Monday, 6 August 2007

Forms Authentication

Its been 5 days since my last post. Wondering what this silence should imply- I have forgotten how to write Or there is little to write. Well, the former is somewhat far-fetched. As for the latter, its true to some extent. Although there is lots to write about, currently I would not like to go into those topics.

Well, in my last blog I wrote that I will be starting to working with Forms Authentication. Well, rides to gaining knowledge is often bumpy. I started well, going into the details of the Forms Authentication in MSDN. Somewhere, I took a turn that delayed me from reaching the goal sooner. I came throught the topic of SSL (Secure Socket Layer) which was mentioned to be needed for the login form to be more secure. Although for my web pages SSL is hardly necessary, I researched long enough that I could not finish the job during the day. Its only when one of the experienced members of my team explained that SSL is not necessary for general websites, that I stopped searching for the certificate.

Now coming to the topic of Forms Authentication, I am writing here snippets of the codes that are necessary for correct functioning of the pages.

1.Web.config file




-Mode is by default "windows", we change to "forms"
-Inside forms tag, name implies the cookie name where the information is stored. we can give our own name for convenience, other it will take the default ".ASPXAUTH" name.
-loginUrl is the page where we need to login. Even if the user types another page of the website, he will be auto redirected to the loginUrl page.
-protection have different types of level, one can choose according to his needs
-credentials is optional, we may use database connections also; especially when number of users is more.
-passwordFromats we have to choose between three, clear is the normal choice, although less secure




This tag tells who is authorised to view the pages.
-allow users, we can specify the user names, default being "*", which means all
-deny users, generally is for un-authenticated users -"?". We can however specify certain user to be denied also.



In case the number of users is high, we need to use database. The connection is made as above.
key is the name used to connect to the string.
Some pages needs to be kept for free view for all. These we can specifically mention through the location tag.
-path denote the page name
-allowOverride, if true will allow the settings to be overrided by other pages.

2. Login.aspx
If FormsAuthentication.Authenticate(Login1.UserName, Login1.Password) Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Response.Redirect("Default.aspx")
End If

I used the Login tool, although the normal text box is good enough for the case.
The code is self suggesting, on logging in, the user will be going to "Default.aspx" page.

Dim cooky As HttpCookie = New HttpCookie("UserName", Login1.UserName)
cooky.Expires = DateTime.Now.AddHours(1)
Response.Cookies.Add(cooky)

-we can add cookies to page so as to carry the user name to the other pages

Thats all for today

No comments: