin with the letters "auth" and end with "ation", so similar that I thought they belonged together.
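A check for the mix-up described above, as an added example that is not part of the original article: it parses a Web.config and reports access rules placed under <authentication>, as well as an <authorization> section that does not deny anonymous users. The class name FormsAuthConfigCheck is hypothetical, the sample config is constructed, and the code assumes a Web.config without an XML namespace and ignores roles and verbs attributes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class FormsAuthConfigCheck   // hypothetical name, added example
{
    static IEnumerable<string> Users(XElement rule) =>
        ((string)rule.Attribute("users") ?? "").Split(',').Select(u => u.Trim());

    // Returns findings; an empty list means every check passed.
    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        XElement sw = XDocument.Parse(webConfigXml).Root?.Element("system.web");
        if (sw == null) { findings.Add("no <system.web> section"); return findings; }

        XElement authn = sw.Element("authentication");
        if ((string)authn?.Attribute("mode") != "Forms")
            findings.Add("<authentication mode> is not \"Forms\"");
        if (authn?.Element("forms")?.Attribute("loginUrl") == null)
            findings.Add("<forms loginUrl=\"...\"> is missing");
        // The mix-up from the article: access rules placed under <authentication>.
        if (authn != null && authn.Elements().Any(e => e.Name == "allow" || e.Name == "deny"))
            findings.Add("<allow>/<deny> found inside <authentication>; move to <authorization>");

        // Rules are evaluated top-down and the first match wins, so the first
        // rule that matches an anonymous user ("?" or "*") must be a <deny>.
        XElement first = sw.Element("authorization")?.Elements()
            .FirstOrDefault(r => Users(r).Any(u => u == "?" || u == "*"));
        if (first == null || first.Name != "deny")
            findings.Add("anonymous users are not denied by <authorization>");
        return findings;
    }

    static void Main()
    {
        // Constructed sample: the mistaken layout shown above.
        const string mistaken = @"<configuration><system.web>
  <authentication mode=""Forms"">
    <forms loginUrl=""Login.aspx"" name="".APSX""></forms>
    <deny users=""?""></deny>
  </authentication>
</system.web></configuration>";
        foreach (string f in Check(mistaken)) Console.WriteLine("FAIL: " + f);
    }
}
```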

III. Write the .cs code: login and logout

1. Login code:

a. The one the books introduce:

private void Btn_Login_Click(object sender, System.EventArgs e)
{
    // Demo check against fixed credentials
    if (this.Txt_UserName.Text == "Admin" && this.Txt_Password.Text == "123456")
    {
        // Issue a non-persistent authentication cookie and return to the requested page
        System.Web.Security.FormsAuthentication.RedirectFromLoginPage(this.Txt_UserName.Text, false);
    }
}

b. The one I found after searching for a long time:

private void Btn_Login_Click(object sender, System.EventArgs e)
{
    // Demo check against fixed credentials
    if (this.Txt_UserName.Text == "Admin" && this.Txt_Password.Text == "123456")
    {
        // Issue a non-persistent authentication cookie only
        System.Web.Security.FormsAuthentication.SetAuthCookie(this.Txt_UserName.Text, false);
        // The target page is chosen by the programmer
        Response.Redirect("default.aspx");
    }
}

Both of the above issue the authentication cookie, that is, the user passes validation. The difference:

Method a) returns to the originally requested page after validation, commonly known as "go back to where you came from". For example: a user who has not logged in enters http://localhost/FormTest/UserInfo.aspx directly in the IE address bar; what the user then sees is Login.aspx?ReturnUrl=UserInfo.aspx. After entering the user name and password and logging in successfully, the system returns to the corresponding page according to the "ReturnUrl" value.

Method b) takes two steps: after validation it issues the cookie directly, and the page to jump to is specified by the programmer. This method is practical for systems whose Default.aspx uses a frame structure.
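When method b) is combined with the "go back to where you came from" behaviour of method a), the ReturnUrl value arrives in the query string and is request-controlled, so it should be confirmed to be a local path before it is passed to Response.Redirect. The helper below is an added example, not code from the original article; the names LocalReturnUrl, IsLocal and SafeTarget are hypothetical, the sample values are constructed, and it assumes ReturnUrl carries an application-absolute path such as /FormTest/UserInfo.aspx.

```csharp
using System;

static class LocalReturnUrl   // hypothetical name, added example
{
    // True only for local paths such as "/FormTest/UserInfo.aspx" or "~/UserInfo.aspx".
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;              // tabs/newlines can disguise a host
        if (url[0] == '~') url = url.Substring(1);            // "~/x" -> "/x"
        if (url.Length == 0 || url[0] != '/') return false;   // schemes, hosts, bare names
        // "//host" and "/\host" are interpreted by browsers as another site.
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    // Page to redirect to after SetAuthCookie: the requested one if local, else the default.
    // In the code-behind: Response.Redirect(
    //     LocalReturnUrl.SafeTarget(Request.QueryString["ReturnUrl"], "default.aspx"));
    public static string SafeTarget(string returnUrl, string defaultUrl)
    {
        return IsLocal(returnUrl) ? returnUrl : defaultUrl;
    }

    static void Main()
    {
        // Constructed ReturnUrl values: two local paths, a missing value, three off-site forms.
        string[] samples = { "/FormTest/UserInfo.aspx", "~/UserInfo.aspx", null,
                             "http://other.example/", "//other.example/", "/\\other.example/" };
        foreach (string s in samples)
            Console.WriteLine("{0,-26} -> {1}", s ?? "(none)", SafeTarget(s, "default.aspx"));
    }
}
```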

2. Logout code:

private void Btn_LogOut_Click(object sender, System.EventArgs e)
{
    // Remove the Forms authentication cookie
    System.Web.Security.FormsAuthentication.SignOut();
}

IV. How to determine whether the user is authenticated and obtain the user's information after authentication

Sometimes, on the same page, you need to determine whether the user is logged in and then render a different layout. Some people like to use the Session to decide; I do not object to that practice, I just want to tell you that there is another way. Look at the following code:

if (User.Identity.IsAuthenticated)
{
    // You have passed authentication; you know what to do here, right?
}

User.Identity also has two other properties, AuthenticationType (the authentication type) and Name (the user name). Pay attention to the Name property: User.Identity.Name returns the first parameter we passed in when validating (via RedirectFromLoginPage or SetAuthCookie), this.Txt_UserName.Text. This parameter is very important and bears on all kinds of ... all kinds of situations. Why do I say that? Wait for the next part ...


