Published on ONDotNet.com (http://www.ondotnet.com/)

ASP.NET Forms Security

by Jesse Liberty, coauthor of Programming ASP.NET, 2nd Edition

"Wow!" That is my honest opinion about the level of support built into ASP.NET 2.0 for forms-based security. To see how easy it is to provide login screens and authentication, you only need to put together a relatively small application and compare the work you have to do in 2.0 with the work you would have had to do in 1.1.

Rather than belabor the point, we'll just walk through an example using the May 2005 Community Edition available for download from Microsoft for Universal MSDN subscribers, people who went to TechEd, and a few other friends of Bill. Because some of you may not have access to Visual Studio .NET 2005, I'll provide numerous screen shots as I walk through the application.

To begin, create an empty directory called WebFormSecurity. In the IIS manager (accessed through the control panel), create a virtual directory to point to the WebFormSecurity folder, and after it is created, click Properties. In the Properties window, click on the ASP.NET tab, and then click Edit Configuration. Click on the Authentication Tab and set the Authentication Mode to Forms, as shown in Figure 1.

Figure 1.

If you return to the directory you created, you'll find that a web.config file has been created for you, with a configuration section in which the authentication mode is set to forms. Now fire up Visual Studio .NET and create a new web site named WebFormsSecurity in C#, as shown in Figure 2.
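For readers without access to the IDE, the following is a web.config fragment of the kind the configuration editor produces, with a few hardening attributes added. This is a constructed example rather than the file the tool generated for the article; the loginUrl value, cookie name, timeout and the protected "Members" folder are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication, as the IIS configuration editor sets it up.
         loginUrl names the page anonymous users are sent to when they
         request something they may not see; the remaining attributes
         are hardening choices with constructed values. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".WEBFORMSECURITYAUTH"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Flag all cookies HttpOnly so page script cannot read the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- The root (Default.aspx) stays reachable anonymously, because the
         LoginView control decides what each kind of visitor sees. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Hypothetical protected folder: anonymous requests ("?") for anything
       under it are redirected to loginUrl with a ReturnUrl parameter. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" the authentication cookie is only issued over HTTPS, so a test site that runs over plain HTTP needs that attribute set to "false" until a certificate is in place.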

Figure 2.

ASP.NET 2.0 will create a new web site for you and will create a Default.aspx page, as well. Your goal will be to have two pages: a default page that displays different information to users who are logged in than to users who are not yet logged in, and a login page that allows the user to log in.

In order to have users log in, however, you must first create a database of users. To do so, you'll want a page that lets your users create an account. Let's start there by creating a new page called CreateAccount.aspx. Right-click on the project and choose New Item. Create the new page, as shown in Figure 3.

Figure 3.

The Create User Wizard

Click on the design tab for your page, and then click on the Security tab in the toolbox. Drag an instance of CreateUserWizard onto your page, as shown in Figure 4.

Figure 4.

As you can see, this is a very powerful control. It prompts the user for a username, a password (twice), an email address, and a security question and answer. All of this is configurable through the HTML that is created by this control.

Click on the control and scroll through the properties to find the ContinueDestinationPageURL. Click the Browse button and choose the CreateAccount.aspx page, so that you'll be brought back to the same page after the new user is confirmed. Finally, set the CreateAccount.aspx page as your Start page, and fire up the application. You will be prompted to add a new user, as shown in Figure 5.

Figure 5.

Click the Create User button. You should see a confirmation screen and a button marked Continue. Clicking Continue will bring you back to the Create Account form to add another user. Add a few; you'll find that it won't let you enter the same username twice, that the two passwords must match, and that the required fields must have text. All of this is managed by Field Validator controls within the HTML created by the wizard control.


The User Database

Take a look at your Solution Explorer. You should now have a folder named Data with a plus mark next to it (if not, use the menu command View -> Refresh). Opening the Data folder (by clicking on the plus mark) shows that an Access database has been created for you (it is possible to change the wizard to use a SQL Server database instead). Double-clicking on the .mdb file reveals that the wizard has created quite a few useful tables for you, as shown in Figure 6.

Figure 6.

And ... presto! Instant security database. You are now ready to test whether users must log in or not. To do so, return to the default page and drag a LoginStatus control from the Security panel of the toolbox onto your form. Set Default.aspx as the start page, and rerun the application. If you hover over the Login link, you'll see that it will take you to a page named Login.aspx. Create that page now, as a new .aspx page.

Creating A Login Page

The purpose of Login.aspx is to prompt you for your username and password. Again, all you need to do on the Login.aspx page is drag a Login control from the Security tab of the toolbox onto the page. The little menu that pops up next to the control allows you to pick a format. Click on Auto Format... and choose Elegant to make a nice-looking login box. Switch to HTML to see that the Login control is entirely configurable.

Before testing this, let's make sure that the default page can reflect the change as to whether or not the user is currently logged in. Return to Default.aspx and drag a LoginView object from the Security tab of the toolbox onto your form. You'll find that this control has two views controlled by templates, as shown in Figure 7.

Figure 7.

Start by setting the view to AnonymousTemplate and clicking in the box to enter some text (e.g., "You are not yet logged in."). Then switch to the LoggedInTemplate and click in the box to enter what the user will see once logged in. Type the word "Hello", and then drag a LoginName object right into the LoginView object so that the user's name will be displayed, as shown in Figure 8.

Figure 8.

Note in Figure 8 that I've highlighted the UserName object to make it easier to see.

When you run the application, the LoginStatus object creates a hyperlink that says Login, and the LoginView object shows your anonymous text, as shown in Figure 9.
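For reference, this is the server-form markup that the drag-and-drop steps above produce in Default.aspx. It is a constructed example, not the page's own source; the control IDs are assumptions, and the surrounding Page directive and HTML skeleton are omitted.

```xml
<!-- Inside Default.aspx: the server form holding the three security controls. -->
<form id="form1" runat="server">
  <!-- Renders a "Login" link for anonymous visitors and "Logout" for
       authenticated ones. The Login link points at the loginUrl from
       web.config and carries a ReturnUrl parameter naming this page. -->
  <asp:LoginStatus ID="LoginStatus1" runat="server" />

  <!-- Exactly one template is rendered, chosen by whether the current
       request carries a valid forms-authentication ticket. -->
  <asp:LoginView ID="LoginView1" runat="server">
    <AnonymousTemplate>
      You are not yet logged in.
    </AnonymousTemplate>
    <LoggedInTemplate>
      Hello,
      <!-- LoginName writes the authenticated user's name; FormatString
           lets you fold the greeting into the control instead. -->
      <asp:LoginName ID="LoginName1" runat="server" />
    </LoggedInTemplate>
  </asp:LoginView>
</form>
```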

Figure 9.

Clicking on the link brings you to the Login.aspx page, displaying the login object you've created, as shown in Figure 10.

Figure 10.

Notice that the URL in Figure 10 contains a ReturnURL parameter, which allows the login page to redirect you back to the page you came from once you've logged in. In a more complex application, you can require a login from any number of other pages, and once the user has logged in, return them to where they were so they can continue their work.

Try entering a bogus name or an incorrect password; you'll find a polite (configurable) error message. Next, enter a valid username and password; you are returned to the Default.aspx page, but this time the LoggedInTemplate is used, and the LoginStatus object offers you the ability to log out, as shown in Figure 11.

Figure 11.

That's it: web forms security, and you have not written a single line of code. As I said, "Wow!"

In my next column, I'll take a look at more advanced topics in web forms security, but you can already see that the ASP.NET 2.0 team has gone a long way towards their goal of 75 percent less coding by providing robust, configurable controls that handle the common non-trivial tasks of building a web application.

Jesse Liberty is a senior program manager for Microsoft Silverlight, where he is responsible for the creation of tutorials, videos and other content to facilitate the learning and use of Silverlight. Jesse is well known in the industry in part because of his many bestselling books, including O'Reilly Media's Programming .NET 3.5, Programming C# 3.0, Learning ASP.NET with AJAX and the soon-to-be-published Programming Silverlight.


Copyright © 2009 O'Reilly Media, Inc.