Using Forms Authentication
In the last example, I used Windows authentication for my ASP.NET web application. While this is useful for intranet applications, a better way to authenticate external users would be to use forms authentication. In this section, I will show you how to use personalization together with forms authentication.
Add a new folder to your project (right-click your project name in Solution Explorer and select New Folder) and name it "Members." Move the default.aspx page created in the previous section into the Members folder. Add a new web configuration file to the Members folder. Finally, add a new web form to your project and name it login.aspx (see Figure 7). Populate the form with the Login control.
Figure 7. The login.aspx page with the Login control
Your Solution Explorer should look like Figure 8.
Figure 8. Files and folders in Solution Explorer
Change the authentication mode from Windows to Forms in web.config (1) and specify the login page for the site as login.aspx:
    <authentication mode="Forms">
       <forms name=".ASPXAUTH"
          loginUrl="login.aspx"
          protection="Validation"
          timeout="999999" />
    </authentication>
In web.config (2), add in the following:
    <system.web>
       <authorization>
          <deny users="?" />
       </authorization>
       ...
Essentially, this means that all anonymous users will be denied access to the Members folder.
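The forms element shown for web.config (1) uses protection="Validation", which signs the authentication ticket but does not encrypt it, and timeout="999999", which is measured in minutes and keeps a ticket valid for nearly two years. The following is an added example, not part of the original article, showing the same root web.config with tighter cookie settings. The 30-minute timeout and the assumption that the site is served over HTTPS are mine; adjust both for your site.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config (1) with a hardened forms element.
     timeout="30" and requireSSL="true" are assumed values, not the article's. -->
<configuration>
  <system.web>
    <!--
      Article's original attributes, for comparison:
        protection="Validation"  ticket is signed but readable by anyone who holds the cookie
        timeout="999999"         ticket lifetime in minutes, roughly 694 days

      Attributes used below:
        protection="All"         ticket is both encrypted and validated (the framework default)
        timeout="30"             ticket expires after 30 minutes (assumed value)
        slidingExpiration="true" lifetime is renewed while the user stays active
        requireSSL="true"        cookie is only sent over HTTPS (assumes the site uses HTTPS)
        cookieless="UseCookies"  ticket is never placed in the URL
    -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```

With requireSSL="true", the login page itself must be requested over HTTPS, otherwise the browser will not return the authentication cookie and the user is sent back to login.aspx.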
Let's add a new user to the web site. To do so, go to Website -> ASP.NET Configuration in Visual Studio 2005, and under the Users section, click on Create user. In Figure 9, I have entered a user name.
Figure 9. Adding a new user to the site
You are now ready to test the application.
Load the default.aspx page located in the Members folder using a web browser. Since all unauthenticated users are denied access, you will be redirected to the login.aspx page. Log in using the user name that you have just created, and you will see the default.aspx page. As usual, enter your first and last names and click on the Save button.
Let's now examine the aspnet_Profile table again (see Figure 10). This time around, you will see a second row in the table. This row belongs to the "WeiMengLee" user, which is the user name you used to log in. Contrast this to the Windows user name "WINXP\Wei-Meng Lee" used in the earlier example (using Windows authentication).
Figure 10. Examining the
You might wonder what happens if the file default.aspx is located outside of the Members folder and a user accesses it directly without logging in. Figure 11 shows the location of default.aspx.
Figure 11. Moving default.aspx out of the Members folder
If default.aspx is accessed directly when the user has not yet been authenticated, trying to set the Profile properties will result in a runtime error. This is because ASP.NET requires an ID to identify the user. Personalization for a user who has not yet been authenticated is known as anonymous personalization. The next section will discuss this in more detail.