Using Membership API for Secured Coding in .NET

If you are using Form Based Authentication Provider you have to create your own login screen, write logic to perform authentication, create database and necessary tables for storage, and ensure confidentiality and integrity of user credentials.

Though Form Based Authentication is advantageous, performing the above mentioned tasks has a considerable work overhead. Is there any way to minimize this work? Yes, Membership API solves your purpose. Membership API implements login page and storage for you.

Membership API Architecture

CHART

In Form Based Authentication, the first task is to create a login page. Even when you use Membership API, you have to create your own login page but you can do it by simply including certain controls in your page. Those controls will in turn perform the task and they are termed as Security Controls. Few Security Controls are Login Control, LoginStatus Control, LoginView Control, PasswordRecovery Control, ChangePassword Control and CreateUserWizard Control. Login control will display textboxes for username, password and a login button. It also performs the validation for you. Similarly all other controls have a specific purpose.

On click of the login button, how does the validation happen? Login Control coordinates with the Membership API classes which have a membership provider communicating with the database and providing the output. The database is maintained in the membership store. All that you will be aware of is the usage of security controls and membership API. Communication across membership providers and membership store are hidden.

Configuring and Using Membership API

For using Membership API, you have to perform the following configuration:

Configure Forms Authentication: To configure forms authentication and to ensure restricted access for anonymous users, make the following entry in web.config file:

<system.web>
<authentication mode=”Forms” />
<authorization>
<deny users = “?” />
</authorization>
</system.web>

Create Membership Data Store: Membership Provider has to interact with the data store to perform authentication. Hence this data store has to be configured and necessary tables have to be created in it. If you are using SQL Server as your application’s database, then you can easily create the data store and its corresponding tables by executing aspnet_regsql.exe.

Configure Connection String: If you are using the default configuration along with SQL Server 2005, both Membership Provider and Connection String are automatically created. If not, then you have to configure connection string in web.config file as below:

<connectionStrings>
<add name=”sampleConnectionString” connectionString= “data source = (local);
Integrated Security=”SSPI”; initial catalog = “sampleDatabase” />
</connectionStrings>

You have to place this section after configuration section.

Configure Membership Provider: you have to configure Membership Provider inside system.web section of web.config file.

<membership defaultProvider=”provider1”>
<providers>
<add name=”provider1”
connectionStringName=”sampleConnectionString”
applicationName=”sampleApp”
requiresQuestionAndAnswer=”false”
passwordFormat=”Encrypted”
type=”System.Web.Security.SqlMembershipProvider” />
<add name=”provider2”
… />
</providers>
</membership>

The “add” tag can also include many other properties like RequiresUniqueEmail, MinRequiredPasswordLength, EnablePasswordReset.

Creating and Authenticating Users: You can now create and authenticate users by using the Membership API and its methods, which are dealt in detail in the section below.

Using Membership API in Code

Membership API has components like Membership, MembershipProvider, MembershipUser, MembershipUserCollection and many more. Each of these classes has many methods defined. Given below are few of these classes and its associated methods to achieve basic authentication.

Create Users: CreateUser command of Membership API is used to create users. However the parameters passed to it vary depending on the provider’s configuration. Few providers accept just the username and password. Few other providers also ask for secret question and answer while configuring the user. Given below is an example of user creation accepting only username and password. MembershipCreateStatus class is used along with Membership API to provide information on the status of user creation.

MembershipCreateStatus outputStatus;
Membership.CreateUser(txtUserName.Text, txtPassword.Text, true, out outputStatus);

Delete Users: Use Membership.Delete method passing the username as argument.

Retrieve Users from the Store: Use the following lines of code to retrieve all users:

MembershipUserCollection userList;
userList = Membership.GetAllUsers();
You can then assign it to a grid view which can display it on the page. For example:
sampleGrid.DataSource = userList;

Update User: You can select a user record from the sampleGrid constructed above and update it using the following lines of code:

string userSelected = (string) sampleGrid.SelectedValue;
MembershipUser userForUpdate = userList[userSelected];
userForUpdate.secretQuestion = txtSecretQuestion.Text;
userForUpdate.secretAnswer = txtSecretAnswer.Text;
Membership.UpdateUser(userForUpdate);

Validate User: User has to be redirected to the main page only if the user is authenticated. You can accomplish this validation using the following lines of code:
if (Membership.ValidateUser(txtUserName.Text,txtPassword.Text)){
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
}
else{
MessageBox.show(“Invalid User Name or Password”);
}

Remember that Membership API is used only for authentication. It doesn’t help you in authorization. If you want API for managing roles and performing authorization, then use Roles API.

_______________________________________________________________________

Add to My Yahoo!


FREE Subscription

Subscribe to our mailing list and receive new articles
through email. Keep yourself updated with latest
developments in the industry.

Name:
Email:

Note : We never rent, trade, or sell my email lists to
anyone. We assure that your privacy is respected
and protected.

Visit .NET Programming Tutorial Homepage

______________________________________________________

Recommended Resource

| Additional Ways of Ensuring Security in .NET | Memory Lifecycle in .NET – An Overview | Few Best Coding Practices for ASP .NET | Handling Session Efficiently Using SQLSERVER State Management in .NET | How to Restrict a Program to Single Instance in .NET? | How to Use Structured Exception Handling in .NET | Understanding Boxing Versus Unboxing in .NET | Understanding Different Levels of Security in .NET | Understanding the Disadvantages of Memory Management in .NET | Using Membership API for Secured Coding in .NET |


| Privacy Policy for www.dotnet-guide.com | Disclosure | Contact |