Build Your Own ASP.NET 3.5 Website Using C# & VB (96 page)

560

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

Execute your project and you’ll see the simple, yet functional, Login page shown

in
Figure 13.2.

Figure 13.2. The simple Dorknozzle Login page

In the code above, the If statement is used to check whether or not the user typed

in the correct username and password. If the username and password entered were

username
and
password
, respectively, we call the FormsAuthentication class’s

RedirectFromLoginPage method, passing in two parameters.

The first parameter is the username that will be stored in the authentication ticket

(the cookie that’s sent to the user’s browser). We’ll simply use the username entered

into the form for this example. The second parameter is a Boolean value that indicates whether a persistent cookie should be created. By setting this value to True, you allow your users to close their browsers, open them again, navigate back to

your site, and still be logged in to the application. Setting this value to False allows

users to be logged in only as long as their browsers remain open. If they close their

browsers, reopen them, and navigate to your site, they’ll have to log in again.4

Once you enter the correct name and password, you’ll be forwarded to the page you

initially requested—by default, this is the homepage.

4 You could add a
Remember Me
checkbox, and decide the value of the second parameter based on the user’s preference.

Licensed to [email protected]

Security and User Authentication

561

Configuring Forms Authentication

In the previous section, we created a basic Login page. We also modified the

Web.config
file to enable the forms authentication mode. In this section, we’ll explore the forms authentication section of the
Web.config
file in greater detail.

Aside from the basic authentication mode, the tag within the

Web.config
file may contain a tag. The tag accepts the following attributes:

loginUrl

This attribute specifies the page that the user is redirected to when authentication

is necessary. By default, this page is called
login.aspx
. Using this attribute, you

can modify the filename to anything you like.

name

This attribute specifies the name of the cookie to be stored on the user’s machine.

By default, the name is set to .ASPXAUTH.

timeout

This attribute specifies the amount of time in minutes before the cookie expires.

By default, this value is set to 30 minutes.

path

This attribute specifies the path to the location at which the cookie is stored.

By default, this value is set to /.

protection

This attribute controls the way(s) in which the cookie data is protected. Values

include All, None, Encryption, and Validation. The default value is All.

cookieless

A new ASP.NET feature, this attribute forces your application to use the URL

instead of a cookie to identify the logged-in user. The possible values are

UseCookies (use the cookie to identify the user), UseUri (use the URL to store

identification data), AutoDetect (try to detect if the user client supports cookies),

and UseDeviceProfile (use cookies if the user client is known to support them).

The default is UseDeviceProfile.

Licensed to [email protected]

562

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

Applying the cookieless authentication mode is similar to using cookieless

sessions, and can be used to support visitors who have cookies disabled. When

the URL is used to identify the visitor, the links in your web site will automatically be modified to include the identification information, and will look like this:

http://localhost/Dorknozzle/(F(oyVZpBZ3w7Iz_LEFRukBigAf

nxM5QzvMY374YdcVjfcfgKJt8SJ3x9pVlrvUSUKbAiMuTP4rylvvNi7

HQH3ta9kMmQWQmZM5aT13GkenHPk1))/Default.aspx

slidingExpiration

This attribute specifies whether the cookie’s expiration date (which is specified

using the timeout attribute) should be reset on subsequent requests of a user’s

session. The default value in ASP.NET 1.x was True, and the default value in

ASP.NET is False.

An example
Web.config
file to which the tag has been applied might look

like this:

protection="All" timeout="40" path="/"

cookieless="UseUri"/>

⋮

Configuring Forms Authorization

As is the case with the authentication section of the
Web.config
file, the

tag can be modified to provide or deny certain users access to

your application, allowing you to make extremely specific decisions regarding who

is, and is not, accepted into the app. For instance, the following code allows all

authenticated (non-anonymous) users except for andrei:

Licensed to [email protected]

Security and User Authentication

563

Here, we again use the question mark (?) to force users to log in, thus denying anonymous users access to our application. We’ve also added another tag, for the user andrei. In a nutshell, the two deny elements will allow everyone except

andrei to log in.

In addition to tags, the tag may contain tags—we’ll see an example of this in a moment. For each user who attempts to access the application, ASP.NET will read through the tags in and find the first tag that matches that user. If it turns out to be a tag, that user will be denied access to the application; if it’s an tag, or if no matching tag is found, the user will be granted access.

The users attribute of and will accept three types of values:

?

Use this value to allow or deny all anonymous users. This is the most common

value used with forms authentication.

*

Use this value to allow or deny all users, including users who are logged in.

user
, …

As with andrei above, we can allow or deny access to a specific user via this

attribute. We can list several users by separating their names with commas.

We could modify the code a bit further in an effort to allow only specific users:

Licensed to [email protected]

564

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

In this case, the users with the login names of john and jane are allowed access to

the application, but all other users (whether they’re logged in or not) will be denied

access.

Now that you have a basic understanding of the ways in which user access is configured within the
Web.config
file, let’s see how we can use
Web.config
to store a list of users for our application.

Storing Users in Web.config

The great thing about the
Web.config
file is that it is secure enough for us to store

usernames and passwords in it with confidence. The tag, shown

here within the forms element of the
Web.config
file, defines login credentials for

two users:

DorkNozzle\VB\07_web.config

As we want to prevent users from browsing the site if they’re not logged in, we use

the appropriate tag in our tag. The names and passwords

of the users we will permit can then simply be specified in the tag.

Change your
Web.config
file to match the one shown above, and we’ll try another

example.

Licensed to [email protected]

Security and User Authentication

565

Let’s modify the code in the code-behind file for the
Login.aspx
page to validate the

usernames and passwords based on the
Web.config
file. Here’s what this change

looks like:

Visual Basic

DorkNozzle\VB\08_Login.aspx.vb
(excerpt)

Sub LoginUser(s As Object, e As EventArgs)

If
FormsAuthentication.Authenticate(username.Text, _

password.Text)
Then

FormsAuthentication.RedirectFromLoginPage(username.Text, True)

End If

End Sub

C#

DorkNozzle\CS\08_Login.aspx.cs
(excerpt)

void LoginUser(Object s, EventArgs e)

{

if (
FormsAuthentication.Authenticate(username.Text,

password.Text)
)

{

FormsAuthentication.RedirectFromLoginPage(username.Text,

true);

}

}

In this case, we use the Authenticate method of the FormsAuthentication class,

which checks a username and password against the users defined in the

tag within the
Web.config
file. Save your work and test the results in the browser. Again, when you enter credentials that match those in the

Web.config
file, you’ll be redirected to the page you requested.

In order to make this solution easier to maintain, you
could
write code that checked

the username and password against a database. However, as it turns out, ASP.NET

has built-in features that do all this work for you. We’ll look at them a little later in

this chapter.

Hashing Passwords

You can provide an increased level of protection for your users’ passwords by

storing them in a hashed format.

Licensed to [email protected]

566

Build Your Own ASP.NET 3.5 Web Site Using C# & VB

A
hashing
algorithm is an algorithm that performs an irreversible but reproducible

transformation on some input data. If we hash a user’s password before storing it,

then, when that user tries to log in, we can simply apply the same hashing algorithm

to the password the user has entered, and compare the results with the stored value.

You can store hashed versions of passwords in your database—you can even store

hashed passwords in
Web.config
. If you choose the latter option, you’ll obviously

need a means of hashing your passwords when you add new users to the file. For

a quick test, you can use an online hashing tool.5 Simply supply the tool with a

cleartext
string (the desired password in its original unencoded state) and a hashing

algorithm, and it will give you the hashed version of the string.

The built-in hashing algorithms that ASP.NET supports are MD5 and SHA1. If you

were to hash the string “cristian” using MD5, the hashed version would be