Security


Obviously, we need to secure this part of the website so that only band members can access it. ASP.NET offers several ways of authenticating users, selected with the mode attribute of the <authentication> element in Web.config. Here's a quick rundown:

  • Windows – The user is prompted for a Windows username and password, and the entry is checked against the Windows user account database (a local machine or domain account). Valid Windows users are allowed access to the site. The checking is actually done by IIS before ASP.NET sees the request, which is why this mode suits an intranet so well: if users already have Windows accounts, are logged on to their workstations with those accounts, and are using a Microsoft browser, they can reach the secure site without ever re-entering their credentials. The browser answers the server's challenge using the logon credentials of the workstation session (Integrated Windows authentication), so the password itself is never typed into a web page or sent across the wire. This is very convenient.

  • Forms – The user enters a username and password on a login page that you write. It is then up to you, the developer, to determine whether or not the user is valid. ASP.NET provides a simple built-in way to check the entry against a list of credentials kept in Web.config, which we'll utilize in a moment. Bear in mind that the login page receives the password as plain text in the POST request, so a forms-based login should be served over HTTPS.

  • Passport – This mode uses Microsoft's Passport single sign-in service to allow or disallow access to the site. Passport is used throughout Microsoft's own web presence and by some other vendors. Within Microsoft it is used by MSN Messenger, for example, and third-party sites such as eBay.com and Buy.com allow you to sign in with it as well.

    For more info on it, check out http://www.microsoft.com/passport.

In our example, we're going to use the Forms-based authentication. There are several reasons for this:

  • It doesn't require the users to have Windows accounts. Windows authentication is great in an intranet environment where your users already have accounts, but setting up security with it is a little more complicated, because access is ultimately controlled by file-level (NTFS) permissions on the website's folders, which have to be granted to every account that should get in.

  • Passport is overkill. Adding Passport to your site is much more complicated, and many users wouldn't want to sign up for a Passport account anyway. You'll notice that most non-Microsoft sites that accept Passport also provide an alternative sign-in method.

  • Forms-based authentication is the most flexible. You can set it up very quickly by storing credentials in the Web.config file (we'll talk about this file in a minute), or you can get much more complex and use a database to store credentials and role information that specifies exactly what a user can and cannot do within the application. Whichever store you use, keep hashed passwords rather than plain ones; the Web.config credential list supports this directly through its passwordFormat attribute.

The Configuration File

As mentioned in the previous chapter, the Web.config file holds the configuration for an ASP.NET application. We used it for the database connection string, but it has many sections, one of which holds the security options. What we'll be doing here is using those security sections to define which parts of the site are secure, and who can access those secure parts.

Each ASP.NET application on your web server can have its own Web.config file, placed in the root directory of the application it configures. Subfolders can carry their own Web.config files too, which override the parent's settings for that folder. ASP.NET refuses to serve any .config file to a browser, so the settings it contains, credentials included, cannot simply be downloaded by visitors. If you are using IIS to access this sample, you'll need to make sure that the virtual root is configured as an application. See Appendix A for more details on this.
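Here is what those security sections look like in practice, pulling together the Forms mode chosen above and the Web.config placement just described. This is an added example, not a listing from the book: the BandMembers folder name, the user name, the cookie name and the sample password are assumptions for illustration, and the hash shown is simply SHA-1 of the word "password" so the file is complete and checkable. The elements and attributes are the standard ASP.NET 1.x ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication: any request for a protected page that does not
         carry a valid authentication cookie is redirected to loginUrl.
         The cookie name and timeout (minutes) are stated explicitly rather
         than inherited from machine-wide defaults. protection="All" means the
         ticket in the cookie is both encrypted and integrity-checked. -->
    <authentication mode="Forms">
      <forms name=".BANDAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/">
        <!-- Credentials kept in Web.config, hashed so no plain password sits
             on disk. "bandmember" is an assumed user name; the value is
             SHA-1("password"), used here only as a placeholder. Generate
             real values with FormsAuthentication.HashPasswordForStoringInConfigFile
             and choose proper passwords. -->
        <credentials passwordFormat="SHA1">
          <user name="bandmember"
                password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        </credentials>
      </forms>
    </authentication>

    <!-- Site-wide default: everyone, anonymous or not, may read the public pages. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Only the BandMembers folder (assumed name) is restricted. "?" stands for
       the anonymous user; denying it sends every unauthenticated request for
       that folder to login.aspx. Authenticated users fall through to the
       site-wide allow rule above, because rules are applied first match wins. -->
  <location path="BandMembers">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The login page this file points at would check the posted name and password with FormsAuthentication.Authenticate, which hashes the entry and compares it with the <credentials> list, and on success call FormsAuthentication.RedirectFromLoginPage to issue the .BANDAUTH cookie and send the user back to the page originally requested. Two caveats: the hashes in <credentials> are unsalted, which is acceptable for the handful of accounts a band site needs but not for a large user base, where a database with salted hashes is the better home; and because the login form posts the password in plain text, the site should run over HTTPS (ASP.NET 1.1 adds a requireSSL attribute on <forms> so the cookie is never sent over plain HTTP either).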




Beginning Dynamic Websites: with ASP.NET Web Matrix (Programmer to Programmer)
ISBN: 0764543741
Year: 2003
Pages: 141