ASP.NET Membership is configured using the membership element in the web.config file for your application. The membership element is a sub-element of the system.web section. You can enable ASP.NET Membership for an application by directly editing the web.config file for that application, or you can use the Web Site Administration Tool, which provides a wizard-based interface. As part of membership configuration, you specify:
- Which membership provider (or providers) to use. (This typically also specifies what database to store membership information in.)
- Password options such as encryption and whether to support password recovery based on a user-specific question.
- Users and passwords. If you are using the Web Site Administration Tool, you can create and manage users directly. Otherwise, you must call membership functions to create and manage users programmatically.
For an example of configuring ASP.NET Membership using the Web Site Administration Tool, see Creating a Web Site with Membership and User Login.
You specify the default membership provider using the defaultProvider attribute of the membership element. The machine configuration specifies a SqlMembershipProvider instance named "AspNetSqlMembershipProvider" that is identified as the default provider if you do not specify a default provider explicitly. The "AspNetSqlMembershipProvider" connects to the aspnetdb database in the local SQL Server.
NOTE: You need to set up the database used by the SqlMembershipProvider before using it in an application. For details, see Creating and Configuring the Application Services Database for SQL Server.
You can also specify the default provider instance and options for that provider by configuring a provider in the membership section. You use the providers element to identify a provider to add to the collection of providers available for the application. You can identify your provider instance as the default provider by using the value of the name attribute as the defaultProvider value. When you specify a provider instance, you must also specify a valid connection string for that instance by using the connectionStrings section of the configuration. For example, the following web.config file identifies a SqlMembershipProvider instance that connects to a SQL Server other than the local server.
<configuration>
  <connectionStrings>
    <add name="MySqlConnection"
         connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             name=".ASPXFORMSAUTH" />
    </authentication>
    <authorization>
      <!-- "?" matches anonymous (unauthenticated) users -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="SqlProvider"
                userIsOnlineTimeWindow="15">
      <providers>
        <!-- Remove providers inherited from higher-level configuration -->
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MySqlConnection"
             applicationName="MyApplication"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             passwordFormat="Hashed" />
      </providers>
    </membership>
  </system.web>
</configuration>
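A review check for the provider and password options described above, as an added example that is not part of the original documentation: it parses a web.config document and flags provider settings that weaken password storage or leave the provider collection or connection string ambiguous. The WEAK_CONFIG sample, the audit_membership function and the finding texts are constructed for illustration, and the check assumes the configuration root element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a deliberately weak variant of the configuration shown above.
WEAK_CONFIG = """<configuration>
  <connectionStrings>
    <add name="MySqlConnection" connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;User ID=app;Password=example;" />
  </connectionStrings>
  <system.web><membership defaultProvider="SqlProvider"><providers>
    <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="MySqlConnection" enablePasswordRetrieval="true"
         passwordFormat="Encrypted" />
    <add name="Orphan" type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="NoSuchConnection" passwordFormat="Hashed" />
  </providers></membership></system.web>
</configuration>"""


def audit_membership(config_xml):
    """Return sorted (provider, finding) pairs for one web.config document."""
    root = ET.fromstring(config_xml)  # assumes no xmlns on <configuration>
    conns = {c.get("name"): c.get("connectionString", "")
             for c in root.findall("./connectionStrings/add")}
    membership = root.find("./system.web/membership")
    if membership is None:
        return [("-", "no membership element: machine-level default provider is used")]
    findings = []
    providers = membership.find("providers")
    adds = [] if providers is None else providers.findall("add")
    if providers is None or providers.find("clear") is None:
        findings.append(("-", "no <clear />: inherited providers remain available"))
    default = membership.get("defaultProvider")
    if default and adds and default not in {a.get("name") for a in adds}:
        findings.append(("-", "defaultProvider does not name a provider in this file"))
    for a in adds:
        name = a.get("name", "?")
        # passwordFormat defaults to Hashed and enablePasswordRetrieval to false.
        if a.get("passwordFormat", "Hashed").lower() != "hashed":
            findings.append((name, "passwordFormat is not Hashed: stored passwords are recoverable"))
        if a.get("enablePasswordRetrieval", "false").lower() == "true":
            findings.append((name, "enablePasswordRetrieval is true"))
        cs = conns.get(a.get("connectionStringName"))
        if cs is None:
            findings.append((name, "connectionStringName has no matching entry in this file"))
        elif "password=" in cs.lower() or "pwd=" in cs.lower():
            findings.append((name, "connection string embeds a SQL password"))
    return sorted(findings)
```

Run against the web.config shown above, the function returns an empty list; against WEAK_CONFIG it returns five findings.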