web.config file in ASP.NET [online collection]

Source: Internet
Author: User

Published on blog.csdn.net/zxub

When I learned about ASP.NET, I found the web.config file very useful. I gathered some material and collected it here for reference by those who need it.
All .NET applications store their configuration in an XML-based configuration file. Web applications use the web.config file located in the application root directory. The information in an ASP.NET application's web.config governs most of the application's operation. Through web.config you can define settings for the website, such as the custom 404 error page, authentication and authorization, and whether ASP.NET tracing is enabled.
web.config has <configuration> as its root tag. You can add many other tags inside it; the most common and useful one is <system.web>. To define application-wide settings, use the <appSettings> tag. Inside it, you can use <add .../> tags to define zero or more settings. For example, to add a database connection string parameter, you can use the following web.config file:

<configuration>
  <!-- Application specific settings -->
  <appSettings>
    <add key="connstring" value="connection string"/>
  </appSettings>
  <system.web>
    ...
  </system.web>
</configuration>

The preceding code adds an application-wide setting named connstring whose value is the data connection string. Now, in most ASP.NET web pages of the site, you can read the value of connstring with the following statement:

string connStr = ConfigurationSettings.AppSettings["connstring"];

If you are creating a large ASP.NET application, it is wise to define a large number of global website management and property settings as application-wide parameters. So far we have used the <appSettings> tag for this, as we just did. There is a problem here, though: when someone else wants to integrate your program with theirs, and a setting name already exists in their configuration, it cannot be changed across the whole application without a conflict. Whether this matters depends on what you want to do with your website.

To avoid such confusion, you can group the application's settings under a unique tag in the web.config file. That is, you create a tag named <myAppSettings> in web.config and add the application-wide settings to it as described earlier. To customize a tag, you must first explicitly define the new tag name in web.config using the <configSections> tag. For example:

<configuration>
  <configSections>
    <section name="myAppSettings"
             type="System.Configuration.NameValueFileSectionHandler,
                   System, Version=1.0.3300.0, Culture=neutral,
                   PublicKeyToken=b77a5c561934e089"/>
  </configSections>
  ...
</configuration>
Note: the type attribute value in the <section .../> tag must be written on a single line. Here it is broken across lines to make it clearer.

This <section .../> tag declares that a custom tag named myAppSettings will be added. From now on, to add an application-wide parameter, we can add a <myAppSettings> tag with <add .../> tags to the web.config file, as shown below:

<configuration>
  <configSections>
    <section name="myAppSettings"
             type="System.Configuration.NameValueFileSectionHandler,
                   System, Version=1.0.3300.0, Culture=neutral,
                   PublicKeyToken=b77a5c561934e089"/>
  </configSections>
  <myAppSettings>
    <add key="connstring" value="connection string"/>
  </myAppSettings>
  ...
</configuration>
Finally, we read this custom value in an ASP.NET web page with the following syntax (NameValueFileSectionHandler returns a NameValueCollection, hence the cast):
// requires using System.Collections.Specialized;
string connStr = ((NameValueCollection)ConfigurationSettings.GetConfig("myAppSettings"))["connstring"];

More generally, replace myAppSettings with the name you chose for the tag that stores the custom settings, and connstring with the name of the parameter you want to read. This method effectively resolves the conflicts mentioned above, as long as the chosen section name is unique.

In the web.config file, the <authentication> section defines the details of how the server authenticates users. The three supported modes are Windows, Forms, and Passport. Now let's take a closer look at each mode:

  • Windows authentication uses Windows system accounts (for example, Active Directory) to authenticate users. Windows authentication is the most secure form of authentication. For programmers this mode is very simple, because the entire process is handled by the operating system. However, every user of the website needs a system account, so this mode is mostly restricted to enterprise intranet applications.

  • Passport authentication uses a Passport to authenticate the user and is the second most secure method. It is best suited to large, active Internet e-commerce applications that charge users for their services. This is the authentication method chosen by .NET.

  • Forms authentication is the least secure method, because your application must handle the authentication process on its own. However, it is most likely the mode used in your Internet applications, because it requires the least administration and maintenance.

An example of applying forms authentication follows.

The file layout is:

+ bin
+ admin
  - index.aspx
  - test.aspx
  - *.aspx
  - web.config    // web.config in the admin folder
login.aspx
web.config        // web.config in the root directory
index.aspx

(1) Important FormsAuthentication methods and properties
FormsCookieName
Returns the cookie name configured for the current application.
GetAuthCookie
Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so the application has more control over it.
Authenticate
Given the supplied credentials, attempts to validate them against the credentials contained in the configured credential store.
GetRedirectUrl
Returns the redirect URL of the original request that led to the redirect to the logon page.
HashPasswordForStoringInConfigFile
Given a password and a string identifying the hash type, this routine produces a hashed password suitable for storing in the configuration file.
RedirectFromLoginPage
Redirects an authenticated user back to the originally requested URL.
    Remarks: RedirectFromLoginPage redirects to the return URL given by the ReturnUrl key in the query string. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, caller.aspx is the return URL that RedirectFromLoginPage redirects to. If the ReturnUrl key is not present, RedirectFromLoginPage redirects to default.aspx.
SetAuthCookie
Creates an authentication ticket and attaches it to the cookie collection of the outgoing response. It does not perform a redirect.
SignOut
Removes the authentication ticket.

(2) Let's thoroughly understand, step by step, how the page is verified

Let me restate our purpose:
The admin folder is the "area" for back-end management by the administrator. All pages in the admin folder may be accessed only after logging on and being verified through login.aspx.
You must go through the login.aspx form to verify that the user is an administrator.

(1) Suppose that in index.aspx in the root directory we place a link <a href="login.aspx">Log on as administrator</a>. The administrator reaches the login.aspx form through this link. There is a common misconception here: we are used to pointing this "administrator login" link at login.aspx. In fact that is wrong; we should link "directly" to the admin folder (or any page in it). Someone will ask, "Then can't an ordinary visitor reach the admin page directly through this link?" Right! That is the beauty of forms-based authentication: you don't have to worry about this problem. Let's look at our two web.config files!

Look at the web.config in the admin folder:

<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

The <deny users="?"/> means that unauthenticated anonymous users are absolutely prohibited from accessing this folder, admin.
What if an anonymous user tries to reach a page in the admin folder? Haha, they will be directed to the login.aspx page. Now look at the web.config in the root directory:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="mycookiename" loginUrl="login.aspx" protection="All" timeout="30">
      </forms>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>

The web.config in the root directory sets the authentication mode and how it is handled.
<authentication mode="Forms"> sets the authentication mode to Forms;
<forms name="mycookiename" loginUrl="login.aspx" protection="All" timeout="30"/>
Did you notice loginUrl="login.aspx"? That is to say, if an anonymous user tries to reach a protected page (the admin folder), they are sent to login.aspx and asked to log in!

(2) We click the "administrator login" link and arrive at login.aspx. Now you will find that the URL is actually login.aspx?ReturnUrl=admin/index.aspx (actually, once we have passed verification in login.aspx, the page automatically jumps to the ReturnUrl).

Look at login.aspx:

<asp:TextBox id="textName" runat="server"/> Account
<asp:TextBox id="textPassword" TextMode="Password" runat="server"/> Password
<asp:CheckBox id="myCheckBox" runat="server"/> Remember the password and stay logged on
<asp:Button runat="server" OnClick="btnLoginClick" Text="Login"/>

Handling event 1 (when the user clicks the login button)

void btnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a hypothetical helper: place your own DLL in the bin directory to verify the user and return a bool.
    if (IsValidUser(textName.Text, textPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(textName.Text, myCheckBox.Checked);
    }
}

1. FormsAuthentication.RedirectFromLoginPage(textName.Text, myCheckBox.Checked):
   -> sets an authentication cookie indicating that the user has been authenticated;
   -> returns to the page you requested (admin/index.aspx).
2. This statement is equivalent to the following two statements:
   FormsAuthentication.SetAuthCookie(textName.Text, myCheckBox.Checked);
   Response.Redirect(FormsAuthentication.GetRedirectUrl(textName.Text, myCheckBox.Checked));
3. If the myCheckBox control is checked, the cookie is written and kept for 50 years. Of course, we can change that time:
Handling event 1 (when the user clicks the login button)

void btnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a hypothetical helper: place your own DLL in the bin directory to verify the user and return a bool.
    if (IsValidUser(textName.Text, textPassword.Text))
    {
        HttpCookie authenticationCookie = FormsAuthentication.GetAuthCookie(textName.Text, myCheckBox.Checked);
        authenticationCookie.Expires = DateTime.Now.AddDays(3); // 3 days
        Response.Cookies.Add(authenticationCookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(textName.Text, myCheckBox.Checked));
    }
}
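
As an added example (not code from the original post), here is the step-3 handler written so that the ticket's own expiration matches the cookie's: setting Expires on the cookie only tells the browser when to discard it, while the encrypted ticket inside still carries the expiration GetAuthCookie gave it. It assumes .NET Framework 2.0 or later (for HttpCookie.HttpOnly), the login.aspx control names above, and a hypothetical IsValidUser helper standing in for the application's own user check.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    protected TextBox textName;     // controls declared in login.aspx above
    protected TextBox textPassword;
    protected CheckBox myCheckBox;

    // Hypothetical stand-in for the application's own user check (the "DLL in bin").
    private static bool IsValidUser(string user, string password)
    {
        throw new NotImplementedException("plug in the application's user store");
    }

    protected void btnLoginClick(object sender, EventArgs e)
    {
        if (!IsValidUser(textName.Text, textPassword.Text))
        {
            return; // failed login: stay on login.aspx
        }
        bool persistent = myCheckBox.Checked;
        DateTime issued = DateTime.Now;
        // Persistent ("remember me"): 3 days as in step 3; otherwise match the
        // timeout="30" minutes set on <forms> in the root web.config.
        DateTime expires = persistent ? issued.AddDays(3) : issued.AddMinutes(30);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, textName.Text, issued, expires, persistent, String.Empty);

        // protection="All": the ticket is encrypted and signed with the machineKey,
        // so the browser can neither read nor alter the user name or expiry.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                         // not readable from client script
        cookie.Secure = FormsAuthentication.RequireSSL; // HTTPS-only when requireSSL is set
        if (persistent)
        {
            cookie.Expires = expires; // browser keeps the cookie across sessions
        }
        Response.Cookies.Add(cookie);

        // Same target RedirectFromLoginPage uses: the ReturnUrl query value,
        // or default.aspx when it is absent.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(textName.Text, persistent), true);
    }
}
```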

4. There is a bug here. I don't know why it behaves like this. Let's do this:
Handling event 1 (when the user clicks the login button)

void btnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a hypothetical helper: place your own DLL in the bin directory to verify the user and return a bool.
    if (IsValidUser(textName.Text, textPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(textName.Text, myCheckBox.Checked);
        Response.Redirect("http://www.QuickResponser.com");
    }
}

What happens? It would be reasonable to expect FormsAuthentication.RedirectFromLoginPage(textName.Text, myCheckBox.Checked); to execute and then jump to the requested page admin/index.aspx.
However, in actual testing the page was found to execute Response.Redirect("http://www.QuickResponser.com"); instead.
5. Do not link to login.aspx directly. Why? Suppose we open login.aspx directly; its URL then has no ReturnUrl parameter, so the default, default.aspx (or index.aspx ...), is used. When the administrator passes verification, the page jumps to the default page index.aspx rather than to the admin area.
(If you do link directly, the bug above can also be used to solve the problem.)

Logging out:
Use FormsAuthentication.SignOut();

In fact, the above is not the most secure solution, but it is a practical, simple, and workable authentication solution.
