
Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com

Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication

Forms authentication using web.config file

In the previous example we stored all user data in a separate XML file, but ASP.NET also lets you store account information directly in the web project's configuration file. The advantage of this approach is that it needs far less code: the developer does not have to search the XML file for a matching entry manually, but simply calls one function that resolves everything. To understand how this mechanism works, let's return to the configuration file, specifically to the forms tag. In addition to the attributes described above, this tag can also include a <credentials> section:

Web.config:
<authentication mode="Forms">
    <forms name="ASP_XML_Form" loginUrl="login.aspx" protection="All" timeout="30" path="/"
           requireSSL="false" slidingExpiration="true">
        <credentials passwordFormat="Clear">
            <user name="John" password="one"/>
            <user name="Mike" password="two"/>
            <user name="Bill" password="three"/>
        </credentials>
    </forms>
</authentication>

As you can see from the listing above, the credentials tag has only one attribute, passwordFormat. It defines how the password is stored and takes one of the following values:
- Clear - the password is stored as is, in plaintext;
- SHA1 - the password is hashed with the SHA1 algorithm (Secure Hash Algorithm version 1);
- MD5 - the password is hashed with the MD5 algorithm (Message Digest version 5).

If you choose one of the hash algorithms, you cannot store the password in its original (plaintext) form in the configuration file: you have to hash it first and assign the result to the password attribute. Otherwise, when ASP.NET performs authentication, the passwords simply will not match.

Now that we have a brand new identity database, let's return to the previous application and change the login button's click event handler on the login.aspx page:

login.aspx.vb:
Imports System.Web.Security

Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
    ' Authenticate() looks the user up in the <credentials> section of web.config
    ' and checks the password according to passwordFormat
    If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
        ' The user was found in the credentials section, so authentication
        ' succeeded: issue the ticket and return to the originally requested page
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        ' Otherwise, show the error message
        lbl.Visible = True
    End If
End Sub

Now compare this code with the one used in the previous example. As you can see, the numerous conditions and searches have been reduced to a single call that returns True or False.
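As an added example (not code from the article), here is a small Python model of what FormsAuthentication.Authenticate does with the credentials section: it pre-hashes passwords for the config as passwordFormat requires and checks a login against it, including the plaintext-under-SHA1 mismatch described above. It assumes ASP.NET's hashing convention (digest over the UTF-8 bytes, written as uppercase hex) and compares digests case-insensitively; both are assumptions, not statements from the article.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

def hash_for_config(password: str, password_format: str) -> str:
    """Value for a user element's password attribute under the given passwordFormat.
    Assumption: like ASP.NET, the digest covers the UTF-8 bytes, written as uppercase hex."""
    fmt = password_format.upper()
    if fmt == "CLEAR":
        return password
    if fmt in ("SHA1", "MD5"):
        return hashlib.new(fmt.lower(), password.encode("utf-8")).hexdigest().upper()
    raise ValueError("unsupported passwordFormat: " + password_format)

def build_config(password_format: str, users: dict) -> str:
    """Render the article's <authentication> element, pre-hashing each password."""
    rows = "".join('      <user name="%s" password="%s"/>\n'
                   % (n, hash_for_config(p, password_format)) for n, p in users.items())
    return ('<authentication mode="Forms">\n  <forms name="ASP_XML_Form" loginUrl="login.aspx">\n'
            '    <credentials passwordFormat="%s">\n%s    </credentials>\n  </forms>\n'
            '</authentication>' % (password_format, rows))

def authenticate(config_xml: str, name: str, password: str) -> bool:
    """Model of FormsAuthentication.Authenticate: transform the supplied password
    as passwordFormat says, then compare it with the stored attribute value."""
    cred = ET.fromstring(config_xml).find("./forms/credentials")
    if cred is None:
        return False
    fmt = cred.get("passwordFormat")
    if fmt is None:
        raise ValueError("credentials element needs a passwordFormat attribute")
    stored = {u.get("name"): u.get("password") for u in cred.findall("user")}.get(name)
    if stored is None:
        return False
    supplied = hash_for_config(password, fmt)
    if fmt.upper() != "CLEAR":  # hex digests compare case-insensitively (assumption)
        supplied, stored = supplied.upper(), stored.upper()
    # Constant-time comparison so timing does not reveal how much of the value matched.
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))

# Constructed sample: the article's three users, stored hashed with SHA1.
SAMPLE_USERS = {"John": "one", "Mike": "two", "Bill": "three"}
SHA1_CONFIG = build_config("SHA1", SAMPLE_USERS)
# The mistake the article warns about: a clear-text value left under
# passwordFormat="SHA1" never matches, so authenticate() returns False for John.
BROKEN_CONFIG = SHA1_CONFIG.replace(hash_for_config("one", "SHA1"), "one")
```

Calling authenticate(SHA1_CONFIG, "John", "one") returns True, while the same call against BROKEN_CONFIG returns False.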

We will not review the code that works with hashed passwords here, so as not to get ahead of ourselves. The third section of this article, dedicated to cryptography, covers all the subtleties of hashing and encrypting data, and there you will be able to put these methods into practice.

© 1999 - 2005 XLineSoft. All rights reserved. Send all comments to webmaster@xlinesoft.com