By Scott Guthrie
ASP.NET version 2.0 includes built-in Membership Management and Role Management systems that provide automatic credential storage and role mapping support against multiple data store providers.
To access Membership Management and Role Management, you can use the Membership and RoleManager classes that are in the System.Web.Security namespace (which is imported by default for pages).
For example, you can use these classes to add new users to the application simply by calling Membership.CreateUser(username, password).
On top of these APIs, the ASP.NET team has added a suite of cool Login controls that live on the Security tab of the VS .NET toolbox. These internally call the Membership Management and Role Management APIs—and eliminate the need to write any code for common security tasks.
In the Alpha version, the following controls appear on the Toolbox:
Login: Login form
LoginView: Templated control to vary output based on logged-in state
PasswordRecovery: Control that enables passwords to be retrieved when forgotten
LoginStatus: Control that toggles a login/logout message with a link to the login page
LoginName: Control that outputs the login name of the current user
The ASP.NET team will add two more controls in the Beta—one for creating new users on the system, and one for changing passwords (for the Alpha version you'll need to use the Membership API and write a little bit of code to enable these scenarios).
Following is a simple example of how to use all of the preceding features to implement a security system with the Alpha version that uses Forms Authentication and stores usernames and passwords in a membership store. (By default it will use the AccessProvider—you can update the configuration file to point it at SQL without having to change any code.)
Update web.config to enable Forms Authentication and the role provider.
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <roleManager enabled="true" />
  </system.web>
</configuration>
Build a Default.aspx page that has both a LoginStatus control and a templated message for anonymous and logged-in users.
<%@ page language="VB" %>
<html>
<body>
  <form runat="server">
    <table cellspacing="1" cellpadding="1" border="1">
      <tr>
        <td width="500">
          <h1>Put Site Logo/Banner Stuff Here</h1>
        </td>
        <td width="100" align="center">
          <asp:loginstatus runat="server" />
        </td>
      </tr>
    </table>
    <br />
    <asp:loginview runat="server">
      <anonymoustemplate>
        <h2>Welcome to My Site</h2>
      </anonymoustemplate>
      <loggedintemplate>
        <h2>Welcome <asp:loginname runat="server" /></h2>
      </loggedintemplate>
    </asp:loginview>
  </form>
</body>
</html>
Build a Login.aspx page that uses the Login control.
<%@ page language="VB" %>
<html>
<body>
  <form runat="server">
    <asp:login runat="server"
               font-names="Verdana" font-size="10pt"
               borderwidth="1px" bordercolor="#CCCC99" borderstyle="Solid"
               backcolor="#F7F7DE"
               createusertext="Register New Account"
               createuserurl="CreateUser.aspx">
      <titletextstyle font-bold="True" forecolor="White" backcolor="#6B696B">
      </titletextstyle>
    </asp:login>
  </form>
</body>
</html>
Build a CreateUser.aspx page that uses the Membership APIs to add new users into the application. Note that this will be made easier in the Beta version with a new CreateUser control.
<%@ page language="VB" %>
<script runat="server">
  Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    Try
      ' Store the new account in the configured membership provider,
      ' then sign the user in with the same credentials.
      Membership.CreateUser(UserName.Text, Password.Text)
      FormsAuthentication.RedirectFromLoginPage(UserName.Text, False)
    Catch ex As Exception
      ' A single generic message covers every failure (including duplicate names).
      Label1.Text = "Unable to create user - user may already exist"
    End Try
  End Sub
</script>
<html>
<body>
  <form runat="server">
    UserName:
    <asp:textbox id="UserName" runat="server"></asp:textbox>
    <br /><br />
    Password:
    <asp:textbox id="Password" textmode="Password" runat="server"></asp:textbox>
    <br /><br />
    <asp:button runat="server" text="Create User" onclick="Button1_Click" />
    <br /><br />
    <asp:label id="Label1" runat="server" font-size="Large" forecolor="#FF0033"></asp:label>
  </form>
</body>
</html>
All in all, very little code is required (none will be needed with the Beta version). The resulting implementation is very secure (passwords are automatically hashed with salts to avoid retrieval in the event of a database hack) and very fast. One consequence worth checking in your configuration: a salted hash cannot be reversed by anyone, the site included, so forgotten-password handling on a hashed store has to issue a new password rather than hand back the old one.
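The storage property claimed above (a copied credential table yields salts and digests, not passwords, and the same password stored twice looks different each time) is shown here as an added, stand-alone example. It is not code from the post or from ASP.NET, and it does not reproduce the membership provider's actual record format; the PBKDF2 parameters, field names and sample users are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed illustration of salted password hashing as a credential store.
# Not the ASP.NET Membership provider's on-disk format; parameters are assumed.
PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune to your hardware
SALT_BYTES = 16


@dataclass
class StoredCredential:
    salt: bytes    # random per user, stored in the clear next to the digest
    digest: bytes  # PBKDF2-HMAC-SHA256(password, salt)


class HashedMembershipStore:
    """Minimal store that holds only salted hashes, never passwords."""

    def __init__(self) -> None:
        self._users: dict[str, StoredCredential] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def create_user(self, username: str, password: str) -> bool:
        """Like Membership.CreateUser: returns False if the name is already taken."""
        if username in self._users:
            return False
        salt = os.urandom(SALT_BYTES)
        self._users[username] = StoredCredential(salt, self._derive(password, salt))
        return True

    def validate_user(self, username: str, password: str) -> bool:
        """Recompute the digest with the stored salt and compare in constant time."""
        cred = self._users.get(username)
        if cred is None:
            # Do the same work for unknown names so timing does not reveal which exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        return hmac.compare_digest(self._derive(password, cred.salt), cred.digest)

    def reset_password(self, username: str, new_password: str) -> bool:
        """Recovery on a hashed store means a reset: the old password cannot be read back."""
        if username not in self._users:
            return False
        salt = os.urandom(SALT_BYTES)
        self._users[username] = StoredCredential(salt, self._derive(new_password, salt))
        return True

    def dump_table(self) -> dict[str, tuple[str, str]]:
        """What someone who copied the store would see: hex salt and hex digest per user."""
        return {u: (c.salt.hex(), c.digest.hex()) for u, c in self._users.items()}


def demo() -> dict[str, bool]:
    """Exercise the store with constructed users and report the checks as booleans."""
    store = HashedMembershipStore()
    store.create_user("alice", "correct horse")
    store.create_user("bob", "correct horse")  # same password as alice, on purpose
    table = store.dump_table()
    results = {
        "alice_ok": store.validate_user("alice", "correct horse"),
        "alice_wrong_pw": store.validate_user("alice", "battery staple"),
        "unknown_user": store.validate_user("carol", "correct horse"),
        "duplicate_rejected": not store.create_user("alice", "again"),
        "same_pw_different_digest": table["alice"][1] != table["bob"][1],
        "plaintext_in_table": "correct horse" in repr(table),
    }
    store.reset_password("alice", "battery staple")
    results["old_pw_dead_after_reset"] = not store.validate_user("alice", "correct horse")
    results["new_pw_ok_after_reset"] = store.validate_user("alice", "battery staple")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The per-user random salt is what makes two identical passwords produce unrelated digests, so a leaked table cannot be cracked once and applied to every account, and the constant-time compare avoids leaking how many digest bytes matched.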
Should make building secure sites with Whidbey a breeze . . .