Build Your Own ASP.NET 3.5 Website Using C# & VB (97 page)

B08C8C585B6D67164C163767076445D6. Here’s what your
Web.config
file would look

like if you wanted to assign the password “cristian” to the user “cristian”:

passwordFormat="MD5"
>

password="B08C8C585B6D67164C163767076445D6"
/>

After you make this change, execute your project again. When the login form appears,

enter
cristian
for the username, and
cristian
for the password, and you should

be redirected to the requested page (which, by default, is the homepage).

Hashing Passwords Programatically

I won’t insist on using Web.config because ASP.NET offers the much more

powerful option of storing credentials in the database. However, if you want to

hash passwords yourself without using an online tool, you can use the

HashForStoringInConfigFile method of the FormsAuthentication class,

which takes as parameters the cleartext password, and the hashing algorithm you

want to use—MD5 or SHA1.

5 Try the one at http://aspnetresources.com/tools/pwdhash.aspx.

Licensed to [email protected]

Security and User Authentication

567

Logging Users Out

You’ll usually want to provide users with the ability to log out once they’ve finished

browsing your site. People gain security from the knowledge that they have successfully logged out, and rightly so, since it’s possible for a hacker to take over (or spoof) an existing login while it remains active. The first step to take in order to create

logout functionality for your application is to insert a suitable control that users

can click on when they finish browsing.

The method that lets you sign out current users is the FormsAuthentication class’s

SignOut method. You could call this method in the Click event handler of a
Sign

Out
button, like this:

Visual Basic

Sub Logout(s As Object, e As EventArgs)

FormsAuthentication.SignOut()

Response.Redirect("Default.aspx")

End Sub

C#

void Logout(Object s, EventArgs e) {

FormsAuthentication.SignOut();

Response.Redirect("Default.aspx");

}

The SignOut method shown above is used to clear the authentication cookie. The

next line simply redirects the user to the homepage.

In the next section we’ll be learning about ASP.NET Memberships and Roles and

using our database to store user credentials. This means that now is a good opportunity to remove the user credentials for John and Jane (and anyone else you may have added) from our
Web.config
file before we progress.

ASP.NET Memberships and Roles

The ASP.NET team made a big step forward by implementing common functionality

that previously needed to be coded from scratch for every new web application.

This functionality includes a
membership system
, which supports the management

Licensed to [email protected]

568

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

of customer accounts, login forms, user registration forms, and so on, and is divided

into several layers, each of which can be extended or modified to suit your needs.

In particular, this new membership system offers a rich set of
login controls
, which

you find in the
Login
tab of the Toolbox in Visual Web Developer. That’s right—you

can add a form for the creation of new user accounts simply by dragging a

CreateUserWizard control into a web form! ASP.NET makes implementing many

such features extremely easy, but in order to take full advantage of these controls,

we’ll need to learn about the framework on which they’re built.

Creating the Membership Data Structures

ASP.NET’s membership system stores user profile data, including membership and

personalization information, in a structured data store consisting of a set of tables,

views, and stored procedures. We’ll call these
membership data structures
, although

that name doesn’t take into account the complete range of data they contain.

To manipulate this data, Visual Web Developer provides the
ASP.NET Web Site

Administration Tool
, which lets you add and edit users and their roles, and perform

other administrative tasks.

We can use two procedures to create the necessary data structures. The first option

is simply to open the ASP.NET Web Site Administration Tool, and click the
Security

tab. When you do this for the first time, the Web Site Administration Tool will

create a database called ASPNETDB in the
App_Data
folder of your Web Application.

This database will consist of two files:
ASPNETDB.MDF
(the database file) and

ASPNETDB_LOG.LDF
(the database log file).

Let’s give this a try. With the Dorknozzle web site project loaded in Visual Web

Developer, select
Website
>
ASP.NET Configuration
. This will load a page like that

shown in Figure 13.3.

Licensed to [email protected]

Security and User Authentication

569

Figure 13.3. The ASP.NET Web Site Administration Tool

Figure 13.4. The
Security
tab

Click the
Security
tab to access the page shown in
Figure 13.4.

Licensed to [email protected]

570

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

At this point you can open the
Dorknozzle\App_Data
folder, where you’ll be able to

see your new database files, as
Figure 13.5
indicates.

The ASPNETDB database is what's called a
User Instance database
, whose files are

stored locally inside your application’s folder. User instance databases are new to

Microsoft SQL Server 2005; they allow you to access database files without attaching

them to an SQL Server instance. These databases can easily be copied or transferred,

and your application can connect to them as needed.

The new ASP.NET login controls, the ASP.NET Web Site Administration Tool, and

a number of related classes are able to access the ASPNETDB database automatically,

without any configuration. Should you need to access this database through your

own code (for example, to customize the data structures), you can do so using the

special connection string LocalSqlServer.

There are two things you need to be aware of when you’re using the ASPNETDB

database:

■ Although User Instance databases were designed to be easy to move between

systems, you can’t always easily upload them to a hosting server.

■ This approach will cause your application to have to work with two databases.

In our case, the Dorknozzle site would need to use both the ASPNETDB database

and our old friend, the Dorknozzle database. Whether this is a wise choice or

not depends on the specifics of your project, and whether your site’s other data

structures need to relate to the membership data of your users.

Fortunately, you have the option to create the necessary data structures within your

existing database.

Using Your Database to Store Membership Data

In many cases, it’s more beneficial to store the membership data structures in your

own database than in the default ASPNETDB database. Indeed, for the purposes of

our application, it would be preferable to keep that data inside the existing

Dorknozzle database. This way, when we launch the project, we’ll need to transfer

only one database to the production machine, rather than having to migrate two

separate databases.

Licensed to [email protected]

Security and User Authentication

571

Figure 13.5. The ASPNETDB database files

In order to use your database to store membership data, you need to complete two

tasks:

■ Create the necessary data structures in Dorknozzle.

■ Edit
Web.config
to specify the new location of these structures, overriding the

default configuration that uses the ASPNETDB database.

You can use a tool that ships with ASP.NET,
aspnet_regsql.exe
, to customize the

data store and add the necessary structures to your own database. This tool can be

executed at the Windows command prompt, where you can include various parameters to configure it instantly for your database; alternatively, it can be run in Wizard mode, allowing you to set those options one at a time. To execute the tool,

open
aspnet_regsql.exe
, which is located in
C:\Windows\Microsoft.NET\Frame-

work\v2.0.
nnnnn
\
.

The wizard should open with a Welcome screen, where you’ll just need to click

Next
. In the next window, which is shown in
Figure 13.6
, you can choose between adding the data structures to an existing database (or to a new database that can be

created for you), or removing the data structures.

Licensed to [email protected]