Chapter 13: Security and User Authentication
Working with Forms Authentication
By far the most popular authentication method, forms authentication is extremely flexible. With forms authentication, you get to choose where the usernames and passwords are stored: in the Web.config file, in a separate XML file, in a database, or in any combination of the three.
Forms authentication is cookie-based—each user’s login is maintained with a cookie. A browser may not access protected pages of the site unless it has a cookie that corresponds to the successful authentication of an authorized user.
You’ll most frequently use three classes from the System.Web.Security namespace as you work with forms authentication:
FormsAuthentication: contains several methods for working with forms authentication
FormsAuthenticationTicket: represents the authentication ticket that’s stored in the user’s cookie
FormsIdentity: represents the authenticated user’s identity
Let’s walk through an example that explains how a basic login page is constructed. We need to take three steps:
1. Configure the authentication mode for the application within the Web.config file.
2. Configure the authorization section to allow or deny certain users within the Web.config file.
3. Create the login page that your visitors will use.
The first step is to configure the authentication mode for the application.
Let’s hand-code an example using the Dorknozzle application. Open it in Visual Web Developer, open the Web.config file, and add the <authentication> tag shown in the following code snippet. Visual Web Developer may already have created an <authentication> tag for you with the default mode of Windows—in this case, just change the value to Forms:
File: Web.config (excerpt)
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>
There are four possible values for the mode attribute: Forms, Windows, Passport, and None. Since we’re working with forms authentication, we set the mode to Forms.
Next, set up the authorization scheme by adding the <authorization> tag:
File: Web.config (excerpt)
<authentication mode="Forms" />
<authorization>
  <deny users="?" />
</authorization>
As you’ll see in more detail in the next few sections, the question mark symbol (?) represents all anonymous users—that is, users who have not logged in. Essentially, this configuration reads: “Deny all non-logged-in users.” If a user tries to access a page controlled by this Web.config file without logging in, he or she will be redirected to the login page. Unfortunately, this has the side-effect of denying all unauthenticated users access to our style sheet and image files, as well. Thankfully, ASP.NET 2.0 provides a way to override Web.config settings for particular directories of your web site—the location element.
To allow anonymous users access to your App_Themes and Images folders, add the following to Web.config:
File: Web.config (excerpt)
  </system.web>
  <!-- Allow access to App_Themes directory -->
  <location path="App_Themes">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <!-- Allow access to Images directory -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Now, all we need do is create that login page.
Create a new page named Login.aspx, which uses a code-behind file, and is based on the Dorknozzle.master master page. Then, modify its title and content placeholders like this:
File: Login.aspx
<%@ Page Language="VB" MasterPageFile="~/DorkNozzle.master" AutoEventWireup="false" CodeFile="Login.aspx.vb" Inherits="Login" Title="Dorknozzle Login" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
  <h1>Login</h1>
</asp:Content>
If you execute the project now, you’ll notice that no matter which link you click, you’ll be redirected to the blank Login page shown in Figure 13.1.
Naming the Login Page
Note that we didn’t need to specify the name of the login page, Login.aspx, anywhere. By default, unless you specify another form name, ASP.NET will assume that the login page is called Login.aspx.
Authenticating Users
You’re secured. Anonymous users can’t see your application’s pages, and are automatically redirected to the login page. Now what? How do you create users, give them privileges, store their settings, and so on? Well, it depends.
All versions of ASP.NET can store user account data, and details of the resources each user can access, in the Web.config file. However, relying only on the Web.config file isn’t particularly helpful when the users’ account settings need to be easily configurable: you can’t keep modifying the configuration file to register new users, modify user passwords, and so on.
Figure 13.1. The Login page
As you probably already suspect, a real user management solution must use the database somehow. Storing authentication and authorization data—such as user accounts, roles, and privileges—in the database gives you much greater flexibility in the long run.
Let’s analyze both possibilities. By the end of the chapter, we’ll have implemented a user authentication and authorization system using the new ASP.NET 2.0 membership features.
Working with Hard-coded User Accounts
Hard-coding user accounts means keeping user data in the code-behind file. This solution should never, ever be used in any application, but it will make things easier for us as we work through the first few examples.
To start off, let’s build a login form that contains a TextBox into which the user can enter a username, another TextBox for the password, and a Button for submitting the data to the server. Add this code after the Login heading in Login.aspx:
File: Login.aspx (excerpt)
<p>Username:<br />
  <asp:TextBox id="username" runat="server" />
</p>
<p>Password:<br />
  <asp:TextBox id="password" runat="server" TextMode="Password" />
</p>
<p>
  <asp:Button id="submitButton" runat="server" Text="Login" OnClick="LoginUser" />
</p>
As you can see, the page contains two TextBox controls, one of which has its TextMode set to Password, which means that an asterisk will be displayed for each character the user types into this field. The page also contains a Button control whose OnClick attribute calls the LoginUser method. Next, we’ll add the server-side script for this method, which will validate the login credentials. Add the following code to your code-behind file:
Visual Basic
File: Login.aspx.vb
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page

    ' Hard-coded credentials: for this walkthrough only (see the note above)
    Sub LoginUser(ByVal s As Object, ByVal e As EventArgs)
        If (username.Text = "username" And _
            password.Text = "password") Then
            ' Issue the forms authentication cookie (non-persistent) and
            ' send the user back to the page originally requested
            FormsAuthentication.RedirectFromLoginPage(username.Text, _
                False)
        End If
    End Sub
End Class

C#
File: Login.aspx.cs
using System;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    // Hard-coded credentials: for this walkthrough only (see the note above)
    protected void LoginUser(Object s, EventArgs e)
    {
        if (username.Text == "username" && password.Text == "password")
        {
            // Issue the forms authentication cookie (non-persistent) and
            // send the user back to the page originally requested
            FormsAuthentication.RedirectFromLoginPage(username.Text,
                false);
        }
    }
}
Execute your project and you’ll see the simple, yet functional, login page shown in Figure 13.2.
Figure 13.2. The simple Dorknozzle Login page
In the code above, the If statement is used to check whether or not the user typed in the correct username and password. If the username and password entered were username and password, respectively, we call the FormsAuthentication class’s RedirectFromLoginPage method, passing in two parameters.
The first parameter is the username that will be stored in the authentication ticket (the cookie that’s sent to the user’s browser). We’ll simply use the username entered into the form for this example. The second parameter is a Boolean value that indicates whether a persistent cookie should be created. By setting this value to True, you allow your users to close their browsers, open them again, navigate back to your site, and still be logged in to the application. Setting this value to False allows users to be logged in only as long as their browser windows remain
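As an added example that is not from the book, the C# code-behind below (assuming the same username and password TextBox controls as Login.aspx) does by hand what RedirectFromLoginPage does in one call: it builds the FormsAuthenticationTicket, encrypts it into the forms cookie, honours the persistent flag discussed above, and shows how a protected page later reads the ticket back through FormsIdentity. CredentialsAreValid is a hypothetical placeholder for a real credential store.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for Login.aspx (added example, not the book's code).
public partial class Login : Page
{
    // Placeholder for a real credential check; the book's walkthrough
    // hard-codes "username"/"password" here, which must never ship.
    private bool CredentialsAreValid(string user, string pass)
    {
        return user == "username" && pass == "password";
    }

    protected void LoginUser(object s, EventArgs e)
    {
        if (!CredentialsAreValid(username.Text, password.Text))
        {
            return; // stay on the login page; no ticket is issued
        }

        bool persistent = false; // the second RedirectFromLoginPage argument

        // 1. The ticket the cookie carries: version, user name, issue time,
        //    expiry, persistence flag and optional user data (empty here).
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, username.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, String.Empty);

        // 2. Encrypt and sign it with the machineKey so the browser can
        //    neither read nor alter the user name inside.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // 3. Store it under the configured cookie name (".ASPXAUTH" by default).
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL in Web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;          // survives browser restarts
        }                                                // otherwise a session cookie
        Response.Cookies.Add(cookie);

        // 4. Return the user to the page that triggered the redirect to Login.aspx.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(username.Text, persistent));
    }

    // How any protected page can inspect the ticket once the user is logged in.
    public static string DescribeTicket(HttpContext ctx)
    {
        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return "anonymous";
        FormsAuthenticationTicket t = identity.Ticket;
        return String.Format("{0} persistent={1} expires={2:u}", t.Name, t.IsPersistent, t.Expiration);
    }
}
```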