ASP.NET 2.0 Security Controls
I. Introduction
ASP.NET 2.0 ships with several new security controls, found under the Login tab of the Visual Studio Toolbox (see Figure 1). These controls greatly simplify a web developer's work: tasks such as user login, registration and password changes now amount to dragging the appropriate control onto a Web form. In this article I'll show how to use these controls to implement user authentication.
Let's start with three of them: LoginView, LoginStatus and LoginName. First build a Web project in Visual Studio 2005 Beta: start the Visual Studio IDE, click New Web Site on the File menu, and name the project "C:\SecurityControls".
On the Default.aspx Web form, drag and drop a LoginView control. LoginView is a container control: it shows different content depending on whether the current user is logged in.
First, type some text into the LoginView control, as shown in Figure 2, then drag a LoginStatus control into it. This is the control's AnonymousTemplate: its content is displayed before the user has been authenticated. The LoginStatus control renders a "Login" link that sends the user to the login page, and a "Logout" link once the user is authenticated.
On the Smart Tasks menu of the LoginView control, switch the view to "LoggedInTemplate" (see Figure 3).
In this view, type the text shown in Figure 4 into the LoginView control; it is displayed once the user has been authenticated. Then drag a LoginName control into the LoginView control. LoginName displays the user name the user logged in with.
Figure 1. The new security controls in ASP.NET 2.0.
Figure 2. Populating the LoginView control.
Figure 3. Switching the view of the LoginView control.
Figure 4. The text displayed after the user is authenticated.
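As an added example (not the article's own code), here is the markup that the drag-and-drop steps above produce in Default.aspx, written out by hand so that both templates are visible. The control IDs and the link text are my own choices.

```aspx
<%@ Page Language="C#" %>
<!-- Added example, not from the original article: Default.aspx with a
     LoginView whose two templates hold a LoginStatus link and the LoginName. -->
<html>
<body>
  <form id="form1" runat="server">
    <asp:LoginView ID="LoginView1" runat="server">
      <!-- Shown to anonymous users. LoginStatus renders a "Login" link that
           sends the user to the loginUrl configured in Web.config. -->
      <AnonymousTemplate>
        You are not logged in.
        <asp:LoginStatus ID="LoginStatus1" runat="server" LoginText="Login" />
      </AnonymousTemplate>
      <!-- Shown once the user is authenticated. LoginName prints the account
           name; LoginStatus now renders a "Logout" link. LogoutAction="Redirect"
           sends the user back to this page so the anonymous template is
           displayed again after logout. -->
      <LoggedInTemplate>
        Welcome, <asp:LoginName ID="LoginName1" runat="server" FormatString="{0}" />!
        <asp:LoginStatus ID="LoginStatus2" runat="server" LogoutText="Logout"
                         LogoutAction="Redirect" LogoutPageUrl="~/Default.aspx" />
      </LoggedInTemplate>
    </asp:LoginView>
  </form>
</body>
</html>
```

Clicking the "Logout" link makes LoginStatus call FormsAuthentication.SignOut(), which removes the authentication ticket cookie, so the next request renders the AnonymousTemplate again.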
II. Using the Login control
Now add a new Web Form to the project (right-click the project name in Solution Explorer and select "Add New Item...") and name it Login.aspx. Your application will use this form to let users log in.
Note that in ASP.NET 2.0 the default login page is Login.aspx; this default comes from machine.config, and you can confirm it by looking at machine.config.comments.
If you do want a different name for your login page, add the following lines to Web.config. Besides switching the authentication mode to Forms, they change the loginUrl from the default Login.aspx to Authenticate.aspx. Two values here are shown only because the original demonstration used them: protection="Validation" signs the authentication ticket but does not encrypt it, and timeout="999999" minutes (about 694 days) keeps a stolen ticket usable almost indefinitely. For a real application keep the default protection="All" and a short timeout.
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="Authenticate.aspx"
           protection="Validation"
           timeout="999999" />
  </authentication>
...
Figure 5. Apply AutoFormat: applying a formatting scheme to the Login control.
Figure 6. Applying a scheme: the Login control after the color scheme is applied.
Drag a Login control onto Login.aspx. You can apply formatting to the Login control to make it look more professional: click the Login control's Smart Tag and select the "Auto Format..." link (see Figure 5).
After you select the color scheme, the Login control should look like Figure 6.
By default ASP.NET 2.0 uses Windows authentication, which is not flexible enough for Internet users who have no Windows accounts. You should therefore switch the authentication mode from the default Windows mode to forms authentication.
Add a Web.config file to your project (right-click the project name in Solution Explorer, select "Add New Item...", then pick Web Configuration File from the list).
In Web.config, switch from Windows authentication to forms authentication by adding the following lines. With forms authentication you can add users to your Web site without creating Windows accounts for them.
<system.web>
  <authentication mode="Forms" />
...
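The lines above are the minimum. As an added example (not the article's own configuration), the Web.config below shows the complete forms-authentication section with the settings a practitioner would harden. It assumes the site is served over HTTPS, which requireSSL needs; the 30-minute timeout is my choice.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original article: a complete Web.config for
     the SecurityControls project with forms authentication hardened. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is the page the Login control lives on.
           protection="All" (the default) both signs and encrypts the ticket;
           "Validation" alone leaves the user name readable in the cookie.
           timeout is in minutes; slidingExpiration renews it on activity, so a
           short value does not log active users out.
           requireSSL makes the browser send the cookie only over HTTPS
           (assumes the site has a TLS certificate).
           cookieless="UseCookies" stops the ticket from ever being carried in
           the URL, where it would end up in logs and Referer headers. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>
    <!-- Mark all cookies HttpOnly and HTTPS-only so script on the page cannot
         read them and they are never sent in clear text. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```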
III. Adding a new user to your application
Before you test the application, you need to create a user for it. Use the ASP.NET Web Site Administration Tool (WAT): on the Website menu select "ASP.NET Configuration" (see Figure 7).
Figure 7. Web Site Administration Tool: how to start the WAT.
The WAT opens in a new browser window. Click the "Security" link to go to the Security tab (see Figure 8).
Figure 8. WAT: the WAT user interface.
The Security tab lets you create and delete users, and create roles and access rules for your application. Click the "Create User" link to add a new user (see Figure 9).
Figure 9. WAT Security: the Security tab of the WAT, where you manage security features.
Fill in the information for the new account (see Figure 10). Note the default password policy of the SqlMembershipProvider: at least 7 characters, including at least one non-alphanumeric character (punctuation such as ! or #); a password made only of letters and digits is rejected. Click "Create User" to add the user.
Figure 10. Add User: the WAT security screen where you add a new user account.
Now you're ready to test. Select Default.aspx in Solution Explorer and press F5. Click the "Login" link and enter the account's credentials. Once you've logged in successfully, the "Login" link changes to "Logout". Figure 11 shows the sequence.
Figure 11. Login: the three screens of a complete login.
IV. Creating new users
In addition to creating accounts for users yourself, you can let users create their own accounts. This is useful where anyone may sign up to use your application, for example a discussion forum that offers free accounts.
To allow this, use the CreateUserWizard control. Drag it onto Default.aspx and apply the color scheme; the control should look like Figure 12.
Figure 12. CreateUserWizard control: lets users create their own accounts.
To test, press F5. You can now create a new user account yourself (see Figure 14): provide the required information and click "Create User". After the user is created you'll see the screen shown in Figure 15.
Figure 14. Creating a user: a user creating a new account.
Figure 15. Account created: the screen users see after a new account is created.
Set the CreateUserWizard control's ContinueDestinationPageUrl property so that clicking "Continue" redirects the user to another page, for example a welcome page. Note that the wizard also logs the new user in automatically unless you set its LoginCreatedUser property to false.
V. Where user information is stored
So far you've seen how to create users with the WAT and the CreateUserWizard control; you may wonder where this information is stored. In Solution Explorer, refresh the App_Data folder (right-click it and choose Refresh Folder) and you'll see a file named aspnetdb.mdf (see Figure 13).
Figure 13. The aspnetdb.mdf database file in Solution Explorer.
aspnetdb.mdf is a SQL Server 2005 Express database; by default ASP.NET 2.0 uses it to store application data such as user accounts and settings. To look inside, double-click it and its contents appear in Database Explorer (see Figure 16). The aspnet_Users and aspnet_Membership tables hold the account information you created earlier. To view a table's rows, right-click the table name and select Show Table Data.
Figure 16. The aspnetdb.mdf database in Database Explorer.
A nice feature of ASP.NET 2.0 is that you don't have to design a database to store user information, and you don't have to worry about hashing passwords before storing them: the default membership provider stores a salted hash of each password for you, as long as you leave passwordFormat at its default of Hashed.
VI. How the membership provider model works
ASP.NET 2.0 uses a new security model called the membership provider model. It lets developers choose how security features are added to their applications, for maximum flexibility and extensibility.
As an example of the provider model's extensibility, consider the security (login) controls you've seen in this article. The controls, the APIs, and the providers that make up the model are shown in the following illustration.
Figure. Membership provider model: the relationship between the controls discussed in this article and the layers of the model.
At the top are the Web server controls such as Login, LoginStatus and LoginView. Beneath them are the APIs the controls call to do their work: the Membership class handles tasks such as adding and deleting users, and the MembershipUser class manages per-user data such as passwords and password questions. The membership APIs in turn call a membership provider to read and write persistent storage. Visual Studio 2005 ships with the SQL Server membership provider (SqlMembershipProvider) as the default. The provider acts as a bridge between the membership API and the data store, so data is persisted without the developer writing low-level data-access code.
If the providers Microsoft supplies don't meet your needs, you can extend them or write your own. For example, to keep membership data in an XML document instead of a relational database such as SQL Server, you would write a provider (a class deriving from MembershipProvider) that reads and writes the XML file.
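To make the middle layer concrete, here is an added example (not the article's own code) of the Membership and MembershipUser calls that the Login, CreateUserWizard, ChangePassword and PasswordRecovery controls make underneath. The class name AccountService and its method names are my own; it assumes whatever membership provider is registered for the application (by default the SqlMembershipProvider from machine.config) and is meant to live in App_Code of an ASP.NET 2.0 site.

```csharp
// Added example, not from the original article: the Membership / MembershipUser
// API the security controls use, as a small service class (App_Code/AccountService.cs).
using System.Web.Security;

public static class AccountService
{
    // Equivalent of CreateUserWizard: create the account and explain failures.
    public static string Register(string userName, string password, string email,
                                  string question, string answer)
    {
        MembershipCreateStatus status;
        // isApproved = true: the account may log in immediately.
        Membership.CreateUser(userName, password, email, question, answer, true, out status);
        switch (status)
        {
            case MembershipCreateStatus.Success:
                return "created";
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                // One message for both so the form cannot be used to discover
                // which user names or e-mail addresses already exist.
                return "account could not be created";
            case MembershipCreateStatus.InvalidPassword:
                return "password violates minRequiredPasswordLength or "
                     + "minRequiredNonalphanumericCharacters";
            default:
                return status.ToString();
        }
    }

    // Equivalent of the Login control: check the credentials against the
    // provider, then issue the forms-authentication ticket cookie.
    public static bool SignIn(string userName, string password, bool persistent)
    {
        // ValidateUser also counts failed attempts: after maxInvalidPasswordAttempts
        // within passwordAttemptWindow the provider locks the account and returns
        // false even for the correct password.
        if (!Membership.ValidateUser(userName, password))
            return false;
        FormsAuthentication.SetAuthCookie(userName, persistent);
        return true;
    }

    // Equivalent of the ChangePassword control: the current password is
    // required, so a hijacked session cookie alone cannot take over the account.
    public static bool ChangePassword(string userName, string oldPassword, string newPassword)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user != null && user.ChangePassword(oldPassword, newPassword);
    }

    // Equivalent of the PasswordRecovery control. Retrieval only works when the
    // provider stores reversible passwords (Clear or Encrypted); with the default
    // Hashed format the provider refuses to start if enablePasswordRetrieval is
    // true, so this falls through to ResetPassword, which generates a new random
    // password that the caller then e-mails to the user.
    public static string RecoverOrReset(string userName, string answer)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
            return null; // caller shows the same generic message as for a wrong answer

        if (Membership.EnablePasswordRetrieval
            && Membership.Provider.PasswordFormat != MembershipPasswordFormat.Hashed)
            return user.GetPassword(answer); // throws MembershipPasswordException on a wrong answer

        if (Membership.EnablePasswordReset)
            return user.ResetPassword(answer); // same exception on a wrong answer

        return null;
    }
}
```

Because every method goes through the Membership facade rather than talking to aspnetdb.mdf directly, swapping the SqlMembershipProvider for a custom XML provider in Web.config changes nothing in this class.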
VII. Recovering lost passwords
Recovering or resetting lost passwords is a common task you have to perform as an administrator. The PasswordRecovery control lets users do it themselves: it retrieves (or resets) the password and sends it to the user by e-mail.
Password retrieval is only possible if passwords are stored in clear text (or reversibly encrypted) rather than as hashes. By default the settings in machine.config make the provider hash every password before it is stored in the membership database, and with hashed passwords retrieval is not allowed; only reset is.
To store passwords in clear text, purely so you can see the retrieval path work, add the following to Web.config. Do not ship this configuration: a copy of the database then exposes every user's password.
...
<system.web>
  <membership defaultProvider="SQLProvider"
              userIsOnlineTimeWindow="15">
    <providers>
      <clear/>
      <add name="SQLProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           applicationName="SecurityControls"
           enablePasswordRetrieval="true"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           passwordFormat="Clear"/>
    </providers>
  </membership>
</system.web>
...
Specifically, this clears the inherited providers and registers a new SqlMembershipProvider. To allow password retrieval you must set both enablePasswordRetrieval="true" and passwordFormat="Clear".
If you leave passwordFormat at Hashed, enablePasswordRetrieval must be false (the provider refuses to start otherwise), but enablePasswordReset can stay true: the PasswordRecovery control then generates a new random password and e-mails that instead of the old one.
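As an added example (not from the original article), here is the same provider registration with the safe defaults restored, plus the lockout and password-policy attributes that SqlMembershipProvider supports. The numeric values are my choices; the provider name, connection string name and application name are the ones used above.

```xml
<!-- Added example, not from the original article: the SQLProvider registration
     with hashed storage. Password reset still works; retrieval does not, because
     only a salted hash of each password is stored. -->
<system.web>
  <membership defaultProvider="SQLProvider"
              userIsOnlineTimeWindow="15">
    <providers>
      <clear/>
      <add name="SQLProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="LocalSqlServer"
           applicationName="SecurityControls"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           passwordFormat="Hashed"
           minRequiredPasswordLength="8"
           minRequiredNonalphanumericCharacters="1"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10"/>
    </providers>
  </membership>
</system.web>
```

With this configuration the PasswordRecovery control still works: after the security question is answered correctly it calls ResetPassword and mails the generated password. maxInvalidPasswordAttempts and passwordAttemptWindow (in minutes) make the provider lock an account after five wrong passwords or answers within ten minutes; a locked account must be unlocked by an administrator (MembershipUser.UnlockUser) before it can log in again.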
Now drag a PasswordRecovery control onto Default.aspx and apply the color scheme. The control looks like Figure 17.
Figure 17. PasswordRecovery control: lets users recover forgotten passwords.
In the PasswordRecovery control's Properties window, set the From and Subject fields under the MailDefinition property, as shown in Figure 18.
Figure 18. PasswordRecovery control properties: configuring the control in the property browser.
You also need to configure SMTP settings so that the PasswordRecovery control can send e-mail. Start the WAT, select the Application tab, and choose "Configure SMTP e-mail settings"; this writes the mail settings into Web.config.
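As an added example (not from the original article), this is the system.net section that the WAT's SMTP page writes into Web.config, shown here so you can check or edit it by hand. The host name, port, addresses and credentials are placeholders.

```xml
<!-- Added example, not from the original article: SMTP settings used by the
     PasswordRecovery control (through System.Net.Mail). Placeholder values. -->
<configuration>
  <system.net>
    <mailSettings>
      <!-- "from" is the default sender; MailDefinition.From on the
           PasswordRecovery control overrides it for that control. -->
      <smtp from="noreply@example.com" deliveryMethod="Network">
        <network host="smtp.example.com"
                 port="25"
                 userName="smtpuser"
                 password="smtp-password"
                 defaultCredentials="false" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

If the relay needs a password, do not leave it in clear text in Web.config on a shared server: either set defaultCredentials="true" and run the application pool under an account the relay trusts, or encrypt the section with aspnet_regiis -pe "system.net/mailSettings/smtp" -app "/SecurityControls".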
To test, press F5. You'll be prompted for your user name and then for your security question. If you answer correctly, the password is e-mailed to you; otherwise the page shows an error message (see Figure 19).
Figure 19. Recovering a lost password: the screen sequence the user sees.
For security reasons, e-mailing a password to the user is a poor choice: the message travels and sits in mailboxes in clear text, and with retrieval enabled every password is stored in clear text as well. Think carefully before using this option. The reset path with hashed passwords is the safer default, and even then the user should be made to change the temporary password at the first login.
VIII. Changing the password
Besides recovering lost passwords, you also need to let users change their passwords. In ASP.NET 2.0 the ChangePassword control does this.
Since a user can change a password only after logging in, you'll now create a folder in your application that only authenticated users can access.
Add a folder (right-click the project name in Solution Explorer, select "Add Folder", then "Regular Folder") and name it Members. Then add a new Web form to the folder (right-click "Members" and select "Add New Item...") and name it ChangePassword.aspx (see Figure 20).
Figure 20. Solution Explorer after adding the Members folder to the project.
To restrict access to the Members folder, add the following <location> element to Web.config, after the main <system.web> section:
...
  </system.web>
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
In effect, pages in the Members folder can be reached only by authenticated users: all anonymous users ("?") are denied access and redirected to the login page.
Drag a ChangePassword control onto ChangePassword.aspx and apply the color scheme (see Figure 21).
Figure 21. ChangePassword control: makes it easy for users to change their passwords.
To test, select ChangePassword.aspx in the Members folder in Solution Explorer and press F5. You're first redirected to Login.aspx to authenticate; once authenticated, ChangePassword.aspx loads and you can change your password (see Figure 22).
Figure 22. Change password: the screen sequence when a user changes the password with the ChangePassword control.