7.2. Authenticate Users with Forms Authentication
Note: Forms authentication, the preferred authentication mode for web applications, works just fine with the Profile service.
The lab Section 7.1 shows how you can use Windows authentication for your ASP.NET web application. While this is useful for Intranet applications, a better way to authenticate external users is to use forms authentication. In this section, you will use the Profile object together with forms authentication.
Forms Versus Windows Authentication
In forms authentication, unauthenticated requests are redirected to a Web Form using HTTP client-side redirection. The user provides a username and password and then submits the form. If the application authenticates the request, the system issues a cookie containing the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers. They are then authenticated and authorized by an ASP.NET event handler using whatever validation method the application developer specifies.
In Windows authentication, ASP.NET works in conjunction with Microsoft Internet Information Services (IIS) authentication. Authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.
It is not feasible for you to create separate Windows accounts for users accessing your application through the Internet. So, forms authentication should be used for Internet applications.
7.2.1. How do I do that?
In this lab, you will see how you can authenticate your users via forms authentication. You will add users to a web site using the ASP.NET Web Site Administration Tool. You will then use the Profile object to save the user's preferences based on the username provided at login.
Using the same project created in the last section (C:\ASPNET20\chap07-Profile), add a new folder to your project by right-clicking the project name in Solution Explorer, selecting New Folder Regular Folder, and naming the new folder Members.
Move the Default.aspx page into the Members folder.
Add a new Web Configuration File (Web.config) to the Members folder.
Finally, add a new Web Form to your project and name it Login.aspx (see Figure 7-7). Populate the form with the Login control.
Figure 7-8. The login page with the Login control
Your project should now look like the one shown in the Solution Explorer in Figure 7-8.
Figure 7-9. The project with two Web.config files
In the application Web.config, marked (1) in Figure 7-8, change the authentication mode from Windows to Forms:
Default Values in machine.config
In ASP.NET 1.x, you need to explicitly specify the name of the login page when you use forms authentication. Your code looks something like this:
<authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="Validation" timeout="999999" /> </authentication>
And so, if an anonymous user tries to load a page that is protected, he will be redirected to the Login.aspx page for authentication.
In ASP.NET 2.0, there is no need to perform this step. Rather, the above settings (plus many others) are "burned" into ASP.NET as defaults. Each application now includes three different machine.config files, all located in C:\WINDOWS\Microsoft.NET\Framework\<version>\CONFIG:
The machine.config.default file contains all the default system-wide configuration settings. To see the default settings defined in machine.config.default, check the machine.config.comments file for details. For example, the default settings for forms authentication found in machine.config.comments are:
<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseCookies" enableCrossAppRedirects="false" >
If you want to override the default settings, you should modify machine.config (for machine-wide configuration) or Web.config (for application-wide configuration). The rationale for splitting the original machine.config file into three different files is to reduce the size of machine.config and hence improve the performance.
In the Members folder Web.config, marked (2) in Figure 7-8, add the <authorization> element so that all anonymous users are denied access to the Members folder. Also, remove the <authentication> element:
<system.web> <authorization> <deny users="?" /> </authorization> ... <!-- <authentication mode="Windows"/> -->
Using the ASP.NET Web Site Administration Tool (Website ASP.NET Configuration, and then click on the Security tab), add a new user to your application (see Figure 7-9).
Figure 7-10. Adding a new user to my application
Tip: See Chapter 5 for more information on how to add a new user to your web application.
To test the application, press F5. Load the Default.aspx page located in the Members folder using a web browser. Since all unauthenticated users are denied access, you will be redirected to the Login.aspx page.
Log in using the username that you added in Step 8, and you will see the Default.aspx page. As usual, enter your first and last names and click on the Save button.
Examine the aspnet_Profile and aspnet_Users tables again. This time, you will see a second user in the table. In my case, not surprisingly, the name is "WeiMengLee," which is the username I used to log in. Contrast this to the Windows username ("WINXP2\Wei-Meng Lee") used in the previous lab, which used Windows authentication.
7.2.2. What about...
...sites that store the Default.aspx file outside of the Members folder, thereby allowing users to access the site without logging in?
Figure 7-10 shows the location of Default.aspx at such a site, namely the one we're working with in this chapter.
Figure 7-11. Moving Default.aspx out of the Members folder
If the Default.aspx file is accessed directly when the user has not yet been authenticated, trying to set the Profile properties will result in a runtime error. This is because ASP.NET requires a key to uniquely identify the user. Using the Profile object for a user that has not yet been authenticated is known as anonymous profiling. The next lab, Section 7.3, discusses this in more detail.
Retrieving Other Users' Profiles
Besides retrieving your own profile information, you can also retrieve other users' profiles by using the GetProfile( ) method.
The following example first retrieves all the members known to the application, and then uses the UserName property and the GetProfile method to retrieve the user's profile.
Dim member As MembershipUser Dim members As MembershipUserCollection = _ Membership.GetAllUsers For Each member In members Dim userProfile As ASP.HttpProfile userProfile = _ Profile.GetProfile(member.UserName.ToString) Response.Write(member.UserName & " - ") Response.Write(userProfile.FirstName & ", " & _ userProfile.LastName & "<br/>") Next
7.2.3. Where can I learn more?
To learn more about how to secure your ASP.NET web applications, check out the following article, which provides a checklist for securing your ASP.NET application: