Master simple forms authentication in .NET

Source: Internet
Author: User
Tags: config

In ASP.NET security terminology, there are two very important words: authentication and authorization. The authentication mechanism helps ASP.NET distinguish individual users. Once authentication has run, the authorization mechanism runs and determines whether you are allowed to access the Web page you want to visit.

Of the three types of ASP.NET authentication, two rely on technology outside the Web application itself:

Windows authentication is integrated into the authentication mechanism of the operating system (Windows NT/2000/XP);
Passport authentication requires a Microsoft Passport server.
The third type of authentication mechanism, which you define yourself, is forms authentication. Forms authentication is closely tied to the ASP.NET application. This article focuses on forms authentication.

Simplicity

One of the important advantages of forms authentication is its simplicity. Because of this, it requires only that you follow these steps:

1. Edit the <authentication> and <authorization> elements in Web.config;

2. Create a standard ASPX Web page for users to visit;

3. Create a login page with a user name input box, a password input box, and a submit button;

4. In the submit button's click handler, invoke the Authenticate and RedirectFromLoginPage methods.

Web.config

The <authentication> element in Web.config lets you enable forms authentication in ASP.NET. Its child element <forms> lets you specify which page is the login page. Inside the <forms> element you can optionally add a <credentials> element, which assigns user names and passwords directly, as shown in Table A. Note that because I am explaining the simplest way to set up forms authentication here, I store the user names and passwords in Web.config, which is not good practice.

To authenticate users in the application, you must also take steps to deny access to users who have not been authenticated. This is the job of the <authorization> element. All you need to do is set the users attribute of the <deny> element to "?", as shown in Table A.

Now, if someone tries to access an ASPX Web page that is governed by this Web.config, ASP.NET authenticates the user and decides whether to grant access.

A standard web page

To check whether your authentication setup really works, you should create at least one ASPX Web page. The example in Table B creates a Web page that simply displays the authenticated user name, which proves that authentication is working properly. To test it, request this page directly in your browser. If your authentication system works, you will be taken to the login page described below.

Login page

The simplest login page contains only a user name text box, a password text box, and a button, as shown in Table C. You must write a click event handler for the button that invokes the function that handles authentication.

Table D shows the button's event handler. It uses the FormsAuthentication class in System.Web.Security. First the Authenticate function is invoked and the user name and password are passed to it; .NET compares the user name and password entered against the entries in the Web.config file. If the user name and password are correct, the RedirectFromLoginPage function is invoked.

The parameters in the RedirectFromLoginPage function contain the username and a Boolean value that represents whether the password for the input user name is correct.

After completing these steps, if you try to access the standard page in the browser, you are taken directly to the login page. Until you authenticate successfully, you remain on the login page.

Improvement measures

As I mentioned, you had better not keep your user names and passwords permanently in the Web.config file. You cannot accept new users dynamically that way, and whenever you update Web.config by hand the application restarts, which is likely to cause many errors.

Therefore, you should use a separate file or a database to store the user names and passwords. Once you do this, however, you can no longer call the FormsAuthentication.Authenticate function.

You can also protect the passwords further by hashing them, so that someone with ulterior motives cannot obtain the list of user names and passwords. The HashPasswordForStoringInConfigFile function in the FormsAuthentication class can meet this requirement.
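The login button handler described earlier, adapted to the separate file or database discussed in this section, as an added example (it is not the article's Table D and not code from the original page). It assumes a hypothetical Login.aspx with controls named UserNameBox, PasswordBox and Message, a constructed in-memory store standing in for the database, and salted PBKDF2 (Rfc2898DeriveBytes) swapped in for HashPasswordForStoringInConfigFile, which only produces unsalted SHA1 or MD5 hashes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Login.aspx whose markup declares the TextBox
// controls UserNameBox and PasswordBox and a Label named Message.
public partial class Login : Page
{
    const int Iterations = 100000;   // PBKDF2 work factor (assumed value)

    // Stand-in for the separate file or database: user name -> { salt, hash }.
    static readonly Dictionary<string, byte[][]> Store = BuildSampleStore();

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    static Dictionary<string, byte[][]> BuildSampleStore()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var store = new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);
        store["alice"] = new[] { salt, Derive("constructed-sample-password", salt) };
        return store;
    }

    // Takes the place of FormsAuthentication.Authenticate, which only reads <credentials>.
    static bool Validate(string user, string password)
    {
        byte[][] entry;
        if (!Store.TryGetValue(user, out entry)) return false;
        byte[] actual = Derive(password, entry[0]);
        int diff = 0;                          // compare without an early exit
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ entry[1][i];
        return diff == 0;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Validate(UserNameBox.Text, PasswordBox.Text))
            // Second argument false: do not issue a persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        else
            Message.Text = "Invalid user name or password.";
    }
}
```

Both FormsAuthentication.Authenticate and HashPasswordForStoringInConfigFile were marked obsolete in .NET Framework 4.5, so new code should validate against its own store in this way or use the Membership APIs.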

Fast and safe

With forms authentication, you can create a simple and secure Web application within minutes without adding code to the application's ASPX files. It is a quick and safe way to do it.
