Since we perform managed shared hosting, managed dedicated hosting, and managed cloud hosting at OrcsWeb, we sometimes get involved assisting clients with certain situations related to their site’s code, and we try to assist (within reason) even if the situation has nothing to do with the servers or hosting services. A fairly regular need that users have is to protect certain areas of their website. If they are using ASP.NET there are several options – one of which I document below.
ASP.NET has a built-in feature called Forms Authentication that allows developers to easily secure specific areas of a web site. Below I’m going to build a simple authentication sample using C# and ASP.NET 4.0 (still in beta as of the posting date).
Security settings in ASP.NET are configured in a file named web.config. This is a standard ASCII, XML-formatted file placed in the root of your web application. Here is a sample web.config:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes -->
      <forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30">
        <!-- passwordFormat="Clear" means the passwords sit in web.config as plain text -->
        <credentials passwordFormat="Clear">
          <user name="user1" password="pass1"/>
          <user name="user2" password="pass2"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" is the anonymous (unauthenticated) user -->
      <deny users="?"/>
    </authorization>
    <compilation targetFramework="4.0"/>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
  </system.web>
</configuration>
The very first line is standard for a web.config file with no bearing on the security.
The next section specifies that you are working with the security settings for this web application. I set the authentication mode to use a cookie in this specific example. You can specify a unique name for your cookie if desired. This section also specifies the page or URL that will contain the code that will perform the authentication (login.aspx in this case) – and how long the authentication cookie should be persisted.
The next two lines specify usernames and passwords you want to allow for this part of the web application. I’m not aware of a limit to the number of user accounts you can place in the web.config, but if there are a large number – or if they change frequently – it might be better to place this information in a database or XML file instead.
Now that we have defined valid logon accounts, we need to actually specify what we want to password protect. I set the authorization to deny all non-authenticated users with the <deny users="?"/> section.
That’s all that is needed in the web.config file. If someone tries to access the site and has not already authenticated, they will be redirected to the login.aspx page.
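As an added example (not part of the original post), here is the same web.config with the settings a practitioner would normally tighten: passwords stored as SHA1 hashes instead of clear text, the authentication cookie restricted to HTTPS and marked HttpOnly, a fixed rather than sliding expiration, and the deny rule scoped to a single folder (assumed here to be named "secure") rather than the whole site. The hash values are placeholders; ASP.NET's FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1") produces the real uppercase hex string to paste in.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: cookie is only sent over HTTPS; protection="All": cookie is encrypted and signed;
           slidingExpiration="false": hard 30-minute lifetime instead of renewal on every request;
           cookieless="UseCookies": never fall back to carrying the ticket in the URL -->
      <forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30"
             requireSSL="true" protection="All" slidingExpiration="false" cookieless="UseCookies">
        <!-- SHA1: web.config holds hashes, not passwords. The values below are constructed placeholders;
             generate real ones with FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1") -->
        <credentials passwordFormat="SHA1">
          <user name="user1" password="PLACEHOLDER-SHA1-HEX-FOR-USER1"/>
          <user name="user2" password="PLACEHOLDER-SHA1-HEX-FOR-USER2"/>
        </credentials>
      </forms>
    </authentication>
    <!-- Site-wide rule: everyone may reach the public pages, including login.aspx itself -->
    <authorization>
      <allow users="*"/>
    </authorization>
    <!-- All cookies HttpOnly (not readable by script) and Secure (HTTPS only) -->
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>
    <compilation targetFramework="4.0"/>
  </system.web>

  <!-- Only the "secure" folder (assumed name) requires authentication; "?" = anonymous users -->
  <location path="secure">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL set, the cookie is not issued at all over plain HTTP, so the login page itself must be served over HTTPS.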
This is only half the required process: We now need to create the login.aspx page to actually perform the authentication.
Here is the complete source of the sample login.aspx page:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="login.aspx.cs" Inherits="Default3" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        Username:
        <asp:TextBox ID="txtUsername" runat="server"></asp:TextBox>
        <br />
        Password:
        <!-- TextMode="Password" masks the characters as they are typed -->
        <asp:TextBox ID="txtPassword" runat="server" TextMode="Password"></asp:TextBox>
        <br />
        <asp:Button ID="Button1" runat="server" onclick="Button1_Click" Text="Login" />
        <br />
        <br />
        <asp:Label ID="lblStatus" runat="server" Text="Please login"></asp:Label>
    </div>
    </form>
</body>
</html>
And here is the complete source of the login.aspx.cs file:
using System;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class Default3 : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Compare the submitted credentials against the <credentials> list in web.config
        if (FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text))
        {
            lblStatus.Text = "Welcome " + txtUsername.Text;
            // Write the forms-authentication cookie (persistent, because of "true")
            // and send the user back to the URL they originally requested
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
        }
        else
        {
            lblStatus.Text = "Invalid login!";
        }
    }
}
Looking at the login.aspx page first – this is fairly straightforward HTML. These aren’t actually plain HTML tags, but rather ASP.NET server controls that render HTML to the client browser (you can tell the difference by the runat="server" attribute). This form accepts a username and password. When the Login button is clicked, the page executes the code in login.aspx.cs in the method named "Button1_Click".
Inside the Button1_Click method we use the FormsAuthentication class. The first line of the method passes the entered username and password to FormsAuthentication.Authenticate, which compares them to the values defined above in the web.config file. If the values match, the next line changes the label (just so we can see that it worked), and RedirectFromLoginPage then writes the authentication cookie to the browser and redirects the user back to the URL originally requested. The second argument ("true") tells the browser to persist the cookie. So if this user authenticates, closes their browser, opens it again, and tries the secure URL, they will still be authenticated.
If the username and password entered don’t match, an error message is displayed to the screen and the user is prompted to enter a new username and password to try again.
This is a simple example and I don’t cover any of the advanced configurations or options, but with this sample code, you should have a basis to work with if you want to implement security in ASP.Net.
Happy Hosting!