Verifying user credentials against the membership user store with the login controls

Source: Internet
Author: User

For Web sites that use Forms authentication, users log on by visiting the login page and entering their credentials. The system compares the credentials the user entered with the contents of the database. If the credentials are valid, the user is granted a forms authentication ticket, which is a security token that indicates the identity and authenticity of the visitor.
The example in this article shows how the validation work is delegated to the configured membership provider.
One, database preparation and Web.config configuration

If the database was created by aspnet_regsql (running aspnet_regsql.exe automatically generates 11 tables whose names start with aspnet_), you only need to modify the connection string in Web.config. If you want to store user data in your own schema, you need to write your own membership provider. (The default provider points at SQL Server Express, so it has to be overridden by provider name, as in the configuration below.)
    <membership>
      <providers>
        <remove name="AspNetSqlMembershipProvider"/>
        <!-- The values of maxInvalidPasswordAttempts and passwordAttemptWindow are not given here;
             the defaults described below (5 and 10) are shown. -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="pclcomplaintsconnectionstring"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             minRequiredPasswordLength="4"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""/>
      </providers>
    </membership>
enablePasswordReset is set to true, which allows membership to reset the password automatically.
requiresQuestionAndAnswer is set to false, so the password can be reset without answering the password question.
maxInvalidPasswordAttempts specifies the number of invalid password attempts a user is allowed within a period of time; when that number is exceeded, the account is locked out. The default value is 5.
passwordAttemptWindow specifies the time period in minutes; the account is locked if the specified number of invalid login attempts is reached within that period. The default value is 10.
Two, membership verification principle and necessary explanation

SqlMembershipProvider uses the aspnet_Membership_GetPasswordWithFormat stored procedure to obtain the password of the specified user and validates the credentials supplied by the user against it. Recall that SqlMembershipProvider saves the user password in one of three formats: clear text, encrypted, or hashed. The aspnet_Membership_GetPasswordWithFormat stored procedure returns the password in its stored format. For encrypted and hashed passwords, SqlMembershipProvider converts the password value passed to the ValidateUser method into the corresponding encrypted or hashed form and then compares it with the value returned from the database. If the password saved in the database matches the user's input once it has been put into the same format, the user credentials are valid.
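
The hashed-format comparison described above, as an added example that is not part of the original article and is not the provider's own source code. It assumes passwordFormat="Hashed" with SHA1 and a Base64-encoded salt and hash; the class and method names are hypothetical, the sample values are constructed, and the fixed-time comparison is a choice made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not SqlMembershipProvider source code.
// Assumption: PasswordFormat = Hashed with SHA1, salt and hash stored as Base64.
static class HashedPasswordCheck
{
    // Base64( SHA1( salt bytes followed by UTF-16LE password bytes ) )
    public static string Encode(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Re-encode the entered password with the stored salt, then compare every
    // character so the time taken does not depend on where a mismatch occurs.
    public static bool Verify(string entered, string saltBase64, string storedHash)
    {
        string candidate = Encode(entered, saltBase64);
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];
        }
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample row: random 16-byte salt, hash of a sample password.
        byte[] saltBytes = new byte[16];
        RandomNumberGenerator.Create().GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        string stored = Encode("Sample-Passw0rd", salt);

        Console.WriteLine(Verify("Sample-Passw0rd", salt, stored));
        Console.WriteLine(Verify("sample-passw0rd", salt, stored));
    }
}
```

A single salted SHA1 pass is cheap to compute, so the minRequiredPasswordLength and minRequiredNonalphanumericCharacters values in the provider configuration directly affect how well stored hashes resist guessing.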

The Membership class relies on the membership provider to communicate with the data source. The .NET Framework includes a SqlMembershipProvider (which stores user information in a Microsoft SQL Server database) and an ActiveDirectoryMembershipProvider (which allows user information to be stored on Active Directory or Active Directory Application Mode (ADAM) servers). You can also implement a custom membership provider to communicate with other data sources so that they can be used by the Membership class. A custom membership provider inherits from the MembershipProvider abstract class. For more information, see Implementing a membership provider.
Three, build the login page to verify login

Now that the logic has been described, we first build a login page.
The ASP.NET login controls (Login, LoginView, LoginStatus, LoginName, and PasswordRecovery) encapsulate the Membership class and provide a convenient user authentication mechanism.
The Login control automatically validates user-supplied credentials against the user store of the membership framework.
Now create an empty form page, default.aspx, and drag in the Login control.
The Login control also has a property named FailureText that can be used to set your own login failure message. Otherwise, the message built into membership is shown: "Your login attempt is not successful. Please try again".

If you want to customize the response code, there are two ways. The first is to add a handler for the Login1_Authenticate event:

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Your code: set e.Authenticated to the result of your own check, for example
        e.Authenticated = Membership.ValidateUser(Login1.UserName, Login1.Password);
    }

The second is to handle the login button's click event and have the membership framework authenticate the user against the user store:

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Validate the user against the membership framework user store
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Log the user into the site
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
        }

        // If we reach here, the user's credentials were invalid
        InvalidCredentialsMessage.Visible = true;
    }
The code is fairly straightforward. It first calls the Membership.ValidateUser method, passing in the supplied user name and password. If the method returns true, the user is logged in to the Web site through the RedirectFromLoginPage method of the FormsAuthentication class. (As described in the Forms Authentication Overview tutorial, FormsAuthentication.RedirectFromLoginPage creates a forms authentication ticket and then redirects the user to the appropriate page.) If the credentials are invalid, however, the InvalidCredentialsMessage label is displayed, informing the user that the user name or password entered is incorrect.
