21.8 Creating Login Pages with Web Forms Authentication


You want to create a login page that uses Web Forms authentication and to which Web site visitors are always redirected if they access a resource to which they do not have permission.


Technique

To create a login page that uses Web Forms authentication, you first create the Web page itself and then modify the Web application's web.config file so that it uses forms authentication and directs visitors to the login page as appropriate. The design of the login page is a matter of personal preference, but typically you create a page called login.aspx, which will probably look something like Figure 21.8.

Figure 21.8. A typical Web Forms login page.


Once you create this page, the most significant part of the code is the event handler for the Login button. This handler needs to check the username and password and authenticate the user only if the credentials are correct. One technique could look like Listing 21.4.

Listing 21.4 Handling a Login Event
using System.Web.Security;   // at the top of the code-behind file; FormsAuthentication lives here

private void BtnLogin_Click(object sender, System.EventArgs e)
{
        // tbUsername and tbPassword are the TextBox controls,
        // cbRememberMe is the Remember Me CheckBox
        if (tbUsername.Text == "simon" && tbPassword.Text == "password")
        {
                bool rememberMe = cbRememberMe.Checked;
                // Issue the authentication ticket and send the user back
                // to the page that was originally requested
                FormsAuthentication.RedirectFromLoginPage(
                        tbUsername.Text, rememberMe);
        }
        else
        {
                // lblError is an (initially blank) Label control that
                // can be used to display an error message
                lblError.Text =
                        "Login failed. Incorrect username or password";
        }
}

Here, we hard-coded a specific user and password check, but in practice you will check the credentials against some database of registered users. Store a salted hash of each password in that database rather than the password itself, so that a copy of the table does not hand an attacker every account. The key part of the code is the call to the static method RedirectFromLoginPage(), defined in the class System.Web.Security.FormsAuthentication. Calling this method does two things: it issues the forms-authentication ticket (the cookie) that tells the ASP.NET runtime the user has logged in under the username supplied as the first parameter, and it redirects the browser to the page the user had originally been trying to access, which ASP.NET recorded in the ReturnUrl query-string parameter when it sent the user to the login page (or to the application's default page if no ReturnUrl is present). Because ReturnUrl arrives in the query string, treat it as untrusted input like any other. The second parameter is a bool that indicates whether a persistent cookie identifying the user should be written to the browser's machine so that the user stays logged in across browser sessions; as Listing 21.4 shows, this value is typically taken from a Remember Me or similar check box on the login page.
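Listing 21.4 compares a plaintext password and lets RedirectFromLoginPage() follow the return URL unchecked. The following code-behind is an added example, not code from the book or from Microsoft, showing the shape a production handler usually takes: credentials are looked up in a table keyed by username that stores a random salt and a SHA-256 hash rather than the password, the hash comparison runs in fixed time, and the ticket is issued with SetAuthCookie() so that the return URL obtained from GetRedirectUrl() can be restricted to a site-relative path before the redirect. The Users table, the sample user "simon", the MakeRecord()/Verify() helpers and the IsLocalUrl() check are all constructed for this example; a real application would load the salt and hash from its database.

```csharp
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: login code-behind that verifies a salted password hash
// and only follows same-site return URLs. Not the book's own code.
public class LoginPage : Page
{
    protected TextBox tbUsername;
    protected TextBox tbPassword;
    protected CheckBox cbRememberMe;
    protected Label lblError;

    // Stand-in for the registered-users database: username -> "salt:hash".
    // A real application persists these records; here the sample user is
    // constructed when the class loads, so the salt changes on each restart.
    private static readonly Hashtable Users = new Hashtable();

    static LoginPage()
    {
        Users["simon"] = MakeRecord("password");   // constructed sample user
    }

    protected void BtnLogin_Click(object sender, EventArgs e)
    {
        string user = tbUsername.Text;
        string record = Users[user] as string;

        if (record != null && Verify(tbPassword.Text, record))
        {
            bool persist = cbRememberMe.Checked;
            // Issue the forms-authentication ticket ourselves so that the
            // return URL can be vetted before the browser is sent there.
            FormsAuthentication.SetAuthCookie(user, persist);
            string target = FormsAuthentication.GetRedirectUrl(user, persist);
            if (!IsLocalUrl(target))
                target = "/";          // never bounce the browser off-site
            Response.Redirect(target, true);
        }
        else
        {
            // Same message for unknown user and wrong password, so the
            // response does not reveal which usernames exist.
            lblError.Text = "Login failed. Incorrect username or password";
        }
    }

    // Accept only application-relative paths as a redirect target
    // ("//host" and "/\host" are protocol-relative and must be rejected).
    private static bool IsLocalUrl(string url)
    {
        return url != null && url.StartsWith("/")
               && !url.StartsWith("//") && !url.StartsWith("/\\");
    }

    // Produce "salt:hash" with a fresh random salt; store this, not the password.
    public static string MakeRecord(string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Hash(password, salt);
    }

    // Recompute the hash with the stored salt and compare in fixed time.
    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        return FixedTimeEquals(Hash(password, salt), parts[1]);
    }

    private static string Hash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        SHA256 sha = new SHA256Managed();
        return Convert.ToBase64String(sha.ComputeHash(input));
    }

    // Compare without stopping at the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire BtnLogin_Click to the button's Click event exactly as you would for Listing 21.4. On .NET 2.0 and later, prefer a deliberately slow key-derivation function such as Rfc2898DeriveBytes (PBKDF2) to the single SHA-256 round in Hash(), so that an attacker who obtains the table cannot test guesses cheaply.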

For obvious security reasons, you want the login page, which carries the username and password in the POST body, to be served only over HTTPS. Typically, you do so by placing it in a directory that Internet Information Services (IIS) is configured to require SSL for. Bear in mind that this alone does not protect the authentication cookie issued afterwards: if the rest of the site is served over plain HTTP, the browser sends that cookie in the clear on every subsequent request, where it can be captured and replayed. To prevent that, serve the protected pages over HTTPS as well and set the requireSSL attribute on the <forms> element (available from ASP.NET 1.1), which marks the cookie as Secure so the browser returns it only over HTTPS.

Next, you need to set up the web.config file to enable forms authentication. The relevant part of the file should look like this:

 
<authentication mode="Forms">
        <forms name="TestLoginPage1" path="/"
               loginUrl="/TestLoginPage/Login.aspx"></forms>
</authentication>

The <authentication> tag indicates details of how we authenticate users, and setting the mode to Forms indicates we will be using a Web Form for this purpose. Then, the <forms> tag supplies a number of pieces of information, of which the main ones follow:

  • name is the name of the cookie that carries the authentication ticket and identifies the user.

  • path is the path attribute of that cookie, which limits the URLs the browser sends it to. Most browsers treat the path case-sensitively, so / (the whole site) is the safe choice.

  • loginUrl is the URL of the login page to which unauthenticated requests for protected resources are redirected.

The documentation details a number of other optional parameters.

Finally, we need to specify which users are allowed to access resources. In the simplest case, in which anonymous users may not access any page but every authenticated user may access everything, the XML code would look like this:

 
<authorization>
        <deny users="?"></deny>
        <allow users="*" /> <!-- Allow all users -->
</authorization>

Note that the string ? indicates any unauthenticated user, whereas * indicates any user.

Comments

The elements inside the <authorization> element are processed in order until one gives a definite result about whether the current user may access the current resource, so earlier elements always override later ones. This makes the order in the example above significant: with <allow users="*" /> placed first, every request, including an anonymous one, would be allowed and the <deny users="?"> rule would never be reached. Rules inherited from web.config files in parent directories, and ultimately from the machine-level configuration (which allows all users), are evaluated after the application's own rules, so an application that writes no <deny> rule at all allows everyone. You can set different rules for different pages either by putting pages in different directories, each with its own web.config file, or by placing the <authorization> element inside a <location> element whose path attribute names an individual file or directory.
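Putting the pieces together, here is a complete web.config, written as an added example rather than taken from the book, that combines the <authentication>, <forms> and <authorization> settings from this section with the two per-resource techniques just described. It assumes a public Register.aspx page and an Admin subdirectory that only the user simon from Listing 21.4 may enter; both are invented for the illustration. The requireSSL and slidingExpiration attributes exist from ASP.NET 1.1 onwards.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example configuration, not the book's own web.config. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and signs the ticket;
           requireSSL="true" marks the cookie Secure, so every protected
           page must be served over HTTPS, not just the login page.
           slidingExpiration="false" makes the 30-minute timeout absolute. -->
      <forms name="TestLoginPage1"
             path="/"
             loginUrl="/TestLoginPage/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Rules are evaluated top to bottom and the first match wins.
         Keep deny before allow: swapping these two lines admits everyone,
         because "*" matches the anonymous user as well. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-file override (assumed page): registration stays open to
       anonymous visitors, who could not otherwise create an account. -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-directory override (assumed directory): only simon may enter
       /Admin; the trailing deny stops the site-wide allow from applying. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="simon" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The rules inside a <location> element are evaluated before the application-wide <authorization> block for the named resource, which is why the Admin section needs its own closing <deny users="*" />: without it, evaluation would fall through to the site-wide <allow users="*" /> and let any authenticated user in.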



Microsoft Visual C# .Net 2003
ISBN: 7508427505
Year: 2003
Pages: 440