Security Server Controls

The new Membership infrastructure feature of ASP.NET simplifies the management and storage of user credentials. Using APIs, such as Membership.ValidateUser() , for Forms Authentication definitely makes things easy. However, some techniques are made even easier through the use of several new security- related server controls. For example, you can author your own login page with zero lines of code by using the new login control.

The Login Control

Figure 6.6 shows a control_login.aspx page that authenticates the user's credentials against the default Membership provider and uses the new <asp:Login runat ="server"/> control. As you can see in Figure 6.6, it looks nearly identical to the login page we built with the Membership APIs. Listing 6.9 shows the source to the control_login.aspx page.

Listing 6.9 Using the Login Control

 <html>   <body style="FONT-FAMILY: Verdana">     <H1>Validate Credentials</H1>     <hr />     <form id="Form1" runat="server">       <asp:Login id="Login1" runat="server" />     </form>   </body> </html> 

When the username and password are entered, this control will automatically attempt to log in the user by calling Membership.ValidateUser() . If successful, the control will then call the necessary FormsAuthentication .RedirectFromLoginPage API to issue a cookie and redirect the user to the page he or she was attempting to access. In other words, all the code you would have needed to write in ASP.NET 1.1 is now neatly encapsulated in a single server control!

The <asp:Login runat="server" /> control automatically hides itself if the user is logged in. This behavior is determined by the AutoHide property, set to True by default. If the login control is used with Forms Authentication and hosted on the default login page (specified in the configuration for Forms Authentication) the control will not auto-hide itself.

We can further customize the login control's UI. To preview one UI optionwe can't cover all of them in depth in this bookright-click on the login control within Visual Studio .NET "Whidbey" and select Auto Format. This will bring up the dialog box shown in Figure 6.7.

Once you've chosen an auto-format template, such as Classic, you can see the changes in the login control (see Listing 6.10).

Listing 6.10 A Formatted Login Control

 <asp:Login id="Login1"            runat="server"            font-names="Verdana"            font-size="10pt"            bordercolor="#999999"            borderwidth="1px"            borderstyle="Solid"            backcolor="#FFFFCC">   <TitleTextStyle Font-Bold="True"                   ForeColor="#FFFFFF"                   BackColor="#333399">   </TitleTextStyle> </asp:Login> 

If you desire more control over the display of the control, right-click on the control, or from the Common Tasks dialog, select Convert to Template. You'll see no changes in the rendered UI of the control. However, you will see a notable difference in the declarative markup generated for the control. For brevity we are not including the updated markup. ^[9] What you will see is a series of templates that allow you to take 100% control over the UI rendering of the control. Note that it is important that the IDs of the controls within these templates remain because the control expects to find these IDs.

^[9] One of the nice features in the Designer is a Reset feature. When you change your mind about using the template layout of the login control, you can simply select Reset from the Common Tasks menu.

While the login control simplifies authoring the login page, several other controls help us display content to users based on their login status. Let's take a look at the login status control first.

The Login Status Control

The login status control, <asp:LoginStatus runat="server" /> , is used to display whether the user is logged in or not. When the user is not logged in, the status displays a login link (see Figure 6.8). When the user is logged in, the status displays a logout link (see Figure 6.9).

Listing 6.11 shows the code required.

Listing 6.11 The LoginStatus Control

 <html>   <body style="FONT-FAMILY: Verdana">   <h1>Login Status</h1>   <hr />   <form runat="server">     <asp:LoginStatus id="LoginStatus1" runat="server" />   </form>   </body> </html> 

By default the text displayed for the link is "Login" when the user is not logged in and "Logout" when the user is logged in. ^[10] However, this text can easily be changed. To change the text, you simply need to change the LoginText or LogoutText properties of the control:

^[10] Note the handy feature in Visual Studio .NET "Whidbey" in the Common Tasks dialog, Switch Logged In Status, which allows you to toggle the view of the control in the Designer.

 <asp:LoginStatus id="Loginstatus1" runat="server"                  LoginText="Please log in"                  LogoutText="Please log out" /> 

Other properties can also be set to control the behavior of this control. For example, you can use the LoginImageUrl and the LogoutImageUrl to use images rather than text for displaying the login status. Finally, there are two properties for controlling the behavior upon logout:

• LogoutAction : This property specifies the behavior when the logout button is clicked. Options include Refresh , Redirect , and RedirectToLoginPage .

• LogoutPageUrl : When the LogoutAction is set to Redirect , the LogoutPageUrl is the location to which the browser is redirected.

Whereas <asp:LoginStatus runat="server" /> provides an easy way for the user to log in and log out, another server control, <asp:LoginView runat="server"/> , allows us to easily determine what content is shown to the user based on his or her login status.

The Login View Control

The <asp:LoginView runat="server" /> server control is used to display different output depending on the login status of the user. Furthermore, the control can also be used to display different content based on the role(s) the user belongs to. Figure 6.10 shows an example of what the control might display for an anonymous user. The code that generates this page appears in Listing 6.12.

Listing 6.12 Using the LoginView Control

 <html>   <body style="FONT-FAMILY: Verdana">   <h1>Login View and Login Name Controls</h1>   <hr />   <form runat="server">     <asp:LoginView id="Loginview1" runat="server">       <anonymoustemplate>         Unknown user please <asp:LoginStatus runat="server"                                         logintext="login" />       </anonymoustemplate>       <rolegroups>         <asp:rolegroup roles="Admin">           <contenttemplate>             This is admin only content!           </contenttemplate>         </asp:rolegroup>       </rolegroups>       <loggedintemplate>         You are logged in as: <asp:LoginName id="LoginName1"                                          runat="server" />       </loggedintemplate>     </asp:LoginView>   </form>   </body> </html> 

In the code above you can see that two templates are defined for the <asp:LoginView runat="server" /> control:

• <anonymoustemplate /> is used to control the displayed content when the user is not logged in.

• <loggedintemplate /> is used to control the displayed content when the user is logged in.

In addition to the templates, there is also a special <rolegroups /> section that allows us to create different templates that are displayed if the user is in a corresponding role or roles. If the user is logged in but no roles apply, the <loggedintemplate /> is used. ^[11]

^[11] Template evaluation for rolegroups is done top to bottom. The first matched role group is used. If no match is found, the <loggedintemplate /> is used.

You'll notice that we also made use of another control in Listing 6.12: <asp:LoginName runat="server" /> . This control simply displays the name of the logged in user. If the user is not logged in, the control does not render any output.

The last security-related server control is <asp:PasswordRecovery runat="server" /> , which is used to help users obtain their forgotten passwords.

The Password Recovery Control

The <asp:PasswordRecovery runat="server" /> control works in conjunction with the Membership system to allow users to easily recover their passwords. ^[12]

^[12] For this server control to work, your Membership configuration must be set up to allow for password recovery.

The <asp:PasswordRecovery runat="server" /> control relies on the <smtpMail /> configuration options to be correctly set to a valid SMTP serverthe control will mail the password to the user's e-mail address. By default, the <smtpMail /> section will have the SMTP mail server set to localhost and the port set to 25 (the default SMTP port).

Similar to <asp:Login runat="server" /> , this control supports auto-format and full template editing. Assuming we select an auto-format template, such as Classic, and use the default Membership settings, we should see the page shown in Figure 6.11.

Listing 6.13 presents the code that generates this page (auto-formatting removed).

Listing 6.13 Using the PasswordRecovery Control

 <html>   <body style="FONT-FAMILY: Verdana">     <H1>       Password Recovery     <hr />     </H1>     <form id="Form1" runat="server">       <asp:PasswordRecovery runat="server">         <maildefinition from="admin@mywebsite.com" />       </asp:PasswordRecovery>     </form>   </body> </html> 

If we attempt to use the control with the default Membership settingswhich do not allow password recoverywe will receive the following error:

"Your attempt to retrieve your password was not successful. Please try again."

To allow us to recover the password, we need to change some of the default membership settings. Below are the necessary changes to the <membership /> configuration settings to allow for password recovery:

• enablePasswordRetrieval="True"

• passwordFormat="Clear"

The enablePasswordRetrieval attribute must be set to True to allow for password retrieval, and the passwordFormat attribute must be set to either Clear or Encrypted . ^[13] Another alternative is that when enable PasswordReset is set to True , the new password can be e-mailed to the user.

^[13] The default passwordFormat value, Hashed , can be best thought of as one-way encryption; thus it is impossible to retrieve the original value once the value is hashed.

In addition to configuring the <membership /> configuration settings, we must specify the <maildefinition /> element of the <asp:Password Recovery runat="server" /> control. The <maildefinition /> names the address from whom e- mails are sent.

Finally, we can also use the <asp:PasswordRecovery runat= "server" /> to retrieve the user's password using the question/answer support of Membership (see Figure 6.12).

The control still requires that we enter the username first, but before simply mailing the password it will first also request the answer to the user's question.

This behavior is forced by setting the <membership /> configuration setting requiresQuestionAndAnswer to true (the default is false ). ^[14] Note that this configuration change is in addition to changing the enablePasswordRetrieval to True and setting the passwordFormat to a value other than Hashed .

^[14] You will also need to ensure that the user set a question and answer when his or her account in the Membership system was created.

Managing and storing user credentials are only one part of securely controlling access to resources within your site. In addition to validating who the user is, you need to determine whether the user is allowed to access the requested resource. The process of validating credentials is known as authentication; authorization is the process of determining whether the authenticated user is allowed to access a particular resource.

ASP.NET 1.x already provides authorization facilities, but just as we have done with Membership, there is more simplification to be done.