Back to list of Articles
Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com
Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication
Forms Authentication using XML file
Now let's create simple login page (for users registration) which compares entered user name and password with the data from XML file. First create XML file named users.xml as follows:
users.xml:
<?xml version=�1.0� encoding=�utf-8� ?>
<users>
<user>
<name>John</name>
<password>one</password>
</user>
<user>
<name>Mike</name>
<password>two</password>
</user>
<user>
<name>Bill</name>
<password>three</password>
</user>
</users>
User database is ready - now we can start creating test user registration project. Below is the sourcecode:
Default.aspx:
<%@ Page Language=�vb� AutoEventWireup=�false� Codebehind=�default.aspx.vb� Inherits=�FormAuth._default�%>
<!DOCTYPE HTML PUBLIC �-//W3C//DTD HTML 4.0 Transitional//EN�>
<html>
<head>
<title>default</title>
<meta name=�GENERATOR� content=�Microsoft Visual Studio .NET 7.1�>
<meta name=�CODE_LANGUAGE� content=�Visual Basic .NET 7.1�>
<meta name=vs_defaultClientScript content=�JavaScript�>
<meta name=vs_targetSchema content=�http://schemas.microsoft.com/intellisense/ie5�>
</head>
<body MS_POSITIONING=�GridLayout�>
<form id=�Form1� method=�post� runat=�server�>
</form>
</body>
</html>
Default.aspx.vb:
Imports System.Web.Security
Public Class _default
Inherits System.Web.UI.Page
#Region � Web Form Designer Generated Code �
�This call is required by the Web Form Designer.
<System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
End Sub
�NOTE: The following placeholder declaration is required by the Web Form Designer.
�Do not delete or move it.
Private designerPlaceholderDeclaration As System.Object
Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
�CODEGEN: This method call is required by the Web Form Designer
�Do not modify it using the code editor.
InitializeComponent()
End Sub
#End Region
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
�Put user code to initialize the page here
If context.Current.User.Identity.Name = �� Then
Response.Redirect(�login.aspx�)
Else
Response.Write(�<h2><I>Hello � & context.Current.User.Identity.Name & �</I></h2>�)
End If
End Sub
End Class
login.aspx:
<%@ Page Language=�vb� AutoEventWireup=�false� Codebehind=�login.aspx.vb� Inherits=�FormAuth.WebForm1�%>
<!DOCTYPE HTML PUBLIC �-//W3C//DTD HTML 4.0 Transitional//EN�>
<HTML>
<HEAD>
<title>Registration</title>
<meta name=�GENERATOR� content=�Microsoft Visual Studio .NET 7.1�>
<meta name=�CODE_LANGUAGE� content=�Visual Basic .NET 7.1�>
<meta name=�vs_defaultClientScript� content=�JavaScript�>
<meta name=�vs_targetSchema� content=�http://schemas.microsoft.com/intellisense/ie5�>
</HEAD>
<body MS_POSITIONING=�GridLayout�>
<form id=�Form1� method=�post� runat=�server�>
<table border>
<tr>
<td>Name</td>
<td><asp:TextBox ID=�txtName� Runat=server></asp:TextBox></td>
</tr>
<tr>
<td>Password</td>
<td><asp:TextBox ID=�txtPassword� Runat=server TextMode=Password>
</asp:TextBox></td>
</tr>
<tr>
<td colspan=2 align=right><asp:Button ID=�btnLogin� Text=�Login�
Runat=server></asp:Button></td>
</tr>
</table>
<p><asp:Label ID=�lbl� Runat=server Visible=False ForeColor=Maroon Font-Bold=True>
Authentication failed</asp:Label></p>
</form>
</body>
</HTML>
login.aspx.vb:
Imports System.Xml
Imports System.Web.Security
Public Class WebForm1
Inherits System.Web.UI.Page
Protected WithEvents txtName As System.Web.UI.WebControls.TextBox
Protected WithEvents txtPassword As System.Web.UI.WebControls.TextBox
Protected WithEvents lbl As System.Web.UI.WebControls.Label
Protected WithEvents btnLogin As System.Web.UI.WebControls.Button
#Region " Web Form Designer Generated Code "
'This call is required by the Web Form Designer.
<System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
End Sub
'NOTE: The following placeholder declaration is required by the Web Form Designer.
'Do not delete or move it.
Private designerPlaceholderDeclaration As System.Object
Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
'CODEGEN: This method call is required by the Web Form Designer
'Do not modify it using the code editor.
InitializeComponent()
End Sub
#End Region
Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
Dim xd As New XmlDocument, xr As XmlNodeReader
Dim sName As String, sPass As String
' Opening XML file
xd.Load(Server.MapPath("users.xml"))
' Activate XmlNodeReader
xr = New XmlNodeReader(xd.Item("users"))
' Look for the user we need
While xr.Read
If xr.Name = "name" And xr.NodeType = XmlNodeType.Element Then
sName = xr.ReadString
' If username is wrong, go to the next
If sName <> txtName.Text Then xr.Skip()
ElseIf xr.Name = "password" And xr.NodeType = XmlNodeType.Element Then
If xr.ReadString() = txtPassword.Text Then
' If passwords are the same, it means authentication was succesfull
FormsAuthentication.RedirectFromLoginPage(txtName.Text, True)
Else
' If no, go to another user
xr.Skip()
End If
End If
End While
' If this line is executable, then user data were entered incorrectly
lbl.Visible = True
End Sub
End Class
Now let's have a post-mortem debate: the code above consists of 2 pages. All actions start on the default.aspx page, when we check if current user has a name:
If context.Current.User.Identity.Name = �� Then
Response.Redirect(�login.aspx�)
Else
Response.Write(�<h2><I>Hello � & context.Current.User.Identity.Name & �</I></h2>�)
End If
If he does, then greeting will be displayed, otherwise - the user will be redirected to the login page login.aspx, where he will be asked to enter his name and password. Entered data will be compared with the data from XML file. If user is not found, error message will be displayed (fig. 3), otherwise he will be successfully redirected to source page default.aspx, which would greet him after finding out that the name of the current user is defined.
If you passed authentication successfully and the greeting appeared, then close browser window and try to restart default.aspx page. You will immediately see the greeting to that user whose name was entered last. The explanation is the following - while registration we saved cookie-file on the client machine. It took place when we called RedirectFromLoginPage function, and set its CreatePersistentCookie parameter to True:
FormsAuthentication.RedirectFromLoginPage(txtName.Text, True)
In order to prevent cookie-file transfer it is enough to call this function with CreatePersistentCookie parameter set to False. Or there is another way - on default.aspx page add page unload event handler with the following code:
Private Sub Page_Unload(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Unload
FormsAuthentication.SignOut()
End Sub
As a result, after main page unload the user will be registered upon sign-out.
Back to top
|
