
How to Implement Forms Authentication Provider in .NET

.NET supports three different authentication providers, namely the Windows Authentication Provider, the Forms Authentication Provider and the Passport Authentication Provider. Of these three, the Forms Authentication Provider gives developers the most freedom. Windows Authentication and Passport Authentication come with a predefined set of users and login controls: only those credentials can be used, and no additional user-related details can be recorded. With the Forms Authentication Provider, you are the owner. You can design your own screen, add as many user-specific details as you require, and store user credentials in a file, a database or any other storage medium you prefer. Moreover, the Forms Authentication Provider works with any browser without requiring any browser-specific code in your application.

After reading the step-by-step procedure below, you will be confident enough to implement the Forms Authentication Provider in your application.

Configure Forms Authentication in Your Application

How will your application know which authentication provider to use? This is based on an entry in the web.config file. If your application uses the Forms Authentication Provider, then web.config should include:

<authentication mode="Forms"></authentication>

Within this authentication tag you can specify forms configuration options, which in turn override the default settings of machine.config. A few such configuration options are mentioned below:

<authentication mode="Forms">

Configure IIS to Permit Anonymous Users

Ensure that IIS permits anonymous users; they are then validated against the user credentials they enter in your login page.

Restrict Anonymous Users in Your Application

Since anonymous users are permitted by IIS, security cannot be ensured unless your application restricts them. Hence, deny access to anonymous users and redirect them to the login page you have created. If they present valid credentials, a cookie is generated for them and they can access the requested page. You can deny access to anonymous users by including the following lines inside <system.web> of web.config:

<authorization>

The wildcard character ? stands for all anonymous users, so this rule denies them access.

Create Login Screen

Anonymous users will now be redirected to the login screen you have created. While designing the login screen, use validation controls to ensure the validity of user credentials. For example, use validation controls to ensure that the user enters only the characters A to Z, a to z and the numerals 0 to 9 in the txtUser textbox.
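The web.config settings described in the sections above, assembled into one excerpt as an added example (this is not the article's own configuration). Login.aspx, the 30-minute timeout and the sample user are assumptions.

```xml
<!-- Added example; Login.aspx, timeout and the sample user are assumed. -->
<configuration>
  <system.web>
    <!-- Select the Forms Authentication Provider. -->
    <authentication mode="Forms">
      <!-- Options here override the machine.config defaults. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             timeout="30"
             protection="All"
             requireSSL="true"
             slidingExpiration="false">
        <!-- Credentials kept in web.config (the article's simple case).
             passwordFormat="SHA1" stores a hash of the password;
             passwordFormat="Clear" is the weak setting to avoid.
             The password value below is a placeholder hash. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="PLACEHOLDER_SHA1_HASH" />
        </credentials>
      </forms>
    </authentication>

    <!-- ? is the wildcard for anonymous users: deny them, and ASP.NET
         redirects them to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

FormsAuthentication.HashPasswordForStoringInConfigFile produces the hash value for the password attribute; as the article notes, web.config storage is only suitable for small user lists.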
Write Authentication Code for Login

Assume that you have two textboxes, txtUser and txtPwd, and a button named LoginButton in your login screen. Write the following piece of code inside the click event of LoginButton.

Page.Validate();

This block of code validates the user. If the user credentials are valid, the user is redirected to the requested page; if not, an appropriate error message is displayed. If the first two lines of code are not included, validation will not happen when JavaScript is disabled or not supported by the browser. The Authenticate method returns true if the user credentials are valid. RedirectFromLoginPage creates the cookie, associates it with the HttpResponse and redirects the user to the requested page. The cookie that gets created can be either persistent or non-persistent. Non-persistent cookies are removed when the user closes the browser or when the timeout occurs. Persistent cookies maintain user information across multiple visits. The above example creates a non-persistent cookie. To create a persistent cookie, the second argument of RedirectFromLoginPage must be set to true.

Store User Credentials

You can store user credentials in the web.config file or in a database. If your application has a larger number of users, or additional information about each user has to be maintained, then database storage is the right solution. Moreover, data stored in web.config is not secure. The above example (the LoginButton click event code) assumes that user credentials are stored in web.config.

Write Code for Logout Operation

When you are using Forms Authentication, logout takes a single line of code: FormsAuthentication.SignOut(). Include this line inside the click event of the logout button. Non-persistent cookies expire when the timeout is reached or when the browser is closed, but persistent cookies expire only when this method is called.

The advantage of Forms Authentication discussed earlier in this article is its disadvantage as well. Other providers have a predefined login module, but here you have to develop one. Though this is advantageous, it means additional work compared to the other providers: developing your own login module and ensuring the security of data across networks and in storage. However, this overhead can be reduced to an extent by using the Membership API, which provides a predefined login module along with a storage facility in SQL Server. Consider this overhead when deciding whether to use the Forms Authentication Provider for your application.
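The login and logout click handlers from the two code sections above, written out as an added code-behind example (not the article's own code). txtUser, txtPwd and LoginButton come from the article; chkRemember, lblError, LogoutButton and the Login.aspx URL are assumptions.

```csharp
// Added example; chkRemember, lblError and Login.aspx are assumed names.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox txtUser;
    protected TextBox txtPwd;
    protected CheckBox chkRemember;   // assumed "remember me" choice
    protected Label lblError;         // assumed error message label

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // These two lines run the validators on the server, so validation
        // still happens when the browser has JavaScript disabled.
        Page.Validate();
        if (!Page.IsValid)
        {
            return;   // the validation controls already show their messages
        }

        // Compare against <credentials> in web.config; with
        // passwordFormat="SHA1" the entered password is hashed first.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPwd.Text))
        {
            // Second argument: false = non-persistent cookie (gone when the
            // browser closes or the timeout expires); true = persistent.
            bool persistent = chkRemember.Checked;
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, persistent);
        }
        else
        {
            // One generic message: do not reveal which part was wrong.
            lblError.Text = "Invalid user name or password.";
        }
    }
}

public class LogoutPage : Page
{
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Removes the authentication cookie; the only way a persistent
        // cookie ends before it expires on its own.
        FormsAuthentication.SignOut();
        Response.Redirect("Login.aspx");
    }
}
```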