
User authentication is one of the most common tasks a web programmer needs to perform. Any web site with a login form must implement some form of authentication.
This article describes how to develop a customized user authentication module based on ASP.NET forms authentication. Along the way you'll learn how to use the Macromedia custom DataSet tag in Dreamweaver MX to access and use login credentials stored in a database. In Part 1 you'll build a relatively simple authentication system; then, in Part 2 you'll construct a more comprehensive system that allows you to authenticate the user based on his or her "role."
For additional information on this topic, please see the excellent article written by Peter Ladka: Forms Authentication & Authorization Series.
Consider this typical scenario: you want to limit access to pages within a specific folder to only users who are logged in. Furthermore, if the user is not yet logged in and requests a page within this restricted-access folder, the login page should automatically display; then, upon successful login, the user should be automatically redirected back to the previously requested page.
For example, say that a user who has not yet logged in (or a logged-out user) attempts to access the MemberOnlyFile.aspx page in the protected members folder:
http://security/members/MemberOnlyFile.aspx
The user is automatically redirected to the login page (which, in this case, resides in the root folder):
http://security/login.aspx?ReturnUrl=%2fmembers%2fMemberOnlyFile.aspx
Now, if the user logs in with the appropriate credentials, he or she is automatically redirected back to MemberOnlyFile.aspx, the originally requested page.
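The ReturnUrl round trip described above carries the redirect target in the query string, so a login page that issues the redirect itself should accept only paths inside the site. The following is an added example, not code from the article; the ReturnUrlCheck class, its method names and the /default.aspx fallback page are assumptions.

```csharp
using System;

// Added example, not from the article: accept a ReturnUrl only when it is a
// path inside this site; otherwise fall back to a default page.
public static class ReturnUrlCheck   // hypothetical helper class
{
    public const string DefaultPage = "/default.aspx";   // assumed fallback page

    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // Must be rooted at the site, e.g. "/members/MemberOnlyFile.aspx".
        if (url[0] != '/') return false;
        // Browsers read "//host" and "/\host" as a different host.
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        // CR, LF and other control characters have no place in a redirect target.
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    // In the login page, after the credentials check succeeds:
    //   FormsAuthentication.SetAuthCookie(userName, false);
    //   Response.Redirect(ReturnUrlCheck.ResolveRedirect(Request.QueryString["ReturnUrl"]));
    public static string ResolveRedirect(string returnUrl)
    {
        return IsLocalPath(returnUrl) ? returnUrl : DefaultPage;
    }

    public static void Main()
    {
        // Constructed sample values, as ASP.NET presents them after URL-decoding.
        string[] samples = {
            "/members/MemberOnlyFile.aspx",   // the article's page: accepted
            "http://example.org/",            // absolute URL: rejected
            "//example.org/",                 // scheme-relative URL: rejected
            "/\\example.org/",                // backslash variant: rejected
            "members/MemberOnlyFile.aspx",    // not rooted at the site: rejected
            null                              // ReturnUrl missing: rejected
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s ?? "(missing)", ResolveRedirect(s));
    }
}
```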
For this series, I use Dreamweaver MX 6.1 to create ASP.NET pages written in C#, Microsoft IIS 5.0 to serve them up, and SQL Server 2000 to store the login info.
Part 1: Forms Authentication for a single type of user
Part 2: Forms Authentication for multiple roles
Code Listings Included:
The Microsoft ASP.NET framework provides a rich collection of tools. The trick is figuring out how they work together to customize your authentication system.
ASP.NET allows four different types of authentication: Forms, Windows, Passport, and None. This article concentrates on the Forms type. When you implement forms authentication, you can protect every page within a specified directory. This allows you to grant access to authenticated users only. You specify the type of authentication an application uses in the web.config file (an example of which is contained in the code download for this article).
The web.config file (see Listing 1) contains a nested hierarchy of XML tags with attributes that specify the configuration settings for the web application.
Listing 1. Configuration settings in the web.config file
<configuration>
  <!-- enable Forms authentication -->
  <system.web>
    <authentication mode="Forms">
      <forms name="SECAUTH" loginUrl="/login.aspx" />
    </authentication>
  </system.web>
  <!-- Require authorization for all files -->
  <!-- in the "members" subdirectory -->
  <location path="members">
    <system.web>
      <authorization>
        <!-- "?" matches anonymous (not logged-in) users -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
Notes:
Keywords
Forms authentication, FormsAuthenticationTicket, ASP.NET, Dreamweaver, DataSet, SQL Server, C#