- •Table of Contents
- •Preface
- •What is ASP.NET?
- •Installing the Required Software
- •Installing the Web Server
- •Installing Internet Information Services (IIS)
- •Installing Cassini
- •Installing the .NET Framework and the SDK
- •Installing the .NET Framework
- •Installing the SDK
- •Configuring the Web Server
- •Configuring IIS
- •Configuring Cassini
- •Where do I Put my Files?
- •Using localhost
- •Virtual Directories
- •Using Cassini
- •Installing SQL Server 2005 Express Edition
- •Installing SQL Server Management Studio Express
- •Installing Visual Web Developer 2005
- •Writing your First ASP.NET Page
- •Getting Help
- •Summary
- •ASP.NET Basics
- •ASP.NET Page Structure
- •Directives
- •Code Declaration Blocks
- •Comments in VB and C# Code
- •Code Render Blocks
- •ASP.NET Server Controls
- •Server-side Comments
- •Literal Text and HTML Tags
- •View State
- •Working with Directives
- •ASP.NET Languages
- •Visual Basic
- •Summary
- •VB and C# Programming Basics
- •Programming Basics
- •Control Events and Subroutines
- •Page Events
- •Variables and Variable Declaration
- •Arrays
- •Functions
- •Operators
- •Breaking Long Lines of Code
- •Conditional Logic
- •Loops
- •Object Oriented Programming Concepts
- •Objects and Classes
- •Properties
- •Methods
- •Classes
- •Constructors
- •Scope
- •Events
- •Understanding Inheritance
- •Objects In .NET
- •Namespaces
- •Using Code-behind Files
- •Summary
- •Constructing ASP.NET Web Pages
- •Web Forms
- •HTML Server Controls
- •Using the HTML Server Controls
- •Web Server Controls
- •Standard Web Server Controls
- •Label
- •Literal
- •TextBox
- •HiddenField
- •Button
- •ImageButton
- •LinkButton
- •HyperLink
- •CheckBox
- •RadioButton
- •Image
- •ImageMap
- •PlaceHolder
- •Panel
- •List Controls
- •DropDownList
- •ListBox
- •RadioButtonList
- •CheckBoxList
- •BulletedList
- •Advanced Controls
- •Calendar
- •AdRotator
- •TreeView
- •SiteMapPath
- •Menu
- •MultiView
- •Wizard
- •FileUpload
- •Web User Controls
- •Creating a Web User Control
- •Using the Web User Control
- •Master Pages
- •Using Cascading Style Sheets (CSS)
- •Types of Styles and Style Sheets
- •Style Properties
- •The CssClass Property
- •Summary
- •Building Web Applications
- •Introducing the Dorknozzle Project
- •Using Visual Web Developer
- •Meeting the Features
- •The Solution Explorer
- •The Web Forms Designer
- •The Code Editor
- •IntelliSense
- •The Toolbox
- •The Properties Window
- •Executing your Project
- •Using Visual Web Developer’s Built-in Web Server
- •Using IIS
- •Using IIS with Visual Web Developer
- •Core Web Application Features
- •Web.config
- •Global.asax
- •Using Application State
- •Working with User Sessions
- •Using the Cache Object
- •Using Cookies
- •Starting the Dorknozzle Project
- •Preparing the Sitemap
- •Using Themes, Skins, and Styles
- •Creating a New Theme Folder
- •Creating a New Style Sheet
- •Styling Web Server Controls
- •Adding a Skin
- •Applying the Theme
- •Building the Master Page
- •Using the Master Page
- •Extending Dorknozzle
- •Debugging and Error Handling
- •Debugging with Visual Web Developer
- •Other Kinds of Errors
- •Custom Errors
- •Handling Exceptions Locally
- •Summary
- •Using the Validation Controls
- •Enforcing Validation on the Server
- •Using Validation Controls
- •RequiredFieldValidator
- •CompareValidator
- •RangeValidator
- •ValidationSummary
- •RegularExpressionValidator
- •Some Useful Regular Expressions
- •CustomValidator
- •Validation Groups
- •Updating Dorknozzle
- •Summary
- •What is a Database?
- •Creating your First Database
- •Creating a New Database Using Visual Web Developer
- •Creating Database Tables
- •Data Types
- •Column Properties
- •Primary Keys
- •Creating the Employees Table
- •Creating the Remaining Tables
- •Executing SQL Scripts
- •Populating the Data Tables
- •Relational Database Design Concepts
- •Foreign Keys
- •Using Database Diagrams
- •Diagrams and Table Relationships
- •One-to-one Relationships
- •One-to-many Relationships
- •Many-to-many Relationships
- •Summary
- •Speaking SQL
- •Reading Data from a Single Table
- •Using the SELECT Statement
- •Selecting Certain Fields
- •Selecting Unique Data with DISTINCT
- •Row Filtering with WHERE
- •Selecting Ranges of Values with BETWEEN
- •Matching Patterns with LIKE
- •Using the IN Operator
- •Sorting Results Using ORDER BY
- •Limiting the Number of Results with TOP
- •Reading Data from Multiple Tables
- •Subqueries
- •Table Joins
- •Expressions and Operators
- •Transact-SQL Functions
- •Arithmetic Functions
- •String Functions
- •Date and Time Functions
- •Working with Groups of Values
- •The COUNT Function
- •Grouping Records Using GROUP BY
- •Filtering Groups Using HAVING
- •The SUM, AVG, MIN, and MAX Functions
- •Updating Existing Data
- •The INSERT Statement
- •The UPDATE Statement
- •The DELETE Statement
- •Stored Procedures
- •Summary
- •Introducing ADO.NET
- •Importing the SqlClient Namespace
- •Defining the Database Connection
- •Preparing the Command
- •Executing the Command
- •Setting up Database Authentication
- •Reading the Data
- •Using Parameters with Queries
- •Bulletproofing Data Access Code
- •Using the Repeater Control
- •More Data Binding
- •Inserting Records
- •Updating Records
- •Deleting Records
- •Using Stored Procedures
- •Summary
- •DataList Basics
- •Handling DataList Events
- •Editing DataList Items and Using Templates
- •DataList and Visual Web Developer
- •Styling the DataList
- •Summary
- •Using the GridView Control
- •Customizing the GridView Columns
- •Styling the GridView with Templates, Skins, and CSS
- •Selecting Grid Records
- •Using the DetailsView Control
- •Styling the DetailsView
- •GridView and DetailsView Events
- •Entering Edit Mode
- •Using Templates
- •Updating DetailsView Records
- •Summary
- •Advanced Data Access
- •Using Data Source Controls
- •Binding the GridView to a SqlDataSource
- •Binding the DetailsView to a SqlDataSource
- •Displaying Lists in DetailsView
- •More on SqlDataSource
- •Working with Data Sets and Data Tables
- •What is a Data Set Made From?
- •Binding DataSets to Controls
- •Implementing Paging
- •Storing Data Sets in View State
- •Implementing Sorting
- •Filtering Data
- •Updating a Database from a Modified DataSet
- •Summary
- •Security and User Authentication
- •Basic Security Guidelines
- •Securing ASP.NET 2.0 Applications
- •Working with Forms Authentication
- •Authenticating Users
- •Working with Hard-coded User Accounts
- •Configuring Forms Authentication
- •Configuring Forms Authorization
- •Storing Users in Web.config
- •Hashing Passwords
- •Logging Users Out
- •ASP.NET 2.0 Memberships and Roles
- •Creating the Membership Data Structures
- •Using your Database to Store Membership Data
- •Using the ASP.NET Web Site Configuration Tool
- •Creating Users and Roles
- •Changing Password Strength Requirements
- •Securing your Web Application
- •Using the ASP.NET Login Controls
- •Authenticating Users
- •Customizing User Display
- •Summary
- •Working with Files and Email
- •Writing and Reading Text Files
- •Setting Up Security
- •Writing Content to a Text File
- •Reading Content from a Text File
- •Accessing Directories and Directory Information
- •Working with Directory and File Paths
- •Uploading Files
- •Sending Email with ASP.NET
- •Configuring the SMTP Server
- •Sending a Test Email
- •Creating the Company Newsletter Page
- •Summary
- •The WebControl Class
- •Properties
- •Methods
- •Standard Web Controls
- •AdRotator
- •Properties
- •Events
- •BulletedList
- •Properties
- •Events
- •Button
- •Properties
- •Events
- •Calendar
- •Properties
- •Events
- •CheckBox
- •Properties
- •Events
- •CheckBoxList
- •Properties
- •Events
- •DropDownList
- •Properties
- •Events
- •FileUpload
- •Properties
- •Methods
- •HiddenField
- •Properties
- •HyperLink
- •Properties
- •Image
- •Properties
- •ImageButton
- •Properties
- •Events
- •ImageMap
- •Properties
- •Events
- •Label
- •Properties
- •LinkButton
- •Properties
- •Events
- •ListBox
- •Properties
- •Events
- •Literal
- •Properties
- •MultiView
- •Properties
- •Methods
- •Events
- •Panel
- •Properties
- •PlaceHolder
- •Properties
- •RadioButton
- •Properties
- •Events
- •RadioButtonList
- •Properties
- •Events
- •TextBox
- •Properties
- •Events
- •Properties
- •Validation Controls
- •CompareValidator
- •Properties
- •Methods
- •CustomValidator
- •Methods
- •Events
- •RangeValidator
- •Properties
- •Methods
- •RegularExpressionValidator
- •Properties
- •Methods
- •RequiredFieldValidator
- •Properties
- •Methods
- •ValidationSummary
- •Properties
- •Navigation Web Controls
- •SiteMapPath
- •Properties
- •Methods
- •Events
- •Menu
- •Properties
- •Methods
- •Events
- •TreeView
- •Properties
- •Methods
- •Events
- •HTML Server Controls
- •HtmlAnchor Control
- •Properties
- •Events
- •HtmlButton Control
- •Properties
- •Events
- •HtmlForm Control
- •Properties
- •HtmlGeneric Control
- •Properties
- •HtmlImage Control
- •Properties
- •HtmlInputButton Control
- •Properties
- •Events
- •HtmlInputCheckBox Control
- •Properties
- •Events
- •HtmlInputFile Control
- •Properties
- •HtmlInputHidden Control
- •Properties
- •HtmlInputImage Control
- •Properties
- •Events
- •HtmlInputRadioButton Control
- •Properties
- •Events
- •HtmlInputText Control
- •Properties
- •Events
- •HtmlSelect Control
- •Properties
- •Events
- •HtmlTable Control
- •Properties
- •HtmlTableCell Control
- •Properties
- •HtmlTableRow Control
- •Properties
- •HtmlTextArea Control
- •Properties
- •Events
- •Index
Chapter 13: Security and User Authentication
open. If they close their browsers, reopen them, and navigate to your site, they’ll have to log in again.[2]
Once you enter the correct name and password, you’ll be forwarded to the page you initially requested—by default, this is the homepage.
Configuring Forms Authentication
In the previous section, we created a basic login page. We also modified the Web.config file to enable the forms authentication mode. In this section, we’ll explore the forms authentication section of the Web.config file in greater detail.
Aside from the basic authentication mode, the <authentication> tag within the Web.config file may contain a <forms> tag. The <forms> tag accepts the following attributes:
loginUrl
This attribute specifies the page that the user is redirected to when authentication is necessary. By default, this page is called login.aspx. Using this attribute, you can modify the filename to anything you like.
name
This attribute specifies the name of the cookie to be stored on the user’s machine. By default, the name is set to .ASPXAUTH.
timeout
This attribute specifies the amount of time in minutes before the cookie expires. By default, this value is set to 30 minutes.
path
This attribute specifies the path to the location at which the cookie is stored. By default, this value is set to /.
protection
This attribute controls how the ticket stored in the cookie is protected. Values are All (the ticket is both encrypted and signed), Encryption (encrypted but not signed), Validation (signed but readable, so it cannot be tampered with but its contents are visible), and None (plain text that anyone can read or forge). The default value is All, and there is no good reason to lower it.
cookieless
A new ASP.NET 2.0 feature, this attribute controls whether your application identifies the logged-in user with a cookie or with a token embedded in the URL. The possible values are UseCookies (use the cookie to identify the user), UseUri (use the URL to store identification data), AutoDetect (try to detect if the user client supports cookies), or UseDeviceProfile (use cookies if the user client is known to support them). The default is UseDeviceProfile.
Applying the cookieless authentication mode is similar to using cookieless sessions, and can be used to support visitors who have cookies disabled. When the URL is used to identify the visitor, the links in your web site will automatically be modified to include the identification information, and will look like this:
http://localhost/Dorknozzle/(F(oyVZpBZ3w7Iz_LEFRukBigAfnxM5QzvMY374YdcVjfcfgKJt8SJ3x9pVlrvUSUKbAiMuTP4rylvvNi7HQH3ta9kMmQWQmZM5aT13GkenHPk1))/Default.aspx
Be aware of what this costs you. Because the ticket travels in the URL, it ends up in browser history, bookmarks, proxy and web server logs, and in the Referer header sent to every external site you link to; anyone who obtains it can use it until it expires. Treat UseUri and AutoDetect as a last resort for clients that really cannot accept cookies, and use UseCookies for anything that handles sensitive data.
slidingExpiration
This attribute specifies whether the cookie’s expiration date (which is specified using the timeout attribute) should be reset on subsequent requests of a user’s session. The default in ASP.NET 2.0 is True; the default changed between framework versions, so set the value explicitly rather than relying on it. With sliding expiration enabled, ASP.NET reissues the ticket when a request arrives after more than half of the timeout has elapsed, so an active user is never logged out; the price is that a stolen cookie stays valid for as long as the thief keeps using it. Set it to False for applications that must put a hard limit on the lifetime of a login.
[2] You could add a Remember Me checkbox, and decide the value of the second parameter based on the user’s preference.
An example Web.config file to which the <forms> tag has been applied might look like this:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".LoginCookie" loginUrl="Login.aspx" protection="All"
             timeout="40" path="/" cookieless="UseUri" />
    </authentication>
    <authorization>
    </authorization>
  </system.web>
</configuration>
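As an added example (not the book’s Web.config), here is the same <forms> element tuned for a site that handles real user data, with the weaker choices from the listing above noted in comments. requireSSL on <forms> and the <httpCookies> element are genuine ASP.NET 2.0 settings that the attribute list above does not mention.

```xml
<!-- Added example, not the book's file: a <forms> configuration for production use. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Compared with the listing above:
           cookieless="UseUri"  -> UseCookies (keeps the ticket out of URLs and logs)
           timeout="40"         -> 20 minutes of idle time
           slidingExpiration    -> false, so a login has a hard expiry
           requireSSL           -> the ticket is only ever sent over HTTPS -->
      <forms name=".LoginCookie"
             loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             path="/"
             cookieless="UseCookies"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- Nobody sees a page without logging in. -->
      <deny users="?" />
    </authorization>
    <!-- Mark every cookie the application issues HttpOnly and Secure.
         The forms ticket is already HttpOnly by default in ASP.NET 2.0;
         this covers the session and any custom cookies as well. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" ASP.NET refuses to issue the ticket on a plain HTTP request, so the login page itself must be reachable over HTTPS; test this on IIS with a certificate installed, because the built-in Visual Web Developer server does not speak SSL.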
Configuring Forms Authorization
As is the case with the authentication section of the Web.config file, the <authorization> tag can be modified to provide or deny certain users access to your application, allowing you to make extremely specific decisions regarding who will, and will not, be accepted into the app. For instance, the following code allows all non-anonymous (authenticated) users except for zruvalcaba:
<configuration>
  <system.web>
    <authentication …>
    </authentication>
    <authorization>
      <deny users="?" />
      <deny users="zruvalcaba" />
    </authorization>
  </system.web>
</configuration>
Here, we again use the question mark (?) to force users to log in, thus denying anonymous users access to our application. We’ve also added another <deny> tag, for the user zruvalcaba. In a nutshell, the two deny elements let every logged-in user except zruvalcaba into the application.
In addition to <deny> tags, the <authorization> tag may contain <allow> tags; we’ll see an example of this in a moment. For each request, ASP.NET reads through the tags in <authorization> in order and acts on the first one that matches the user. If it is a <deny> tag, the request is refused (an anonymous user is redirected to the login page instead); if it is an <allow> tag, the request proceeds. If no tag in your file matches, the rules inherited from the machine-wide root web.config apply, and that file ends with <allow users="*" />, so the user is granted access. Two points to keep in mind: order matters, because a <deny users="*" /> placed above your <allow> tags locks everyone out; and these rules are enforced by ASP.NET, so on IIS they protect only the requests IIS hands to ASP.NET (.aspx, .asmx and the other registered extensions). Static files such as images, PDFs or .txt files in the same folder are served by IIS directly and are not covered unless you map their extensions to ASP.NET. The built-in web server in Visual Web Developer passes every request through ASP.NET, so it will not reveal this difference during testing.
The users attribute of <allow> and <deny> will accept three types of values:
?
Use this value to allow or deny all anonymous users. This is the most common value used with forms authentication.
*
Use this value to allow or deny all users, including users who are logged in.
user, …
As with zruvalcaba above, we can allow or deny access to a specific user via this attribute. We can list several users by separating their names with commas.
We could modify the code a bit further in an effort to allow only specific users:
<configuration>
  <system.web>
    <authentication …>
    </authentication>
    <authorization>
      <allow users="jruvalcaba,zruvalcaba" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
In this case, the users with the login names of jruvalcaba and zruvalcaba are allowed access to the application, but all other users (whether they’re logged in or not) will be denied access.
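The first-match rule is easy to get wrong when a file grows beyond two tags, so here is an added example, written for this page rather than taken from the book or from ASP.NET itself: a small C# console program that models how the <authorization> rules above are walked, and runs the book’s <allow>/<deny> pair in both orders against a few sample identities. Only the users attribute is modelled, and user name matching is treated as case-insensitive (an assumption).

```csharp
// Added example, not the book's code and not ASP.NET's own implementation:
// a model of the first-match walk over <allow>/<deny> rules described above.
using System;
using System.Collections.Generic;
using System.Xml;

public class AuthorizationRules
{
    // One parsed <allow> or <deny> element.
    private class Rule
    {
        public bool Allow;
        // Case-insensitive matching is an assumption of this model.
        public HashSet<string> Users =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    }

    private readonly List<Rule> rules = new List<Rule>();

    // Takes the <authorization> element exactly as written in Web.config.
    public AuthorizationRules(string authorizationXml)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(authorizationXml);
        foreach (XmlNode node in doc.DocumentElement.ChildNodes)
        {
            if (node.NodeType != XmlNodeType.Element) continue;
            if (node.Name != "allow" && node.Name != "deny")
                throw new ArgumentException("Unexpected element: " + node.Name);
            Rule rule = new Rule();
            rule.Allow = node.Name == "allow";
            XmlAttribute users = node.Attributes["users"];
            if (users != null)
                foreach (string name in users.Value.Split(','))
                    rule.Users.Add(name.Trim());
            rules.Add(rule);
        }
    }

    // userName == null stands for an anonymous request.
    // Walk the rules top to bottom; the first one that matches decides.
    public bool IsAllowed(string userName)
    {
        bool anonymous = userName == null;
        foreach (Rule rule in rules)
        {
            bool matches = rule.Users.Contains("*")
                || (anonymous && rule.Users.Contains("?"))
                || (!anonymous && rule.Users.Contains(userName));
            if (matches) return rule.Allow;
        }
        // Nothing matched: the machine-wide root web.config ends with
        // <allow users="*" />, so the request is let through.
        return true;
    }

    public static void Main()
    {
        // The book's example: named users allowed, everyone else denied.
        string bookOrder = @"<authorization>
  <allow users=""jruvalcaba,zruvalcaba"" />
  <deny users=""*"" />
</authorization>";
        // The same two rules swapped; the wildcard deny now matches first.
        string swappedOrder = @"<authorization>
  <deny users=""*"" />
  <allow users=""jruvalcaba,zruvalcaba"" />
</authorization>";

        AuthorizationRules good = new AuthorizationRules(bookOrder);
        AuthorizationRules bad = new AuthorizationRules(swappedOrder);
        string[] requests = { null, "zruvalcaba", "jruvalcaba", "guest" };
        foreach (string user in requests)
        {
            Console.WriteLine("{0,-12} book order: {1,-5} swapped: {2}",
                user ?? "(anonymous)", good.IsAllowed(user), bad.IsAllowed(user));
        }
    }
}
```

In the book’s order only jruvalcaba and zruvalcaba pass and every other identity, anonymous or not, is refused; with the two tags swapped, <deny users="*" /> matches every request before the <allow> tag is ever reached, so nobody gets in. Keep <deny users="*" /> as the last tag and put the exceptions above it.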
Now that you have a basic understanding of the ways in which user access is configured within the Web.config file, let’s see how we can use Web.config to store a list of users for our application.
Storing Users in Web.config
ASP.NET refuses to serve Web.config to a browser, which is why it is commonly used to hold a short list of user names and passwords. Keep in mind that it is still a plain text file on disk: anyone who can read the server’s file system, a backup, or your source control repository can read every password in it. Store only hashed passwords there (see Hashing Passwords, later in this chapter) and reserve this approach for small applications with a handful of accounts. The <credentials> tag, shown here within the forms element of the Web.config file, defines login credentials for two users:
File: Web.config
<authentication mode="Forms">
  <forms>
    <credentials passwordFormat="Clear">
      <user name="zak" password="zak" />
      <user name="jessica" password="jessica" />
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
As we want to prevent users from browsing the site if they’re not logged in, we use the appropriate <deny> tag in our <authorization> tag. The names and passwords of the users we will permit can then simply be specified in the <credentials> tag. Change your Web.config file to match the one shown above, and we’ll try another example.
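As an added example that is not the book’s Login.aspx code, here is a C# Click handler that checks the submitted name and password against the <credentials> list above with FormsAuthentication.Authenticate, and a helper that produces the value to store in Web.config once you switch passwordFormat to SHA1. The control names (usernameTextBox, passwordTextBox, rememberMeCheckBox, statusLabel) and the handler name are assumptions; the FormsAuthentication calls are the real ASP.NET 2.0 API.

```csharp
// Added example, not the book's code. Assumes a Login.aspx with TextBox
// controls usernameTextBox and passwordTextBox, a CheckBox rememberMeCheckBox,
// a Label statusLabel, and a Button whose Click event is wired to
// LoginButton_Click (all hypothetical names).
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string name = usernameTextBox.Text.Trim();
        string password = passwordTextBox.Text;

        // Authenticate() compares against the <credentials> list in
        // Web.config and honours passwordFormat (Clear, SHA1 or MD5).
        if (FormsAuthentication.Authenticate(name, password))
        {
            // Second argument: true issues a persistent cookie that survives
            // closing the browser ("Remember Me"); false gives a session cookie.
            FormsAuthentication.RedirectFromLoginPage(name, rememberMeCheckBox.Checked);
        }
        else
        {
            // One message for both an unknown name and a wrong password,
            // so the form does not reveal which user names exist.
            statusLabel.Text = "Invalid user name or password.";
        }
    }

    // Produces the value to paste into a <user password="..."> attribute
    // when <credentials passwordFormat="SHA1">: an uppercase hex SHA-1 digest.
    public static string HashForConfig(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }
}
```

Because Authenticate reads passwordFormat itself, the handler works unchanged after you change the tag to <credentials passwordFormat="SHA1"> and replace each password attribute with the output of HashForConfig. Note that HashPasswordForStoringInConfigFile produces an unsalted SHA-1 (or MD5) digest, so two users with the same password get the same value and a leaked Web.config can be attacked with precomputed tables; it is better than clear text, not a substitute for the salted hashes the ASP.NET 2.0 membership provider (covered later in this chapter) stores.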
Let’s modify the code that lies within the <head> tag of the Login.aspx page to validate the user names and passwords based on the Web.config file. Here’s what this change looks like: