Dec 21, 2005
Built-in Forms Authentication - description
Posted by admin under ASP.NET articles
As you surely already know, ASP.NET gives us developers a pretty comprehensive security and login model, and when you look at a complete solution it's pretty easy to understand and use.
However, I think the model is not all that intuitive. Maybe I'm getting old or just stupid, but I never seem to remember WHICH lines to put in web.config and WHERE.
Hence this article. It's as much for me as for you readers. By writing it, I won't have to search my existing projects for a working Forms Authentication solution each time I need to implement it in a new project - instead I can surf up to this site and have a look.
Problem: We want to implement a login solution for all files in the directory webroot/admin/. All other pages should be public.
Solution
1. Modify web.config
<system.web>
  ...
  <authentication mode="Forms">
    <forms name="mylogin" loginUrl="admin/login.aspx" />
  </authentication>
  <authorization>
    <allow users="*" />
  </authorization>
  ...
</system.web>
These elements are already present in every web.config created through a Visual Studio project, so what we have done above is change EXISTING ones (note that element and attribute names in web.config are case-sensitive, so loginUrl must be spelled exactly like that). What does it mean?
<authentication mode="Forms">
  <forms name="mylogin" loginUrl="admin/login.aspx" />
</authentication>
This tells ASP.NET to redirect to admin/login.aspx whenever authentication needs to be done.
Next we tell ASP.NET which users are allowed:
<authorization>
  <allow users="*" />
</authorization>
As you can see, all users are allowed. And that can't be correct, can it? Yes, it is. We want people in general to be able to access our site, except for the directory "admin" - and that's what we are gonna do now:
<configuration>
  ...
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  ...
</configuration>
NOTE that this <location> element goes directly under the <configuration> tag and not under <system.web>.
Here we say that for a certain location (path="admin" points out the admin subdirectory) anonymous users are denied - the "?" wildcard means "not logged in", whereas "*" means everyone - so nobody gets in unless they are logged in. Keep in mind that this rule only applies to requests that ASP.NET actually handles: on IIS 6 a static file in admin/ (for example .html or .txt) is served by IIS directly unless that extension is mapped to ASP.NET, so it is not protected by the rule. Now let's add the allowed users. Let's go back to the <authentication> tag and enter user ids and passwords:
<authentication mode="Forms">
  <forms name="mylogin" loginUrl="admin/login.aspx">
    <credentials passwordFormat="Clear">
      <user name="kalle" password="kallepwd" />
      <user name="pelle" password="pellepwd" />
    </credentials>
  </forms>
</authentication>
Now this is what happens: whenever someone surfs up to the admin subdirectory, ASP.NET keeps redirecting to admin/login.aspx until a successful login has been made. Note that passwordFormat="Clear" means the passwords are stored in plaintext in web.config; the other accepted values are SHA1 and MD5, in which case the password attribute holds the hex digest and FormsAuthentication.Authenticate hashes the submitted password before comparing.
Let's look at login.aspx. It just contains simple user id and password textboxes and a button to log in:
<table>
<tr>
<td><asp:Label id="lblID" runat="server">ID:</asp:Label></td>
<td><asp:TextBox id="txtID" runat="server"></asp:TextBox></td>
</tr>
<tr>
<td><asp:Label id="lblPwd" runat="server">Password:</asp:Label></td>
<td><asp:TextBox id="txtPwd" runat="server" TextMode="Password"></asp:TextBox></td>
</tr>
<tr>
<td colspan="2" align="center"><asp:Button id="btnLogin" runat="server" Text="Log in"></asp:Button> </td>
</tr>
</table>
<asp:Label id="LabelError" runat="server" ForeColor="Red"></asp:Label>
And let's look at the code that runs when the button is clicked:
// The code-behind needs "using System.Web.Security;" for FormsAuthentication.
private void btnLogin_Click(object sender, System.EventArgs e)
{
    // Authenticate() checks the submitted pair against the <credentials> list in web.config
    if ( FormsAuthentication.Authenticate(txtID.Text, txtPwd.Text) )
    {
        // OK: issue the forms authentication cookie and send the user back to the page
        // that originally required the login (the ReturnUrl query parameter).
        // The second argument "false" means a session cookie only, not a persistent one.
        FormsAuthentication.RedirectFromLoginPage(txtID.Text, false);
    }
    else
    {
        LabelError.Text = "Error logging in";
    }
}
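As an added example (not code from the original post), here is a small console utility that generates the <credentials> block for web.config with SHA1 digests instead of passwordFormat="Clear", so the plaintext passwords no longer have to sit in the config file. It assumes a .NET Framework project that references System.Web.dll; the two demo accounts are the ones used in the article.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Text;
using System.Web.Security;

class CredentialsGenerator
{
    // Returns a <credentials> element ready to paste inside <forms> in web.config.
    // format is "Clear", "SHA1" or "MD5", the values ASP.NET accepts for passwordFormat.
    public static string BuildCredentials(IDictionary<string, string> users, string format)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("<credentials passwordFormat=\"{0}\">", format).AppendLine();
        foreach (KeyValuePair<string, string> u in users)
        {
            // For SHA1/MD5, HashPasswordForStoringInConfigFile returns the hex digest
            // that FormsAuthentication.Authenticate later compares against.
            string stored = format == "Clear"
                ? u.Value
                : FormsAuthentication.HashPasswordForStoringInConfigFile(u.Value, format);
            // Escape so that quotes or angle brackets in a value cannot break the XML
            sb.AppendFormat("  <user name=\"{0}\" password=\"{1}\" />",
                SecurityElement.Escape(u.Key), SecurityElement.Escape(stored)).AppendLine();
        }
        sb.Append("</credentials>");
        return sb.ToString();
    }

    static void Main()
    {
        // Same demo accounts as the article; run this once and paste the output into web.config
        Dictionary<string, string> users = new Dictionary<string, string>();
        users["kalle"] = "kallepwd";
        users["pelle"] = "pellepwd";
        Console.WriteLine(BuildCredentials(users, "SHA1"));
    }
}
```

The login code on the page needs no change: with passwordFormat="SHA1" in web.config, FormsAuthentication.Authenticate hashes txtPwd.Text itself before comparing.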