Describes the sample membership providers and their supported data source schema.
The following topics include the code for a sample membership provider implementation. The sample provider uses the .NET Framework Data Provider for ODBC to connect to an ODBC data source. The sample uses an Access database as its data source.
This topic describes implementation details about the sample membership provider and describes how to build the sample and configure an ASP.NET application to use the sample provider.
NOTE: Because data sources contain differing SQL syntax, some commands will work with one data source and not with another. Therefore, you should create a membership provider specific to your data source even if you are using the .NET Framework Data Provider for ODBC or the .NET Framework Data Provider for OLEDB to access your data source, for example, SybaseMembershipProvider, OracleMembershipProvider, and so on.
There are two versions of the sample provider included: one in Visual Basic and another in C#.
To create the Access table used by the sample provider, issue the following data-definition query in a new or existing Access database.
CREATE TABLE Users (
    PKID Guid NOT NULL PRIMARY KEY,
    Username Text ( 255 ) NOT NULL,
    ApplicationName Text ( 255 ) NOT NULL,
    Email Text ( 128 ) NOT NULL,
    Comment Text ( 255 ),
    Password Text ( 128 ) NOT NULL,
    PasswordQuestion Text ( 255 ),
    PasswordAnswer Text ( 255 ),
    IsApproved YesNo,
    LastActivityDate DateTime,
    LastLoginDate DateTime,
    LastPasswordChangedDate DateTime,
    CreationDate DateTime,
    IsOnLine YesNo,
    IsLockedOut YesNo,
    LastLockedOutDate DateTime,
    FailedPasswordAttemptCount Integer,
    FailedPasswordAttemptWindowStart DateTime,
    FailedPasswordAnswerAttemptCount Integer,
    FailedPasswordAnswerAttemptWindowStart DateTime
)
If the sample provider encounters an exception when working with the data source, it writes the details of the exception to the application event log instead of returning the exception to the ASP.NET application. This is done as a security measure to prevent private information about the data source from being exposed in the ASP.NET application.
The sample provider specifies an event Source of "OdbcMembershipProvider." Before your ASP.NET application will be able to write to the Application Event Log successfully, you will need to create the following registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\OdbcMembershipProvider
If you do not want the sample provider to write exceptions to the event log, then you can set the writeExceptionsToEventLog attribute to false in the web.config file.
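The logging behavior described above, sketched in C# as an added example; this is not the sample provider's own code. The class name SafeOdbcExecutor, the CountUsers method, and the generic message text are hypothetical, and rethrowing the original exception when writeExceptionsToEventLog is false is an assumption.

```csharp
using System;
using System.Configuration.Provider;
using System.Data.Odbc;
using System.Diagnostics;

// Hypothetical helper for illustration; not the sample provider's own code.
public sealed class SafeOdbcExecutor
{
    private const string EventSource = "OdbcMembershipProvider"; // source named on this page
    private const string GenericMessage =
        "An exception occurred. Please check the event log."; // constructed text

    private readonly string connectionString;
    private readonly bool writeExceptionsToEventLog;

    public SafeOdbcExecutor(string connectionString, bool writeExceptionsToEventLog)
    {
        this.connectionString = connectionString;
        this.writeExceptionsToEventLog = writeExceptionsToEventLog;
    }

    // Counts rows in the Users table for one application (parameterized query).
    public int CountUsers(string applicationName)
    {
        try
        {
            using (var conn = new OdbcConnection(connectionString))
            using (var cmd = new OdbcCommand(
                "SELECT COUNT(*) FROM Users WHERE ApplicationName = ?", conn))
            {
                cmd.Parameters.Add("@ApplicationName", OdbcType.VarChar, 255).Value = applicationName;
                conn.Open();
                return Convert.ToInt32(cmd.ExecuteScalar());
            }
        }
        catch (OdbcException e)
        {
            if (!writeExceptionsToEventLog) throw; // assumption: flag off means rethrow as-is
            // Full detail (driver text, SQL state, stack trace) goes to the event log only.
            using (var log = new EventLog { Log = "Application", Source = EventSource })
            {
                log.WriteEntry("Data source error in CountUsers:\n\n" + e, EventLogEntryType.Error);
            }
            // The caller gets a generic message with no inner exception attached.
            throw new ProviderException(GenericMessage);
        }
    }
}
```

If the event source is not registered and the application identity lacks the rights to create it, WriteEntry itself throws, which is why the registry key above has to exist first.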
In order to use the sample provider, you can place your source code in the App_Code directory of your application. Note that if you already have source code in the App_Code directory of your application, you must add the version of the sample provider that is written in the same language as the existing code in the directory. The provider will be compiled by ASP.NET when your application is requested.
You can also compile the sample provider as a library and place it in the Bin directory of your Web application, or strongly name it and place it in the GAC. The following commands show how to compile the sample provider using the command-line compiler.
C#:
csc /out:OdbcMembershipProvider.dll /t:library OdbcMembershipProvider.cs /r:System.Web.dll /r:System.Configuration.dll
VB:
vbc /out:OdbcMembershipProvider.dll /t:library OdbcMembershipProvider.vb /r:System.Web.dll /r:System.Configuration.dll
The following example shows the web.config file for an ASP.NET application configured to use the sample provider. The configuration file assumes the existence of two files, CreateUser.aspx and RetrievePassword.aspx. The two files are accessible to all users, even those who are not logged in.
The example uses an ODBC DSN named "MembershipUsers" to obtain connection information for the Access database. To use the sample provider, you will need to either create the "MembershipUsers" System DSN or supply a valid ODBC connection string to your database.
<configuration>
  <location path = "CreateUser.aspx">
    <system.web>
      <authorization>
        <allow users = "?" />
      </authorization>
    </system.web>
  </location>
  <location path = "RetrievePassword.aspx">
    <system.web>
      <authorization>
        <allow users = "?" />
      </authorization>
    </system.web>
  </location>
  <connectionStrings>
    <add name = "OdbcServices" connectionString = "DSN=MembershipUsers;" />
  </connectionStrings>
  <system.web>
    <authentication mode = "Forms" >
      <forms loginUrl = "login.aspx"
             name = ".ASPXFORMSAUTH" />
    </authentication>
    <authorization>
      <deny users = "?" />
    </authorization>
    <membership defaultProvider = "OdbcProvider"
                userIsOnlineTimeWindow = "15">
      <providers>
        <add name = "OdbcProvider"
             type = "Samples.AspNet.Membership.OdbcMembershipProvider"
             connectionStringName = "OdbcServices"
             enablePasswordRetrieval = "true"
             enablePasswordReset = "true"
             requiresQuestionAndAnswer = "true"
             writeExceptionsToEventLog = "true" />
      </providers>
    </membership>
  </system.web>
</configuration>