ASP.NET Forms Security
The User Database
Take a look at your solution explorer. You should now have a folder named Data with a plus mark next to it (if not, use the menu command View -> Refresh). Opening the Data folder (by clicking on the plus mark) shows that an Access database has been created for you (it is possible to change the wizard to use a SQL Server database instead). Double-clicking on the .mdb file reveals that the wizard has created quite a few useful tables for you, as shown in Figure 6.
And ... presto! Instant security database. You are now ready to test whether users must log in or not. To do so, return to the default page, and drag a LoginStatus control from the security panel of the toolbox onto your form. Set the default .aspx page to be the start page, and rerun the application. If you hover over the Login link, you'll see that it will take you to a page named Login.aspx. Create that page now, as a new .aspx page.
Creating A Login Page
The purpose of Login.aspx is to prompt you for your username and password. Again, all you need do on the Login.aspx page is drag a Login control from the security tab of the toolbox onto the page. The little menu that pops up next to the control allows you to pick a format. Click on Auto Format... and choose Elegant to make a nice-looking login box. Switch to HTML to see that the Login control is entirely configurable.
Before testing this, let's make sure that the default page can reflect whether or not the user is currently logged in. Return to Default.aspx and drag a LoginView object from the Security tab of the toolbox onto your form. You'll find that this control has two views controlled by templates, as shown in Figure 7.
Start by setting the view to AnonymousTemplate and clicking in the box to enter some text (e.g., "You are not yet logged in."). Then switch to the LoggedInTemplate and click in the box to enter what the user will see once logged in. Type the word "Hello", and then drag a LoginName object right into the LoginView object so that the user's name will be displayed, as shown in Figure 8.
Note in Figure 8 that I've highlighted the UserName object to make it easier to see.
When you run the application, the LoginStatus object creates a hyperlink that says Login, and the LoginView object shows your anonymous text, as shown in Figure 9.
Clicking on the link brings you to the Login.aspx page, displaying the login object you've created, as shown in Figure 10.
Notice that the URL in Figure 10 contains a ReturnURL setting to allow the page to redirect you back to the page from which you came once you've logged in. In a more complex application, you can check that the user is not logged in from any number of other pages, and once they are logged in, return them to where they were, to continue their work.
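An added example, not code from the original article: the ReturnURL value arrives in the query string, so login code you write yourself (rather than relying on the Login control) should redirect only to paths inside the site and fall back to a known page otherwise. ReturnUrlGuard and its members are hypothetical names, and the sample values are constructed.

```csharp
using System;

// Added example; ReturnUrlGuard and its members are hypothetical names.
public static class ReturnUrlGuard
{
    // True only for a path inside this site, such as "/Default.aspx".
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // Require a leading '/' so absolute URLs ("http://...") are refused.
        if (url[0] != '/') return false;
        // "//host" and "/\host" are treated by browsers as another site.
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        // Control characters (CR, LF, tab) have no place in a redirect target.
        foreach (char c in url)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    // Pick the redirect target: the requested page if local, else the fallback.
    public static string Resolve(string returnUrl, string fallback)
    {
        return IsLocalPath(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample values, as they would arrive in the query string.
        string[] samples =
        {
            "/Default.aspx",
            "/Reports/Monthly.aspx?year=2005",
            "http://other.example/Default.aspx",
            "//other.example/Default.aspx",
            "/\\other.example/Default.aspx",
            "",
            null
        };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-40} -> {1}", s ?? "(null)", Resolve(s, "/Default.aspx"));
        }
    }
}
```

Only the first two samples are kept as the redirect target; every other value resolves to the fallback page.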
Try entering a bogus name or an incorrect password, and you'll find a polite (configurable) error message. Next, enter a valid username and password; you are returned to the Default.aspx page, but this time the LoggedInTemplate is used, and the LoginStatus object offers you the ability to log out, as shown in Figure 11.
That's it: web forms security, and you have not written a single line of code. As I said, "Wow!"
In my next column, I'll take a look at more advanced topics in web forms security, but you can already see that the ASP.NET 2.0 team has gone a long way towards their goal of 75 percent less coding by providing robust, configurable controls that handle the common non-trivial tasks of building a web application.
Jesse Liberty is a senior program manager for Microsoft Silverlight where he is responsible for the creation of tutorials, videos and other content to facilitate the learning and use of Silverlight. Jesse is well known in the industry in part because of his many bestselling books, including O'Reilly Media's Programming .NET 3.5, Programming C# 3.0, Learning ASP.NET with AJAX and the soon to be published Programming Silverlight.