Monday 6 August 2007

Forms Authentication

It's been 5 days since my last post. Wondering what this silence should imply: have I forgotten how to write, or is there little to write? Well, the former is somewhat far-fetched. As for the latter, it's true to some extent. Although there is lots to write about, currently I would not like to go into those topics.

Well, in my last blog I wrote that I would be starting to work with Forms Authentication. Well, the ride to gaining knowledge is often bumpy. I started well, going into the details of Forms Authentication in MSDN. Somewhere, I took a turn that delayed me from reaching the goal sooner. I came across the topic of SSL (Secure Sockets Layer), which was mentioned as being needed for the login form to be more secure. Although for my web pages SSL is hardly necessary, I researched long enough that I could not finish the job during the day. It was only when one of the experienced members of my team explained that SSL is not necessary for general websites that I stopped searching for the certificate.

Now, coming to the topic of Forms Authentication, I am writing here snippets of the code that are necessary for the pages to function correctly.

1.Web.config file




-mode is "Windows" by default; we change it to "Forms".
-Inside the forms tag, name is the name of the cookie where the information is stored. We can give our own name for convenience; otherwise it will take the default ".ASPXAUTH" name.
-loginUrl is the page where we need to log in. Even if the user types the address of another page of the website, he will be automatically redirected to the loginUrl page.
-protection has different levels; one can choose according to his needs.
-credentials is optional; we may also use a database connection, especially when the number of users is larger.
-passwordFormat: we have to choose between three; Clear is the normal choice, although less secure.




This tag tells who is authorised to view the pages.
-allow users: we can specify the user names, the default being "*", which means all.
-deny users: generally this is for un-authenticated users, "?". We can, however, also specify certain users to be denied.



In case the number of users is high, we need to use a database. The connection is made as above.
key is the name used to refer to the connection string.
Some pages need to be kept open for everyone to view. We can name these specifically through the location tag.
-path denotes the page name.
-allowOverride, if true, will allow the settings to be overridden by other pages.
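
A Web.config that puts the settings described above in one place, as an added example (it is not the configuration from the original post). The cookie name, page names, user name, key name and the connection-string and hash values are placeholders chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example: all names and values below are placeholders. -->
<configuration>
  <appSettings>
    <!-- key is the name the code uses to look up the connection string -->
    <add key="ConnStr" value="REPLACE_WITH_CONNECTION_STRING" />
  </appSettings>
  <system.web>
    <!-- mode defaults to "Windows"; "Forms" enables cookie-based login -->
    <authentication mode="Forms">
      <!-- name: ticket cookie (default is .ASPXAUTH)
           loginUrl: page that unauthenticated requests are redirected to
           protection="All": the ticket is both encrypted and validated
           requireSSL="true": the cookie is sent only over HTTPS, so the
           site must be served over SSL; set to "false" otherwise -->
      <forms name=".MYSITEAUTH" loginUrl="Login.aspx" protection="All"
             timeout="30" requireSSL="true">
        <!-- Weak: passwordFormat="Clear" leaves readable passwords here:
               <user name="alice" password="plain-text-password" />
             Stronger: store a hash, so reading this file does not
             reveal the password itself. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="REPLACE_WITH_SHA1_HEX_OF_PASSWORD" />
        </credentials>
      </forms>
    </authentication>
    <!-- Rules are checked top to bottom and the first match wins:
         anonymous users ("?") are denied, everyone else is allowed. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- One page left open to all visitors, including anonymous ones -->
  <location path="About.aspx" allowOverride="true">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With passwordFormat="SHA1", FormsAuthentication.Authenticate hashes the submitted password before comparing it; the stored value can be produced with FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1").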

2. Login.aspx
If FormsAuthentication.Authenticate(Login1.UserName, Login1.Password) Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Response.Redirect("Default.aspx")
End If

I used the Login control, although a normal text box is good enough for the case.
The code is self-explanatory: on logging in, the user will go to the "Default.aspx" page.

Dim cooky As HttpCookie = New HttpCookie("UserName", Login1.UserName)
cooky.Expires = DateTime.Now.AddHours(1)
Response.Cookies.Add(cooky)

-We can add cookies to the page so as to carry the user name to the other pages.

That's all for today.

Thursday 2 August 2007

Cookies

Yesterday I was going through the concept of cookies, for the first time in terms of applying it in one of my websites. I had to store some data, to be more specific the name of the logged-in person, so that the next page can say Hi to him in a more familiar way. It works fine while going by the intended route, i.e. from the login page to the next page. It also worked fine when I refreshed the page. I used the following code to write the cookie:

Dim cookiename as new HttpCookie("name")
cookiename.Value=dr("FirstName")+" "+dr("LastName")
cookiename.Expires=DateTime.Now.AddDays(7)
cookiename.Domain="Default3.aspx"
Response.Cookies.Add(cookiename)

Here "name" is the name of the cookie and dr is defined as:
"Dim dr As SqlDataReader"
which I used to access the data from server.
The expiry time I kept at 7 days from the last time of logging in.
And Domain is the page for which the cookie "name" is intended.

On the "Default3.aspx" page, I wrote the following code on Page Load to invoke the cookie
Response.Write("Hi Mr. " + Request.Cookies("Name").Value + "")

I started getting problems when redirecting to the "Default3.aspx" page from a page other than the login page. I was confused why the cookie can't store the values for 7 days or until I log on as a different user. Whatever the solution may be, at this point my Technical Lead suggested that I work on Forms authentication, something which will be more secure compared to cookies (cookies can't be used to store secure information).
Now I have jumped to the learning part of forms authentication. I hope my next blog is going to be on the same topic. Till then....:-)

Wednesday 1 August 2007

Some Thoughts

So at last I joined the geek world of blogs. Blogs had never attracted me. Why? Well, it seemed to go against the spirit of privacy in your own life. If I am writing something, it can swing between the most public topics and the most private news. One may argue that it's up to you as to what you want to write, but the truth is that even the most sane people get carried away at times with the flow of the current. Words are like arrows. Once you release them, there is no way that you can stop them. That's why I believe in control of the words that we speak. But blogs seem to encourage one to share his personal thoughts as well as incidents. There have been times it has helped a cause. But there have been no fewer times that it hurt numerous people. Sitting in an A/C room, in a virtual world of its own, it's difficult to fathom the difference that a few words can make to others. Just ask yourself on one of those off days, when you feel alone, lonely, which matters more: a friendly, reassuring hug, let it be from anybody, even a stranger, or a big Hi in a chat room from one of your numerous chat friends?
In retrospect, I feel my first blog is more against the "blog society". Well, I have to agree that knowledge transfer has been much better with blogs coming into life. I agree, I also gained enormously from numerous forums. So, where am I against? Perhaps I should make myself clear there. I have reservations against the online diary, and here I feel strongly.
I never thought that I would also be part and parcel of the blog world, until my Technical Leader, Mr Abraham, asked me to create a blog. I wonder what my thoughts will be a few years from now. Let's wait and see. :-)