From: http://www.cnblogs.com/wayne-ivan/archive/2007/12/19/1005329.html
The example in this topic demonstrates a simple implementation of ASP.NET forms authentication. It shows how to use forms authentication to allow users to log on to an ASP.NET application.
Note:
A convenient way to use forms authentication is to use ASP.NET membership together with the ASP.NET login controls. ASP.NET membership lets you store and manage user information and includes methods for authenticating users. The ASP.NET login controls use ASP.NET membership and encapsulate the logic required to prompt users for credentials, validate users, and recover or replace passwords. In effect, ASP.NET membership and the login controls provide a layer of abstraction over forms authentication that replaces most or all of the work you would otherwise have to do to use forms authentication. For more information, see Managing Users by Using Membership and ASP.NET Login Controls Overview.
In this example, the user requests a protected resource named Default.aspx. Only one user can access this protected resource: jchen@contoso.com, with the password "37Yj*99Ps". The user name and password are hard-coded in the Logon.aspx file. This example requires three files: the Web.config file, a page named Logon.aspx, and a page named Default.aspx. All three files are located in the application root directory.
Configure the application to use forms authentication
1. Open the Web.config file in the root directory of the application.

   If the application root folder does not contain a Web.config file, create a text file named Web.config and add the following elements to it (element and attribute names in Web.config are case-sensitive):

   <?xml version="1.0"?>
   <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
     <system.web>
     </system.web>
   </configuration>

2. In the system.web element, create an authentication element and set its mode attribute to Forms, as shown in the following example:

   <system.web>
     <authentication mode="Forms">
     </authentication>
   </system.web>

3. In the authentication element, create a forms element and set the following attributes:

   - loginUrl set to "Logon.aspx". Logon.aspx is the URL to which ASP.NET redirects any request that does not carry an authentication cookie.
   - name set to ".ASPXFORMSAUTH". This sets the suffix for the name of the cookie that contains the authentication ticket.

4. In the system.web element, create an authorization element.

5. In the authorization element, create a deny element and set its users attribute to "?". The "?" wildcard stands for anonymous (unauthenticated) users, so this denies them access to the application's resources:

   <system.web>
     <authentication mode="Forms">
       <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
       </forms>
     </authentication>
     <authorization>
       <deny users="?"/>
     </authorization>
   </system.web>

6. Save and close the Web.config file.
Create the logon page
When a user requests any page from the website without having been authenticated first, the user is redirected to the page named Logon.aspx, the file name you specified earlier in the Web.config file.
The Logon.aspx page collects the user's credentials (e-mail address and password) and authenticates them. If the user is authenticated, the logon page redirects the user to the page originally requested. In this example, the valid credentials are hard-coded in the page.
Security considerations
This example contains text boxes that accept user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.
To create the logon page
1. Create an ASP.NET page named Logon.aspx in the application root folder.
2. Copy the following markup and code into the page:
Visual Basic
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
    Sub Logon_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' Compare the submitted credentials with the hard-coded values.
        If (UserEmail.Text = "jchen@contoso.com") And _
           (UserPass.Text = "37Yj*99Ps") Then
            ' Issue the authentication ticket and return to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage _
                (UserEmail.Text, Persist.Checked)
        Else
            Msg.Text = "Invalid credentials. Please try again."
        End If
    End Sub
</script>
<html>
<head id="Head1" runat="server">
    <title>Forms Authentication - Login</title>
</head>
<body>
    <form id="Form1" runat="server">
        <h3>Logon Page</h3>
        <table>
            <tr>
                <td>E-mail address:</td>
                <td><asp:TextBox ID="UserEmail" runat="server" /></td>
                <td>
                    <asp:RequiredFieldValidator ID="RequiredFieldValidator1"
                        ControlToValidate="UserEmail"
                        Display="Dynamic"
                        ErrorMessage="Cannot be empty."
                        runat="server" />
                </td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><asp:TextBox ID="UserPass" TextMode="Password" runat="server" /></td>
                <td>
                    <asp:RequiredFieldValidator ID="RequiredFieldValidator2"
                        ControlToValidate="UserPass"
                        ErrorMessage="Cannot be empty."
                        runat="server" />
                </td>
            </tr>
            <tr>
                <td>Remember me?</td>
                <td><asp:CheckBox ID="Persist" runat="server" /></td>
            </tr>
        </table>
        <asp:Button ID="Submit1" OnClick="Logon_Click" Text="Log On" runat="server" />
        <p>
            <asp:Label ID="Msg" ForeColor="Red" runat="server" />
        </p>
    </form>
</body>
</html>
C#
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
    void Logon_Click(object sender, EventArgs e)
    {
        // Compare the submitted credentials with the hard-coded values.
        if ((UserEmail.Text == "jchen@contoso.com") &&
            (UserPass.Text == "37Yj*99Ps"))
        {
            // Issue the authentication ticket and return to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage
                (UserEmail.Text, Persist.Checked);
        }
        else
        {
            Msg.Text = "Invalid credentials. Please try again.";
        }
    }
</script>
<html>
<head id="Head1" runat="server">
    <title>Forms Authentication - Login</title>
</head>
<body>
    <form id="Form1" runat="server">
        <h3>Logon Page</h3>
        <table>
            <tr>
                <td>E-mail address:</td>
                <td><asp:TextBox ID="UserEmail" runat="server" /></td>
                <td>
                    <asp:RequiredFieldValidator ID="RequiredFieldValidator1"
                        ControlToValidate="UserEmail"
                        Display="Dynamic"
                        ErrorMessage="Cannot be empty."
                        runat="server" />
                </td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><asp:TextBox ID="UserPass" TextMode="Password" runat="server" /></td>
                <td>
                    <asp:RequiredFieldValidator ID="RequiredFieldValidator2"
                        ControlToValidate="UserPass"
                        ErrorMessage="Cannot be empty."
                        runat="server" />
                </td>
            </tr>
            <tr>
                <td>Remember me?</td>
                <td><asp:CheckBox ID="Persist" runat="server" /></td>
            </tr>
        </table>
        <asp:Button ID="Submit1" OnClick="Logon_Click" Text="Log On" runat="server" />
        <p>
            <asp:Label ID="Msg" ForeColor="Red" runat="server" />
        </p>
    </form>
</body>
</html>
This page contains ASP.NET server controls that collect the user's information, plus a check box; when the user selects the check box, the login credentials are persisted. The Click handler of the Log On button contains the code that checks the user's e-mail address and password against the hard-coded values. (The sample password is a strong password: it mixes in non-letter characters and is at least eight characters long.) If the credentials are correct, the code calls the RedirectFromLoginPage method of the FormsAuthentication class, passing the user name and a Boolean value taken from the check box that indicates whether to persist the authentication ticket as a cookie. The method then redirects the user to the page originally requested. If the credentials do not match, an error message is displayed. Note that the page imports the System.Web.Security namespace, which contains the FormsAuthentication class.
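An added example (not code from the original walkthrough): the same Logon_Click written as a code-behind class, checking the password against a salted PBKDF2 hash with a constant-time comparison instead of comparing a hard-coded plaintext string. It assumes Logon.aspx is changed to declare CodeFile="Logon.aspx.cs" Inherits="Logon" so that the controls UserEmail, UserPass, Persist and Msg from the markup above are available, and the stored salt and hash are constructed at startup from the sample password in place of a real user store.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

public partial class Logon : System.Web.UI.Page
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 10000;
    private const string KnownUser = "jchen@contoso.com";
    // Constructed in-memory user record standing in for a membership database:
    // a random salt and the PBKDF2 hash of the walkthrough's sample password.
    private static readonly Rfc2898DeriveBytes Enrollment =
        new Rfc2898DeriveBytes("37Yj*99Ps", SaltSize, Iterations);
    private static readonly byte[] KnownSalt = Enrollment.Salt;
    private static readonly byte[] KnownHash = Enrollment.GetBytes(HashSize);

    protected void Logon_Click(object sender, EventArgs e)
    {
        if (VerifyPassword(UserEmail.Text, UserPass.Text))
            // Same call as the walkthrough: issue the ticket and return to the requested page.
            FormsAuthentication.RedirectFromLoginPage(UserEmail.Text, Persist.Checked);
        else
            // One message for unknown user and wrong password alike.
            Msg.Text = "Invalid credentials. Please try again.";
    }

    // True only when the e-mail matches and the password re-derives the stored hash.
    // An unknown user is still hashed against the stored salt, and the byte compare
    // never stops early, so both failure paths take about the same time.
    internal static bool VerifyPassword(string email, string password)
    {
        bool userExists = string.Equals(email, KnownUser, StringComparison.OrdinalIgnoreCase);
        byte[] candidate = Pbkdf2(password ?? string.Empty, KnownSalt);
        return FixedTimeEquals(candidate, KnownHash) & userExists; // non-short-circuit &
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```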
Create the default page
In this example, you create an ASP.NET page in the application root folder. Because the configuration file denies all unauthenticated users access to the application's ASP.NET resources (which include .aspx files but not static files such as HTML files or media files such as images and music), forms authentication checks the user's credentials when this page is requested and redirects the user to the logon page when necessary. The page you create also lets users log out, which clears their saved authentication ticket (cookie).
To create the default page
1. Create an ASP.NET page named Default.aspx in the application root folder.
2. Copy the following markup and code into the page:
Visual Basic
<%@ Page Language="VB" %>
<html>
<head>
    <title>Forms Authentication - Default Page</title>
</head>
<script runat="server">
    Sub Page_Load(ByVal src As Object, ByVal e As EventArgs)
        ' The user name comes from the authentication ticket that forms authentication validated.
        Welcome.Text = "Hello, " & Context.User.Identity.Name
    End Sub

    Sub Signout_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' Remove the authentication ticket (cookie) and return to the logon page.
        FormsAuthentication.SignOut()
        Response.Redirect("Logon.aspx")
    End Sub
</script>
<body>
    <h3>Using Forms Authentication</h3>
    <asp:Label ID="Welcome" runat="server" />
    <form id="Form1" runat="server">
        <asp:Button ID="Submit1" OnClick="Signout_Click"
            Text="Sign Out" runat="server" />
    </form>
</body>
</html>
C#
<%@ Page Language="C#" %>
<html>
<head>
    <title>Forms Authentication - Default Page</title>
</head>
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // The user name comes from the authentication ticket that forms authentication validated.
        Welcome.Text = "Hello, " + Context.User.Identity.Name;
    }

    void Signout_Click(object sender, EventArgs e)
    {
        // Remove the authentication ticket (cookie) and return to the logon page.
        FormsAuthentication.SignOut();
        Response.Redirect("Logon.aspx");
    }
</script>
<body>
    <h3>Using Forms Authentication</h3>
    <asp:Label ID="Welcome" runat="server" />
    <form id="Form1" runat="server">
        <asp:Button ID="Submit1" OnClick="Signout_Click"
            Text="Sign Out" runat="server" />
    </form>
</body>
</html>
This page displays the user's authenticated identity, which forms authentication establishes through the FormsAuthentication class and which is exposed on the ASP.NET page as the Context.User.Identity.Name property. The Click handler of the Sign Out button calls the SignOut method to clear the user's identity and remove the authentication ticket (cookie), and then redirects the user to the logon page.
Put all pages that do not require authentication under one directory, but do not set the forms authentication mode in a Web.config inside that directory; set it only in the top-level Web.config. For example:
1. Require authentication for all pages:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH"/>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
2. Then exempt the pages under one directory (here noauto is the directory that holds the pages that do not need authentication). The location element is placed directly under the configuration element of the top-level Web.config:
<location path="noauto">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>