Summary of ASP.NET security verification
http://www.cnblogs.com/kwklover/archive/2004/06/22/17806.aspx
1. Windows-based security verification
Web.config file:
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <authorization>
      <!-- Windows groups and accounts are written as DOMAIN\name -->
      <allow roles="BUILTIN\groupname" users="computername\username,computername\username"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The .aspx file needs no code to perform the verification, but it can read the logged-in user's information.
You need to import the namespace: System.Security.Principal
if (User.Identity.IsAuthenticated) // check whether the user is authenticated
{
    WindowsIdentity objWinIdentity = WindowsIdentity.GetCurrent();
    lblHelloMsg.Text = "the name:" + objWinIdentity.Name + "<br> type:" + objWinIdentity.AuthenticationType + " isinrole:" + User.IsInRole("computername\\groupname");
}
2. Forms-based verification using Web.config
Web.config file:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyApp" path="/" loginUrl="login.aspx"
             protection="All" timeout="30">
        <!-- passwordFormat="Clear" keeps the passwords below in plaintext -->
        <credentials passwordFormat="Clear">
          <user name="KWK" password="test"/>
          <user name="ljx" password="test"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="KWK,ljx"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
login.aspx file: You need to provide two text boxes for the user name and password (txtUsr, txtPwd) and one check box (chkPersist) that decides whether the login is saved permanently.
The code that responds to the login button is as follows:
// Requires the System.Web.Security namespace.
void DoLogin(Object sender, EventArgs e)
{
    // Checks the input against the <credentials> section of Web.config.
    if (FormsAuthentication.Authenticate(txtUsr.Value, txtPwd.Value))
    {
        FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, chkPersist.Checked);
    }
    else
    // Included for completeness of the code. You can leave it empty.
    {
        Response.Write("authentication fails");
    }
}
On other pages, you can obtain the name of the logged-in user:
if (User.Identity.IsAuthenticated) // this check is not required
{
    Response.Write("Your name:" + User.Identity.Name);
    Response.Write("Verification type:" + User.Identity.AuthenticationType); // Forms, Windows, etc.
}
3. Authentication based on custom forms
Web.config file (basically no settings are required):
<system.web>
  <authentication mode="Forms">
    <forms name="MyApp" path="/" loginUrl="custom-login.aspx"
           protection="All" timeout="30">
    </forms>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
custom-login.aspx file: the basic principle is the same as described in section 2, for example:
if (blnIsAuthenticated) // note that blnIsAuthenticated is a variable we define ourselves.
// We compare the user's input with the information in the database (or XML); the variable is set to true if a match exists, and false otherwise.
// This is the difference from section 2.
{
    FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, chkPersist.Checked);
    // txtUsr and chkPersist are TextBox and CheckBox controls, respectively.
}
else
{
    // Show the verification-failure message
}
The rest, such as obtaining user information on other pages, is the same as in section 2.
4. Log out
Code for responding to the Logout button:
FormsAuthentication.SignOut();
Response.Clear();
// Request.UrlReferrer is null when the request carries no Referer header.
Response.Redirect(Request.UrlReferrer.ToString()); // redirect to the previous page