Read Build Your Own ASP.NET 3.5 Website Using C# & VB Online
Authors: Cristian Darie,Zak Ruvalcaba,Wyatt Barnett
B08C8C585B6D67164C163767076445D6. Here’s what your Web.config file would look like if you wanted to assign the password “cristian” to the user “cristian”:

    <user name="cristian"
      password="B08C8C585B6D67164C163767076445D6" />
After you make this change, execute your project again. When the login form appears, enter cristian for the username, and cristian for the password, and you should be redirected to the requested page (which, by default, is the homepage).
Hashing Passwords Programmatically

I won’t insist on using Web.config because ASP.NET offers the much more powerful option of storing credentials in the database. However, if you want to hash passwords yourself without using an online tool,⁵ you can use the HashPasswordForStoringInConfigFile method of the FormsAuthentication class, which takes as parameters the cleartext password and the hashing algorithm you want to use—MD5 or SHA1.

5 Try the one at http://aspnetresources.com/tools/pwdhash.aspx.
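As an added example (not code from the book), the following console program produces the same upper-case hex digest format that the credentials element expects, using the System.Security.Cryptography classes directly, so it runs outside a web project where FormsAuthentication is not available. The class and method names (ConfigPasswordHasher, Hash, Verify) are my own. Note that both MD5 and SHA1 here are unsalted, fast hashes, which is one reason the chapter moves on to the database-backed membership providers.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the book: computes the digest that goes into
// <user name="..." password="..." /> when passwordFormat is MD5 or SHA1.
static class ConfigPasswordHasher
{
    // Returns the upper-case hex digest of the UTF-8 encoded password,
    // the same layout FormsAuthentication.HashPasswordForStoringInConfigFile emits.
    public static string Hash(string password, string format)
    {
        HashAlgorithm algorithm;
        switch (format.ToUpperInvariant())
        {
            case "MD5":  algorithm = MD5.Create();  break;
            case "SHA1": algorithm = SHA1.Create(); break;
            default: throw new ArgumentException("format must be MD5 or SHA1", "format");
        }

        using (algorithm)
        {
            byte[] digest = algorithm.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                hex.Append(b.ToString("X2"));
            }
            return hex.ToString();
        }
    }

    // Checks a submitted password against a stored digest. The comparison
    // visits every character rather than stopping at the first mismatch.
    public static bool Verify(string password, string format, string storedHexDigest)
    {
        string computed = Hash(password, format);
        if (computed.Length != storedHexDigest.Length)
        {
            return false;
        }

        int difference = 0;
        for (int i = 0; i < computed.Length; i++)
        {
            difference |= computed[i] ^ char.ToUpperInvariant(storedHexDigest[i]);
        }
        return difference == 0;
    }

    static void Main()
    {
        // Digest for the sample user from the text; paste it into the password attribute.
        string digest = Hash("cristian", "MD5");
        Console.WriteLine("password=\"" + digest + "\"");

        // A login check against that digest succeeds, and a wrong password fails.
        Console.WriteLine(Verify("cristian", "MD5", digest));   // True
        Console.WriteLine(Verify("Cristian", "MD5", digest));   // False
    }
}
```

Compile it with csc.exe from the same Framework folder that holds aspnet_regsql.exe; no reference to System.Web is needed.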
Licensed to [email protected]
Security and User Authentication
567
Logging Users Out

You’ll usually want to provide users with the ability to log out once they’ve finished browsing your site. People gain security from the knowledge that they have successfully logged out, and rightly so, since it’s possible for a hacker to take over (or spoof) an existing login while it remains active. The first step to take in order to create logout functionality for your application is to insert a suitable control that users can click on when they finish browsing.

The method that lets you sign out current users is the FormsAuthentication class’s SignOut method. You could call this method in the Click event handler of a Sign Out button, like this:
Visual Basic

    Sub Logout(s As Object, e As EventArgs)
      ' Clear the forms authentication cookie, then send the user to the homepage
      FormsAuthentication.SignOut()
      Response.Redirect("Default.aspx")
    End Sub

C#

    void Logout(Object s, EventArgs e) {
      // Clear the forms authentication cookie, then send the user to the homepage
      FormsAuthentication.SignOut();
      Response.Redirect("Default.aspx");
    }
The SignOut method shown above is used to clear the authentication cookie. The next line simply redirects the user to the homepage.
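As an added example (not the book’s code), here is a fuller version of the same handler. Besides clearing the authentication cookie, it abandons the server-side session and sends expired copies of both cookies, so a browser that later returns carries nothing from the old login. The class name LogoutPage and the use of Default.aspx as the landing page are assumptions; the cookie names come from FormsAuthentication.FormsCookieName and ASP.NET’s default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example, not from the book: a Click handler for a Sign Out button
// in a web form code-behind (class name is assumed).
public partial class LogoutPage : Page
{
    protected void Logout(object s, EventArgs e)
    {
        // Remove the forms authentication ticket cookie from the browser.
        FormsAuthentication.SignOut();

        // Drop any server-side session state created while the user was logged in.
        Session.Abandon();

        // Overwrite the authentication and session cookies with expired ones so a
        // later request from this browser does not present stale values.
        string[] cookieNames = { FormsAuthentication.FormsCookieName, "ASP.NET_SessionId" };
        foreach (string name in cookieNames)
        {
            HttpCookie expired = new HttpCookie(name, string.Empty);
            expired.Expires = DateTime.UtcNow.AddDays(-1);
            expired.HttpOnly = true;
            Response.Cookies.Add(expired);
        }

        // Redirect without ending the response abruptly, then finish the request.
        Response.Redirect("Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

SignOut only removes the cookie from the browser; a ticket that was copied earlier stays valid until its own timeout expires, so keeping the forms authentication timeout short is the matching server-side setting.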
In the next section we’ll be learning about ASP.NET Memberships and Roles and using our database to store user credentials. This means that now is a good opportunity to remove the user credentials for John and Jane (and anyone else you may have added) from our Web.config file before we progress.
ASP.NET Memberships and Roles

The ASP.NET team made a big step forward by implementing common functionality that previously needed to be coded from scratch for every new web application. This functionality includes a membership system, which supports the management of customer accounts, login forms, user registration forms, and so on, and is divided into several layers, each of which can be extended or modified to suit your needs.

In particular, this new membership system offers a rich set of login controls, which you find in the Login tab of the Toolbox in Visual Web Developer. That’s right—you can add a form for the creation of new user accounts simply by dragging a CreateUserWizard control into a web form! ASP.NET makes implementing many such features extremely easy, but in order to take full advantage of these controls, we’ll need to learn about the framework on which they’re built.
Creating the Membership Data Structures

ASP.NET’s membership system stores user profile data, including membership and personalization information, in a structured data store consisting of a set of tables, views, and stored procedures. We’ll call these membership data structures, although that name doesn’t take into account the complete range of data they contain.

To manipulate this data, Visual Web Developer provides the ASP.NET Web Site Administration Tool, which lets you add and edit users and their roles, and perform other administrative tasks.

We can use two procedures to create the necessary data structures. The first option is simply to open the ASP.NET Web Site Administration Tool, and click the Security tab. When you do this for the first time, the Web Site Administration Tool will create a database called ASPNETDB in the App_Data folder of your Web Application. This database will consist of two files: ASPNETDB.MDF (the database file) and ASPNETDB_LOG.LDF (the database log file).
Let’s give this a try. With the Dorknozzle web site project loaded in Visual Web Developer, select Website > ASP.NET Configuration. This will load a page like that

Figure 13.3. The ASP.NET Web Site Administration Tool

Figure 13.4. The Security tab

Click the Security tab to access the page shown in Figure 13.4.

At this point you can open the Dorknozzle\App_Data folder, where you’ll be able to see your new database files, as Figure 13.5 indicates.
The ASPNETDB database is what’s called a User Instance database, whose files are stored locally inside your application’s folder. User instance databases are new to Microsoft SQL Server 2005; they allow you to access database files without attaching them to an SQL Server instance. These databases can easily be copied or transferred, and your application can connect to them as needed.

The new ASP.NET login controls, the ASP.NET Web Site Administration Tool, and a number of related classes are able to access the ASPNETDB database automatically, without any configuration. Should you need to access this database through your own code (for example, to customize the data structures), you can do so using the special connection string LocalSqlServer.
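As an added example (not from the book) of reaching the membership store from your own code, the class below reads the LocalSqlServer connection string through ConfigurationManager and runs a parameterized query against aspnet_Users, one of the tables the membership data structures create. The class and method names are assumptions; the query assumes the data structures have already been created as described above. For ordinary lookups the Membership API introduced later in the chapter is the right tool, so this is only for the customization case the text mentions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

// Added example, not from the book: direct access to the membership store
// through the LocalSqlServer connection string (class name is assumed).
public static class MembershipStoreProbe
{
    // Returns true when an account with the given name exists in aspnet_Users.
    // The name travels as a SQL parameter, never as part of the query text.
    public static bool UserExists(string userName)
    {
        ConnectionStringSettings settings =
            ConfigurationManager.ConnectionStrings["LocalSqlServer"];
        if (settings == null)
        {
            throw new InvalidOperationException("LocalSqlServer connection string is not defined");
        }

        const string sql =
            "SELECT COUNT(*) FROM dbo.aspnet_Users WHERE LoweredUserName = @name";

        using (SqlConnection connection = new SqlConnection(settings.ConnectionString))
        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            // The store keeps a lower-cased copy of each name for comparisons.
            command.Parameters.AddWithValue("@name", userName.ToLowerInvariant());
            connection.Open();
            return Convert.ToInt32(command.ExecuteScalar()) > 0;
        }
    }
}
```

Because LocalSqlServer is defined in the machine-level configuration, the same code keeps working after you redirect that name to the Dorknozzle database in your own Web.config, as the following section describes.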
There are two things you need to be aware of when you’re using the ASPNETDB database:

■ Although User Instance databases were designed to be easy to move between systems, you can’t always easily upload them to a hosting server.

■ This approach will cause your application to have to work with two databases. In our case, the Dorknozzle site would need to use both the ASPNETDB database and our old friend, the Dorknozzle database. Whether this is a wise choice or not depends on the specifics of your project, and whether your site’s other data structures need to relate to the membership data of your users.

Fortunately, you have the option to create the necessary data structures within your existing database.
Using Your Database to Store Membership Data

In many cases, it’s more beneficial to store the membership data structures in your own database than in the default ASPNETDB database. Indeed, for the purposes of our application, it would be preferable to keep that data inside the existing Dorknozzle database. This way, when we launch the project, we’ll need to transfer only one database to the production machine, rather than having to migrate two separate databases.

Figure 13.5. The ASPNETDB database files

In order to use your database to store membership data, you need to complete two tasks:

■ Create the necessary data structures in Dorknozzle.

■ Edit Web.config to specify the new location of these structures, overriding the default configuration that uses the ASPNETDB database.
You can use a tool that ships with ASP.NET, aspnet_regsql.exe, to customize the data store and add the necessary structures to your own database. This tool can be executed at the Windows command prompt, where you can include various parameters to configure it instantly for your database; alternatively, it can be run in Wizard mode, allowing you to set those options one at a time. To execute the tool, open aspnet_regsql.exe, which is located in C:\Windows\Microsoft.NET\Framework\v2.0.nnnnn\.

The wizard should open with a Welcome screen, where you’ll just need to click Next. In the next window, which is shown in Figure 13.6, you can choose between adding the data structures to an existing database (or to a new database that can be created for you), or removing the data structures.