Designing Secure ASP.NET Applications: Simple Forms Authentication
This example presents the simplest possible implementation of ASP.NET Forms-based Authentication. It is intended to illustrate the fundamentals of how to create an ASP.NET application that uses forms authentication.
In this scenario, the client requests a protected resource, Default.aspx. There is only one user who can gain access to the protected resource: jdoe@somewhere.com, with a password of password. The username and password are hard-coded into the Login.aspx file.
For an example of forms authentication that uses an XML file to hold usernames and passwords, see Forms Authentication Using An XML Users File.
There are three files involved: Default.aspx, Login.aspx, and Web.config. The files reside in the application root directory. The code in these files is analyzed in the following discussion.
You should set up the Web.config configuration file to have the following entries and place it in the application root directory (the directory in which Default.aspx resides).
<configuration>
<system.web>
...
</system.web>
</configuration>
- Set the authentication mode to Forms. Other possible values are Windows, Passport, and None (empty string). For this example, it must be Forms.
<authentication mode="Forms">
- Set the forms authentication attributes.
- Set the loginUrl attribute to "Login.aspx". Login.aspx is the URL to which ASP.NET redirects a request that does not carry a valid forms authentication ticket (the authentication cookie).
- Set the name of the cookie that carries the forms authentication ticket.
<authentication mode="Forms">
    <forms
        loginUrl="Login.aspx"
        name=".ASPXFORMSAUTH" />
</authentication>
- Deny unauthenticated users access to this directory.
<authorization>
    <deny users="?" />
</authorization>
Login.aspx is the file to which the request is redirected if ASP.NET does not find a forms authentication ticket with the request. This URL was set up in the configuration file. A form is presented to the client user. It has two text boxes (User E-mail and Password) and a Submit button. The user enters the e-mail name and password and clicks the Submit button. The code then compares this name and password to the pair that is hard-coded into the if statement. If the comparison succeeds, the user is redirected to Default.aspx. If it fails, an error message is presented to the user.
- Import the necessary namespace.
<%@ Import Namespace="System.Web.Security" %>
- Set up the script.
- Create a Login_Click event handler to handle the submit event.
- Authenticate the user by comparing the input name and password to those hard-coded into the code: jdoe@somewhere.com and password. If the comparison succeeds, redirect the request to the protected resource (Default.aspx). If the comparison fails, display an error message.
C#:
<script language="C#" runat="server">
    void Login_Click(Object sender, EventArgs E) {
        if ((UserEmail.Value == "jdoe@somewhere.com") &&
            (UserPass.Value == "password"))
            FormsAuthentication.RedirectFromLoginPage
                (UserEmail.Value, PersistForms.Checked);
        else
            Msg.Text = "Invalid Credentials: Please try again";
    }
</script>
VB:
<script language="VB" runat="server">
    Sub Login_Click(sender As Object, E As EventArgs)
        If ((UserEmail.Value = "jdoe@somewhere.com") And _
            (UserPass.Value = "password")) Then
            FormsAuthentication.RedirectFromLoginPage _
                (UserEmail.Value, PersistForms.Checked)
        Else
            Msg.Text = "Invalid Credentials: Please try again"
        End If
    End Sub
</script>
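The handler above compares the password with a plaintext literal. As an added example that is not part of the original sample, here is the same Login_Click verifying the credentials against a salted PBKDF2 hash (System.Security.Cryptography.Rfc2898DeriveBytes) with a fixed-time comparison; the in-memory user store, the iteration count, and the helper names are assumptions made for this illustration.

```csharp
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Collections.Generic" %>
<script language="C#" runat="server">
// Added example, not part of the original sample: the same Login_Click, but
// the password is checked against a salted PBKDF2 hash with a fixed-time
// comparison instead of against a plaintext literal.
const int Iterations = 100000;   // PBKDF2 work factor (assumed value)
const int SaltBytes = 16;
const int HashBytes = 32;
// Constructed single-user store: e-mail -> { salt, hash }. A real application
// loads these from a membership database; they are built at start-up here
// only so the page runs stand-alone ("password" is the page's sample secret).
static readonly Dictionary<string, byte[][]> Users = BuildStore();
static Dictionary<string, byte[][]> BuildStore() {
    byte[] salt = new byte[SaltBytes];
    using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
    return new Dictionary<string, byte[][]> {
        { "jdoe@somewhere.com", new[] { salt, Derive("password", salt) } }
    };
}
static byte[] Derive(string password, byte[] salt) {
    using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        return kdf.GetBytes(HashBytes);
}
// Compare every byte so the time taken does not depend on the first mismatch.
static bool FixedTimeEquals(byte[] a, byte[] b) {
    if (a.Length != b.Length) return false;
    int diff = 0;
    for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}
static bool VerifyUser(string email, string password) {
    byte[][] rec;
    if (!Users.TryGetValue(email, out rec)) {
        Derive(password, new byte[SaltBytes]);   // same cost for unknown users
        return false;
    }
    return FixedTimeEquals(Derive(password, rec[0]), rec[1]);
}
void Login_Click(Object sender, EventArgs E) {
    if (VerifyUser(UserEmail.Value, UserPass.Value))
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistForms.Checked);
    else
        Msg.Text = "Invalid Credentials: Please try again";
}
</script>
```

The markup of Login.aspx (the UserEmail, UserPass, PersistForms and Msg controls) is unchanged; only the script block is replaced.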
- Set up a form to collect the logon information.
- Create a UserEmail text box.
- Create a Password text box.
- Create a Persistent Forms check box. If the Persistent Forms box is checked, the authentication cookie is persisted and remains valid across browser sessions. Otherwise, the cookie is discarded when the browser is closed.
- Create a Submit button that causes the Login_Click event to be fired when posted back.
<body>
<form runat=server>
<h3>Login Page</h3>
<table>
<tr>
<td>Email:</td>
<td><input id = "UserEmail" type = "text" runat=server/></td>
<td><ASP:RequiredFieldValidator
ControlToValidate = "UserEmail"
Display = "Static"
ErrorMessage = "*"
runat=server/>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input id = "UserPass" type=password runat=server/></td>
<td><ASP:RequiredFieldValidator
ControlToValidate = "UserPass"
Display = "Static"
ErrorMessage = "*"
runat=server/>
</td>
</tr>
<tr>
<td>Persistent Forms:</td>
<td><ASP:CheckBox id=PersistForms runat = "server"
autopostback = "true" />
</td>
<td></td>
</tr>
</table>
<input type = "submit" onServerClick = "Login_Click" Value = "Login"
runat = "server" /><p>
<asp:Label id = "Msg" ForeColor = "red" Font-Name = "Verdana"
Font-Size = "10" runat=server />
</form>
</body>
The Default.aspx file is the requested, protected resource. It is a simple file that merely displays the string "Hello, " followed by the e-mail name recorded in the authentication ticket, and a Signout button.
C#:
<%@ Page language="C#" %>
<html>
<head>
<title>Forms Authentication</title>
<script runat=server>
private void Page_Load ( Object sender, EventArgs e ) {
Welcome.InnerHtml = "Hello, " + Context.User.Identity.Name;
}
private void Signout_Click ( Object sender, EventArgs E ) {
FormsAuthentication.SignOut ( );
Response.Redirect ( "Login.aspx" );
}
</script>
</head>
<body>
<h3>Using Forms Authentication</h3>
<span id = "Welcome" runat=server/>
<form runat=server>
<p><input type = "submit" onServerClick = "Signout_Click" Value = "Signout"
runat = "server" />
</form>
</body>
</html>
VB:
<%@ Page language="VB" %>
<html>
<head>
<title>Forms Authentication</title>
<script runat=server>
Sub Page_Load ( Src As Object, E As EventArgs )
Welcome.InnerHtml = "Hello, " & Context.User.Identity.Name
End Sub
Sub Signout_Click ( sender As Object, E As EventArgs )
FormsAuthentication.SignOut ( )
Response.Redirect ( "Login.aspx" )
End Sub
</script>
</head>
<body>
<h3>Using Forms Authentication</h3>
<span id = "Welcome" runat=server/>
<form runat=server>
<p><input type = "submit" onServerClick = "Signout_Click" Value = "Signout"
runat = "server" />
</form>
</body>
</html>