Build Your Own ASP.NET 3.5 Website Using C# & VB (99 page)


Authors: Cristian Darie,Zak Ruvalcaba,Wyatt Barnett



viewing the Security tab, click the Select authentication type link. You’ll see two options:

From the Internet

You would normally have to select this option to enable forms authentication, but since you have already selected that type of authentication by editing your application’s Web.config file, you’ll find this option is already selected. However, in future, you might want to use this tool to set your preferred authentication type, instead of editing the file manually.


Security and User Authentication

577

From a local network

Had we not specified forms authentication in the Web.config file, this option, which selects Windows authentication—ASP.NET’s default—would have been selected. If you were to re-select this option at this stage, the tool would remove the tag from your Web.config file, restoring the default setting. Leave the From the Internet option selected, and click Done to return to the Security tab.

The Provider tab allows you to change the data provider that’s used to store the security data. Currently, you can only choose AspNetSqlProvider, which uses SQL Server to store the membership data.

The Application tab shown in Figure 13.10 lets you create and manage application settings. You will find the Application Settings tab particularly useful, as it lets you define name-value pairs to be stored in the Web.config file. For example, you might want to add a setting named AdminEmail, which contains an email address that your application can use to send important administration messages, as shown in Figure 13.11.

Figure 13.11. Adding an application setting


Figure 13.10. Managing application settings

We’ve already learned to use Web.config to store connection strings within a dedicated tag. Similarly, ASP.NET supports a tag in the same file for the purpose of storing general application settings.

If you click Save, the administration tool will store the setting in your application’s Web.config file:




To access this data, you need to use the ConfigurationManager class, which is located in the System.Configuration namespace, like this:

Visual Basic

adminEmail = ConfigurationManager.AppSettings("AdminEmail")


C#

adminEmail = ConfigurationManager.AppSettings["AdminEmail"];

Creating Users and Roles

Open the ASP.NET Web Site Administration Tool, click the Security tab, and click Enable Roles under the Roles section. This will add the following line to your Web.config file:

Dorknozzle\VB\10_web.config (excerpt)


Two new links will appear under Roles: Disable Roles, and Create or Manage Roles. Click Create or Manage Roles, and use the form shown in Figure 13.12 to create two roles: one named Users, and another named Administrators.

Figure 13.12. Creating roles


Figure 13.13. Creating the admin account

Click the Security tab to return to the main Security window. Now click the Create user link and add a user named admin, whose password is Dorknozzle!. Check the checkbox to assign this user the Administrators role, and complete the other fields shown in Figure 13.13, which are not optional.

Previously, the settings you specified using the ASP.NET Web Site Administration Tool always affected the Web.config file. Not this time, though! In accordance with the connection string in Web.config, roles and users are stored directly in the membership data structures that we added to the Dorknozzle database.

Changing Password Strength Requirements

By default, you won’t be allowed to enter passwords that aren’t considered sufficiently secure. The default security requirements for AspNetSqlMembershipProvider, as defined in machine.config, require the password to be at least seven characters long, and to include at least one non-alphanumeric character (which is why the exclamation mark was included in the example above). Also, passwords are stored in a hashed format by default.

To change the password strength requirements, we must override the default settings for the AspNetSqlMembershipProvider by adding a tag to the Web.config file. As you might expect, we must first remove the default settings inherited from machine.config, then define our own settings:

Dorknozzle\VB\11_web.config (excerpt)

<membership>
  <providers>
    <!-- discard the AspNetSqlMembershipProvider settings inherited from machine.config -->
    <clear />
    <!-- re-add the provider with our own password policy -->
    <add name="AspNetSqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="LocalSqlServer"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      applicationName="/"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="10"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="0"
      passwordAttemptWindow="10" />
  </providers>
</membership>

The settings in the example above are self-explanatory. For example, we’ve increased maxInvalidPasswordAttempts from the default of 5 to 10, so that users who repeatedly enter an incorrect password are less likely to be locked out of their accounts. We’ve also removed the constraint that required at least one non-alphanumeric character in the password, and the function that facilitated lost password retrieval by means of a secret question and answer.
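What the Web Site Administration Tool does behind the scenes, as an added C# example that is not from the book: it reads the AdminEmail setting, creates the Administrators role and the admin user through the Membership and Roles APIs, checks a candidate password against the policy configured in the provider above, and reports the lockout that maxInvalidPasswordAttempts and passwordAttemptWindow produce. The class MembershipSetup and its method names are my own.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web.Security;

// Added example, not from the book: what the Web Site Administration Tool does
// behind the scenes, via the Membership and Roles APIs. Names here are my own.
public static class MembershipSetup
{
    // Mirror the provider's policy so a weak password gets a clear message
    // before CreateUser is called (the provider would reject it anyway).
    public static string CheckPasswordPolicy(string password)
    {
        MembershipProvider p = Membership.Provider;
        if (password == null || password.Length < p.MinRequiredPasswordLength)
            return "Password must be at least " + p.MinRequiredPasswordLength + " characters.";
        int nonAlnum = password.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlnum < p.MinRequiredNonAlphanumericCharacters)
            return "Password needs at least " + p.MinRequiredNonAlphanumericCharacters + " non-alphanumeric character(s).";
        return null; // policy satisfied
    }

    // Create the Administrators role and the admin user from the chapter; the
    // email comes from the AdminEmail application setting shown earlier.
    public static MembershipCreateStatus CreateAdmin(string password)
    {
        string policyError = CheckPasswordPolicy(password);
        if (policyError != null)
            throw new ArgumentException(policyError, "password");
        if (!Roles.RoleExists("Administrators"))
            Roles.CreateRole("Administrators");
        string adminEmail = ConfigurationManager.AppSettings["AdminEmail"];
        MembershipCreateStatus status;
        // Question and answer are null because requiresQuestionAndAnswer="false".
        Membership.CreateUser("admin", password, adminEmail, null, null, true, out status);
        if (status == MembershipCreateStatus.Success)
            Roles.AddUserToRole("admin", "Administrators");
        return status;
    }

    // maxInvalidPasswordAttempts failures within passwordAttemptWindow minutes lock
    // the account; ValidateUser fails until an administrator calls UnlockUser().
    public static bool IsLockedOut(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user != null && user.IsLockedOut;
    }
}
```

With minRequiredNonalphanumericCharacters set to 0 as above, CheckPasswordPolicy accepts a seven-letter password that the machine.config default would have refused.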
