ASP.NET security authentication. There are four authentication modes: "Windows", "Forms", "Passport", and "None". "Windows" and "None" do not play a protection role and are not recommended. I have never used "Passport", alas... So I have to talk about "Forms" authentication. I plan to divide it into three parts:
Part 1: How to implement Forms authentication;
Part 2: Practical application of Forms authentication;
Part 3: Single sign-on
Part 1: How to use Forms authentication
1. Create a test project
To make the description easier, we need a test project (call it "formtest" for now) containing three pages (default.aspx, login.aspx, userinfo.aspx). What? Someone doesn't know how to create a project or add a page? What should be done about that? I think it's simple: drag them out, send them back, and have them start again from kindergarten...
2. Modify web.config
1. Double-click web.config in the project (no way, you can't find it?)
2. Find the following text <authentication mode="Windows"/> and change it to:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name=".ASPXAUTH"></forms>
</authentication>
3. Find <authorization><allow users="*"/></authorization> and replace it with:
<authorization><deny users="?"></deny></authorization>
There is nothing to explain here, just copy it. However, some people may make the following mistake:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name=".apsx"></forms>
  <deny users="?"></deny>
</authentication>
If you want to ask who put <deny users="?"></deny> inside <authentication>, I am honored to tell you that it was me, n years ago: <authentication> and <authorization> both start with "auth" and end with "ation". Why? I think they are a pair of English words that just cannot be memorized...
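A small checker for the mistake described above, as an added example that is not part of the original article: it parses a web.config, confirms the mode is Forms, flags an allow/deny rule nested in <authentication>, and reports whether anonymous users ("?") are actually denied in <authorization>. The function name and both sample configurations are constructed for illustration, and the check assumes rules that use only the users attribute (no roles or verbs).

```python
import xml.etree.ElementTree as ET

# Constructed samples: the layout from step 2, and the misplaced <deny> variant.
GOOD = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name=".ASPXAUTH"></forms>
  </authentication>
  <authorization><deny users="?"></deny></authorization>
</system.web></configuration>"""

MISPLACED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name=".apsx"></forms>
    <deny users="?"></deny>
  </authentication>
  <authorization><allow users="*"/></authorization>
</system.web></configuration>"""


def audit_forms_auth(config_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    findings = []

    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    # The mistake described above: an access rule nested in <authentication>.
    if auth is not None and any(c.tag in ("allow", "deny") for c in auth):
        findings.append("allow/deny rule inside <authentication>")

    # Rules are read top-down and the first one that matches decides.
    # "?" is the anonymous user and "*" is every user.
    verdict = None
    authz = next(root.iter("authorization"), None)
    for rule in (authz if authz is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
            verdict = rule.tag
            break
    if verdict != "deny":
        findings.append("anonymous users are not denied")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("MISPLACED", MISPLACED)):
        print(name, audit_forms_auth(text))
```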
3. Write the .cs code: login and logout
1. Login code:
A. The method introduced in books
private void btn_login_Click(object sender, System.EventArgs e)
{
    // Test project only: the user name and password are hard-coded.
    if (this.txt_username.Text == "admin" && this.txt_password.Text == "123456")
    {
        // Issue the authentication cookie and return to the page named in ReturnUrl.
        System.Web.Security.FormsAuthentication.RedirectFromLoginPage(this.txt_username.Text, false);
    }
}
B. The method I found after searching for a long time
private void btn_login_Click(object sender, System.EventArgs e)
{
    // Test project only: the user name and password are hard-coded.
    if (this.txt_username.Text == "admin" && this.txt_password.Text == "123456")
    {
        // Issue the authentication cookie, then redirect to a page chosen by the programmer.
        System.Web.Security.FormsAuthentication.SetAuthCookie(this.txt_username.Text, false);
        Response.Redirect("default.aspx");
    }
}
Both methods issue the authentication cookie once verification succeeds, which means the user has passed authentication. The difference:
Method A) returns to the requested page after verification, commonly known as "go back to where you came from". For example, if the user enters http://localhost/formtest/userinfo.aspx directly in the IE address bar before logging in, the user will see login.aspx?ReturnUrl=userinfo.aspx. After the user name and password are entered, the system returns the corresponding page based on the value of "ReturnUrl".
Method B) takes two steps: after verification passes, the cookie is issued directly, and the page to jump to is designated by the programmer. This method is mostly used in systems where default.aspx uses a frame structure.
2. Logout code:
private void btn_logout_Click(object sender, System.EventArgs e)
{
    // Remove the Forms authentication cookie.
    System.Web.Security.FormsAuthentication.SignOut();
}
4. How to determine whether verification succeeded and obtain the verified user's information
Sometimes, on the same page, you need to determine whether the user has logged in and then display a different layout. Some people like to use the Session to judge, and I do not oppose this practice. Here I just want to tell you there is another method; read the following code:
if (User.Identity.IsAuthenticated)
{
    // You have passed the verification. Do you know what to do?
}