Source: Build Your Own ASP.NET 2.0 Web Site Using CSharp And VB (2006) [eng]-1.pdf

Chapter 13: Security and User Authentication

Visual Basic File: Login.aspx.vb (excerpt)

' Handles the Click event of the login button
Sub LoginUser(s As Object, e As EventArgs)
  ' Authenticate returns True only if the name/password pair matches
  ' a <user> entry in the <credentials> section of Web.config
  If FormsAuthentication.Authenticate(username.Text, _
      password.Text) Then
    ' Issue the authentication ticket and send the user back to the page
    ' originally requested; True makes the ticket a persistent cookie
    FormsAuthentication.RedirectFromLoginPage(username.Text, True)
  End If
End Sub

C# File: Login.aspx.cs (excerpt)

// Handles the Click event of the login button
void LoginUser(Object s, EventArgs e)
{
  // Authenticate returns true only if the name/password pair matches
  // a <user> entry in the <credentials> section of Web.config
  if (FormsAuthentication.Authenticate(username.Text, password.Text))
  {
    // Issue the authentication ticket and send the user back to the page
    // originally requested; true makes the ticket a persistent cookie
    FormsAuthentication.RedirectFromLoginPage(username.Text, true);
  }
}

In this case, we use the Authenticate method of the FormsAuthentication class, which takes a user name and password and returns True only if they match one of the users defined in the <credentials> tag within the Web.config file. When they do, RedirectFromLoginPage issues the authentication ticket and sends the user back to the page originally requested. Its second argument (True here) makes that ticket a persistent cookie that survives closing the browser; pass False if you want the login to last only for the current browser session. Save your work and test the results in the browser. Again, when you enter credentials that match those in the Web.config file, you'll be redirected to the page you requested.

In order to make this solution easier to maintain, you could write code that checks the username and password against a database. However, ASP.NET 2.0 has built-in features that do all this work for you; we'll look at them a little later in this chapter.

Hashing Passwords

You can provide an increased level of protection for your users’ passwords by storing them in a hashed format.

A hashing algorithm is an algorithm that performs an irreversible but reproducible transformation on some input data. If we hash a user’s password before storing it, then, when that user tries to log in, we simply apply the same hashing algorithm to the password the user has entered, and compare the results with the stored value.

You can store hashed versions of passwords in your database; you can even store hashed passwords in Web.config. If you choose the latter option, you'll obviously need a means of hashing your passwords when you add new users to the file. For a quick test, you can use an online hashing tool.3 Simply supply the tool with a "cleartext" string (the desired password) and a hashing algorithm, and it will give you the hashed version of the string. Do this only with throwaway test passwords: a real password pasted into a third-party web page has been disclosed to that site.

The built-in hashing algorithms that ASP.NET supports for the <credentials> tag are MD5 and SHA1. Both are applied without a salt, so the same password always produces the same hash, and both are fast, so anyone who obtains a copy of Web.config can test password guesses against the stored values very quickly. That is fine for this exercise, but for real accounts you want a salted, deliberately slow password hash. If you were to hash the string "cristian" using MD5, the hashed version would be B08C8C585B6D67164C163767076445D6. Here's what your Web.config file would look like if you wanted to assign the password "cristian" to the user "cristian":

<authentication mode="Forms">
  <forms>
    <credentials passwordFormat="MD5">
      <user name="cristian"
        password="B08C8C585B6D67164C163767076445D6" />
    </credentials>
  </forms>
</authentication>

After you make this change, execute your project again. When the login form appears, enter cristian for the username, and cristian for the password, and you should be redirected to the requested page (which, by default, is the homepage).

Hashing Passwords Programmatically

I won't insist on using Web.config because ASP.NET 2.0 offers the much more powerful option of storing credentials in the database. However, if you want to hash passwords yourself without using an online tool, you can use the HashPasswordForStoringInConfigFile method of the FormsAuthentication class, which takes as parameters the cleartext password and the name of the hashing algorithm you want to use, "MD5" or "SHA1", and returns the uppercase hexadecimal string to paste into the password attribute.
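The following console program is an added example, not code from the book. It reproduces what HashPasswordForStoringInConfigFile produces (MD5 or SHA1 over the UTF-8 bytes of the password, rendered as uppercase hex), so you can generate values for the <credentials> tag without a web project or an online tool, and it shows the verification step that the "hash the attempt and compare" description above amounts to. The class and method names (ConfigPasswordHasher, HashForConfig, Verify) are my own; only System.Security.Cryptography from the .NET Framework is assumed.

```csharp
// Added example (not from the book): generate and verify <credentials>
// hashes the way FormsAuthentication.HashPasswordForStoringInConfigFile does.
using System;
using System.Security.Cryptography;
using System.Text;

static class ConfigPasswordHasher
{
    // Hash the UTF-8 bytes of the password with MD5 or SHA1 and return
    // uppercase hex, which is the format the <credentials> tag expects.
    // In a web project, FormsAuthentication.HashPasswordForStoringInConfigFile
    // (password, "MD5") returns exactly the same string.
    public static string HashForConfig(string password, string passwordFormat)
    {
        if (password == null) throw new ArgumentNullException("password");
        if (passwordFormat == null) throw new ArgumentNullException("passwordFormat");

        HashAlgorithm algorithm;
        switch (passwordFormat.ToUpperInvariant())
        {
            case "MD5":  algorithm = MD5.Create();  break;
            case "SHA1": algorithm = SHA1.Create(); break;
            default: throw new ArgumentException("passwordFormat must be MD5 or SHA1", "passwordFormat");
        }

        using (algorithm)
        {
            byte[] digest = algorithm.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) hex.Append(b.ToString("X2"));
            return hex.ToString();
        }
    }

    // Verify a login attempt: hash what the user typed and compare it with
    // the stored hash. The loop always runs over every character, so the
    // time taken does not reveal how many leading characters matched.
    public static bool Verify(string enteredPassword, string storedHash, string passwordFormat)
    {
        string attempt = HashForConfig(enteredPassword, passwordFormat);
        if (attempt.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < attempt.Length; i++)
            diff |= attempt[i] ^ char.ToUpperInvariant(storedHash[i]);
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample: the user and password from the text above.
        string stored = HashForConfig("cristian", "MD5");
        Console.WriteLine("MD5 value for the password attribute:  " + stored);
        Console.WriteLine("SHA1 value for the password attribute: " + HashForConfig("cristian", "SHA1"));
        Console.WriteLine("correct password accepted: " + Verify("cristian", stored, "MD5"));
        Console.WriteLine("wrong password rejected:   " + !Verify("Cristian", stored, "MD5"));
    }
}
```

Compile it with csc.exe and run it; the MD5 line should match the value quoted in the text above, and the last two lines should both print True. Keep the unsalted nature of these hashes in mind: Verify rejects a wrong password, but it does nothing to slow down someone guessing passwords offline against a leaked Web.config.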

Logging Users Out

You'll usually want to provide users with the ability to log out once they've finished browsing your site. People gain security from the knowledge that they have successfully logged out, and rightly so, since it's possible for an attacker to hijack (or spoof) an existing login while it remains active. The first step to take in order to create logout functionality for your application is to insert a suitable control that users can click on when they finish browsing.
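As an added example (not the book's code), here is the code-behind handler such a control would call. It assumes the Web.config <authentication mode="Forms"> setup used throughout this section; the class name Logout and the method name LogoutUser are my own choices. Note what SignOut does and does not do: it removes the authentication cookie from the browser that made the request, but the ticket inside that cookie is not revoked on the server and remains valid until its timeout expires, so a copy an attacker has already captured keeps working until then. Short timeouts and requireSSL="true" on the <forms> element limit that window.

```csharp
// Added example (not from the book): the handler behind a "Log out" control.
using System;
using System.Web;
using System.Web.Security;

public partial class Logout : System.Web.UI.Page
{
    // Wire this to the Click event of the control, e.g.
    // <asp:LinkButton id="logoutLink" runat="server"
    //   Text="Log out" OnClick="LogoutUser" />
    protected void LogoutUser(object s, EventArgs e)
    {
        // Remove the forms-authentication ticket cookie from this browser.
        // The ticket itself is not revoked; it simply expires on schedule.
        FormsAuthentication.SignOut();

        // Drop server-side session state too, so nothing tied to the old
        // login survives a later login in the same browser.
        Session.Abandon();

        // Send the user to the loginUrl configured in Web.config
        // (RedirectToLoginPage was added in ASP.NET 2.0).
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

If you want logout to be reachable from every page, put the control in the master page and point its OnClick at a handler like this one in the master page's code-behind.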

3 Try the one at http://aspnetresources.com/tools/pwdhash.aspx.
