Use Forms authentication for user registration and login

Source: Internet
Author: User

Preface

Forms authentication is the most common method of user authentication, but it is rarely explained systematically. Most articles on the internet describe how to use or implement only part of it, while many readers ask how to complete user registration and logon from start to finish. Therefore, this article uses a practical example to show how to implement Forms-based authentication:

    • User Registration (including encrypted storage of passwords)
    • User Logon (including password verification and security cookie setting)
    • User entity replacement (use your own type as the type of HttpContext.User)

The principles of Forms authentication are outside the scope of this article; you can find more resources by entering keywords such as "Forms authentication" in a search engine. This article only describes how to use the technology from a practical perspective.

 

Do not use membership

The implementation described in this article does not rely on the Membership feature provided by ASP.NET 2.0. The main reason is that if you use Membership, you must configure the database with the aspnet_regsql.exe utility; otherwise, you must write your own custom MembershipProvider.

If you use aspnet_regsql.exe to configure the database, many tables and fields that we don't actually need will appear in it. In addition, the default SqlMembershipProvider adds an ApplicationId column to many tables. The original intention may have been to store the users of multiple applications in one database while keeping them isolated from each other. In practice, however, each application stores user data in its own database, so ApplicationId only adds an extra condition to every user lookup.

On the other hand, implementing a MembershipProvider of your own is not worth the effort because of the heavy workload.

However, if you do not use Membership, you cannot enjoy the convenience of the new Login control and the other login controls in ASP.NET 2.0.

 

Configuration related to Forms authentication

In the Web.config file, the <system.web>/<authentication> configuration section is used to configure authentication. Set the mode="Forms" attribute on the <authentication> node to enable Forms authentication. A typical <authentication> configuration section is as follows:

    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             defaultUrl="default.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="false"
             slidingExpiration="false"
             enableCrossAppRedirects="false"
             cookieless="UseDeviceProfile"
             domain="" />
    </authentication>

 

 

The code above uses the default settings. In other words, if the value you want for an attribute is the same as in the code above, you can omit that attribute, for example <forms name="myappauth" />. The attributes are described in order below:

  • name -- the cookie name. Forms authentication may put the user's credentials in a cookie after verification, and the name attribute determines the name of that cookie. You can obtain the configured value through the FormsAuthentication.FormsCookieName property (the FormsAuthentication class is introduced later).
  • loginUrl -- the URL of the logon page. The configured value can be obtained through the FormsAuthentication.LoginUrl property. When the FormsAuthentication.RedirectToLoginPage() method is called, the client request is redirected to the page specified by this attribute. The default value of loginUrl is "login.aspx", which means that even if this attribute is not provided, ASP.NET will try to find a page named login.aspx under the root directory of the site.
  • defaultUrl -- the URL of the default page. The configured value can be obtained through the FormsAuthentication.DefaultUrl property.
  • protection -- the cookie protection mode. Values are All (both encryption and data validation), Encryption (encryption only), Validation (data validation only), and None. For security, never set this attribute to None.
  • timeout -- the cookie expiration time.
  • path -- the cookie path. You can obtain the configured value through the FormsAuthentication.FormsCookiePath property.
  • requireSSL -- whether SSL is required for interaction with the server during Forms authentication. You can obtain the configured value through the FormsAuthentication.RequireSSL property.
  • slidingExpiration -- whether to enable sliding expiration. If this attribute is false, the cookie expires once the timeout has elapsed since the first verification. If it is true, the cookie expires once the timeout has elapsed since the last request. This means that after the first verification, as long as at least one request is sent within each timeout period, the cookie never expires. The configured value can be obtained through the FormsAuthentication.SlidingExpiration property.
  • enableCrossAppRedirects -- whether authenticated users may be redirected to other applications. The configured value can be obtained through the FormsAuthentication.EnableCrossAppRedirects property. For security reasons, this attribute is usually set to false.
  • cookieless -- defines whether cookies are used and how they behave. Forms authentication can carry the user's credentials through a session in two ways. One is to record the credentials in a cookie, which the browser sends to the server with every request. The other is to use the URI, which means the credentials are passed to the server as an additional query string in the URL. This attribute has four values: UseCookies (cookies are always used), UseUri (cookies are never used, only the URI), AutoDetect (checks both the device and the browser, and uses cookies only when the device supports cookies and cookies are enabled in the browser), and UseDeviceProfile (checks only the device, and uses cookies whenever the device supports them, whether or not the browser does). The configured value can be obtained through the FormsAuthentication.CookieMode property. You can use the FormsAuthentication.CookiesSupported property to determine whether cookies are used to pass the user's credentials for the current request.
  • domain -- the cookie domain. The configured value can be obtained through the FormsAuthentication.CookieDomain property.

This introduction to the <system.web>/<authentication>/<forms> node is very brief; it is essentially a supplement to the documentation. For more information about the <forms> node, see the MSDN documentation (http://msdn2.microsoft.com/zh-cn/library/1d3t3c61(vs.85).aspx).
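The attributes above can be checked at application start rather than by reading Web.config by eye. The following is an added example, not code from the original article: it reads the <forms> section and reports the settings that weaken the authentication ticket. The names FormsAuthConfigAudit and GetFindings are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;

// Added example: audits the <forms> settings described in this section.
// FormsAuthConfigAudit and GetFindings are hypothetical names.
public static class FormsAuthConfigAudit
{
    public static IList<string> GetFindings()
    {
        List<string> findings = new List<string>();
        AuthenticationSection auth = (AuthenticationSection)
            WebConfigurationManager.GetSection("system.web/authentication");

        if (auth == null || auth.Mode != AuthenticationMode.Forms)
        {
            findings.Add("Forms authentication is not enabled (mode is not \"Forms\").");
            return findings;
        }

        FormsAuthenticationConfiguration forms = auth.Forms;

        // protection: anything other than All drops encryption, validation, or both.
        if (forms.Protection != FormsProtectionEnum.All)
            findings.Add("protection=\"" + forms.Protection
                + "\": the ticket is not both encrypted and validated.");

        // requireSSL: without it the ticket cookie is also sent over plain HTTP.
        if (!forms.RequireSSL)
            findings.Add("requireSSL=\"false\": the ticket cookie can travel over plain HTTP.");

        // cookieless: every mode except UseCookies can put the ticket in the URL.
        if (forms.Cookieless != HttpCookieMode.UseCookies)
            findings.Add("cookieless=\"" + forms.Cookieless
                + "\": the ticket may be placed in the URL and leak through logs, history and Referer headers.");

        // enableCrossAppRedirects: true lets ReturnUrl leave the current application.
        if (forms.EnableCrossAppRedirects)
            findings.Add("enableCrossAppRedirects=\"true\": ReturnUrl may point outside this application.");

        // slidingExpiration: informational, an active session is renewed indefinitely.
        if (forms.SlidingExpiration)
            findings.Add("slidingExpiration=\"true\": an active session never expires (timeout "
                + forms.Timeout.TotalMinutes + " minutes of inactivity).");

        return findings;
    }
}
```

Calling GetFindings() from Application_Start in Global.asax and logging the result makes a weak deployment configuration visible before the first logon.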

 

 

FormsAuthentication class

The FormsAuthentication class helps us complete forms verification and, building on that, user logon and related functions. This class is located in the System.Web.Security namespace of the System.Web.dll assembly. It can be used directly in a web site project. If you use it in a class library project, make sure that System.Web.dll is referenced.

The previous section covered all the properties of the FormsAuthentication class. This section describes a few commonly used methods of the class.

The RedirectToLoginPage method redirects from any page to the logon page. This method has two overloads:

 
    public static void RedirectToLoginPage()
    public static void RedirectToLoginPage(string extraQueryString)

Both overloads redirect the browser to the logon page (the logon page URL is given by the loginUrl attribute of the <forms> node). The second overload also appends an additional query string.

RedirectToLoginPage is usually called on any page other than the logon page. In addition to redirecting, this method appends a ReturnUrl parameter to the URL, which is the URL of the page on which the method was called. This makes it possible to return automatically to the previous page after logon.

The RedirectFromLoginPage method jumps from the logon page back to the page the user was on before logging on. That page is specified by the ReturnUrl parameter supplied when the logon page was reached. If no ReturnUrl parameter is provided (for example, because the logon page was reached by some other redirect or accessed directly rather than through RedirectToLoginPage), this method automatically jumps to the page specified by the defaultUrl attribute of the <forms> node.

In addition, if the enableCrossAppRedirects attribute of the <forms> node is set to false, the path specified by the ReturnUrl parameter must be a path inside the current web application; otherwise (for example, a path under another site), the browser is also sent to the default page.

The RedirectFromLoginPage method has two overloads:

 
    public static void RedirectFromLoginPage(string userName, bool createPersistentCookie)
    public static void RedirectFromLoginPage(string userName, bool createPersistentCookie, string strCookiePath)

The userName parameter identifies the user (for example, the user name or user ID); the createPersistentCookie parameter indicates whether to "remember me"; and the strCookiePath parameter gives the cookie path.

In addition to redirecting, the RedirectFromLoginPage method also stores the user's credentials (whether they are encrypted depends on the protection attribute of the <forms> node) in the cookie or URI. On subsequent requests, as long as the cookie has not expired, the userName value passed in here can be read from the HttpContext.User.Identity.Name property.

In addition, FormsAuthentication has a SignOut method that logs the user out. It works by removing the user's credentials from the cookie or URI.

Summary

Now the basic knowledge is complete. Next we will implement user registration, logon, and other functions.

 

 

2. User Registration and logon

Starting from this section, we use a complete example to show how to implement user registration and logon. Before introducing registration and logon, we first look at how to determine whether a user has logged on, and write some basic code for the examples that follow.

Determine whether the user has logged on

First, add a master page to the web site project, for example MasterPage.master. Insert the following code inside the <form> tag, before the ContentPlaceHolder control on this master page:

 
   
    
    [Master page markup not preserved. Surviving text: "|" ... "welcome, " ... "! [" ... "]" ... "|"]
    
    
   

Three Panel controls are provided: pnlAnonymous, pnlLoggedIn, and pnlNavigate. pnlAnonymous displays the "login" and "registration" links when the user is not logged on. pnlLoggedIn displays the user's information when the user is logged on (such as the user name and a link to the user's personal information page; only the user name is displayed here) together with a "logout" button. pnlNavigate is always displayed and is the navigation bar of the site.

Now we need to determine whether the user is logged on and display either pnlAnonymous or pnlLoggedIn. If ASP.NET 2.0 Membership were used, controls such as LoginView, LoginName, and LoginStatus would make this easy. However, we would then have to put up with the large number of database objects that Membership brings, or spend more time writing a custom MembershipProvider.

The first part of this series explained that if a user has logged on, you can obtain the identity of the logged-on user (usually the user name) from HttpContext.User.Identity.Name. If the user is not logged on, this value is an empty string. Therefore, you can determine whether the user has logged on by checking whether the value is an empty string.
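One way to write that check in the master page's code-behind, as an added example that is not part of the original article. pnlAnonymous and pnlLoggedIn are the panels named above and are assumed to be declared in the master page markup; lblUserName (a Label inside pnlLoggedIn) and btnLogout_Click (the logout button's Click handler) are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: code-behind for MasterPage.master.
// pnlAnonymous and pnlLoggedIn come from the article; lblUserName and
// btnLogout_Click are hypothetical names for the label and logout handler.
public partial class MasterPage : System.Web.UI.MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // For an anonymous request Identity.Name is an empty string.
        string name = Context.User.Identity.Name;
        bool loggedIn = !string.IsNullOrEmpty(name);

        // Show exactly one of the two panels.
        pnlAnonymous.Visible = !loggedIn;
        pnlLoggedIn.Visible = loggedIn;

        if (loggedIn)
        {
            // The name was chosen by the user at registration, so encode it
            // before writing it into the page.
            lblUserName.Text = HttpUtility.HtmlEncode(name);
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Remove the forms-authentication ticket, then send the browser
        // to the page configured as loginUrl.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```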

 

 

 

 

 
