Answers for Day 21 | Sams Teach Yourself ASP.NET in 21 Days (2nd Edition)


IOTA^_^

	Sams Teach Yourself ASP.NET in 21 Days, Second Edition By Chris Payne
	Table of Contents

	Appendix A. Answers to Quiz Questions

Quiz

1:	What's the difference between authentication and authorization?
A1:	Authentication is the first step in security. It requires the user to supply valid credentials to access an application. Authorization occurs after the user has been authenticated, and it tests user permissions against those set on resources to restrict access.
2:	What's the difference between basic and digest authentication?
A1:	Digest authentication encrypts user credentials before sending them across the network, using a one-way encoding technique known as hashing. Basic sends credentials across the network without any encryption.
3:	What's the anonymous user account's name in Windows?
A1:	`IUSR_MachineName`, where `MachineName` is the name of your Web server.
4:	Write some code to set an authorization cookie and redirect to an originating URL.
A1:	FormsAuthentication.RedirectFromLoginPage("username", false)
5:	What does the second parameter in the `SetAuthCookie` method do?
A1:	Specifies whether or not a cookie should be persisted across browser restarts, allowing a user to return to the Web site without having to log in again.
6:	Will the following code work? <configuration> <authentication mode="Forms"> <forms name="AuthCookie" loginUrl="day21/login.aspx"> </forms> </authentication> </configuration>
A1:	No, because the `authentication` element isn't wrapped in `system.web` tags. Also, even though the `<authentication>` tag is present, all users will still be able to access the files in question because there is no `<authorization>` tag to stop them.
7:	What do the wildcard characters `*` and `?` mean to ASP.NET within the authorization section of `web.config`?
A1:	`*` means all users, and `?` means the anonymous user.
8:	True or False: When impersonation is enabled, ASP.NET can operate on behalf of the operating system.
A1:	False. ASP.NET will operate on behalf of the user it impersonates.

Exercise

Q1:

Create a login page that validates user credentials against a database. Create a web.config file that uses forms authentication and directs all anonymous users to this login page.

A1:

You'll use the existing banking database you created earlier in the book. The code for the web.config file is as follows (put this in the TYASPNET21Days root folder):

 1:    <configuration> 2:       <system.web> 3:          <authentication mode="Forms"> 4:             <forms name="AuthCookie" loginUrl="login.aspx" /> 5:          </authentication> 6:          <authorization> 7:             <deny users="?" /> 8:          </authorization> 9:       </system.web> 10:    </configuration>

The code for the login page, login.aspx, is as follows:

 1:    <%@ Page Language="VB" %> 2:    <%@ Import Namespace="System.Data" %> 3:    <%@ Import Namespace="System.Data.OleDb" %> 4: 5:    <script runat="server"> 6:       sub Login(Sender as Object, e as EventArgs) 7:          dim intId as integer = 0 8:          dim Conn as new OleDbConnection("Provider=" & _ 9:                "Microsoft.Jet.OLEDB.4.0;" & _ 10:                "Data Source=c:\ASPNET\data\banking.mdb") 11: 12:          dim objCmd as OleDbCommand = new OleDbCommand _ 13:             ("SELECT UserID from tblUsers WHERE " & _ 14:             "Username = '" & tbUserName.Text & "' " & _ 15:             "AND Password = '" & tbPassword.Text & "'", Conn) 16:          dim objReader as OleDbDataReader 17: 18:          try 19:             objCmd.Connection.Open() 20:             objReader = objCmd.ExecuteReader 21: 22:             do while objReader.Read 23:                intId = objReader.GetInt32(0).ToString 24:             loop 25:          catch ex as OleDbException 26:             lblMessage.Text = ex.Message 27:          finally 28:             objReader.Close 29:             objCmd.Connection.Close() 30:          end try 31: 32:          if intID <> 0 then 33:             FormsAuthentication.SetAuthCookie(intID, false) 34:             lblMessage.Text = "<font color=red>Success! </font><p>" 35:          else 36:             lblMessage.Text = "<font color=red>Sorry, invalid username or password!</ font><p>" 37:          end if 38:       end sub 39:    </script> 40: 41:    <html><body> 42:       <form runat="server"> 43: 44:          <asp:Label  runat="server" /> 45: 46:          Username: 47:          <asp:Textbox  runat="server" /> 48:          Password: 49:          <asp:Textbox  TextMode="password" 50:             runat="server" /><p> 51:          <asp:Button  runat="server" 52:             onClick="Login" text="Submit" /> 53:       </form> 54:    </body></html>


IOTA^_^

Top