1. Configure forms authentication in the web.config file.
2. Configure IIS to allow anonymous access to the virtual directory, and configure ASP.NET to
restrict anonymous access to the web application.
3. Create a custom login page that collects and validates a user name and password and then
interacts with the forms authentication infrastructure for creating the ticket.
1. Configuring Forms Authentication
The default configuration:
<authentication mode="Forms">
    <!-- Detailed configuration options -->
</authentication>
The <authentication /> configuration is limited to the top-level web.config file of your application.
If the mode attribute is set to Forms, ASP.NET loads and activates the FormsAuthenticationModule,
which does most of the work for you.
Overriding the defaults with an explicit <forms> element:
<authentication mode="Forms">
    <!-- Detailed configuration options -->
    <forms name="MyCookieName"
           loginUrl="DbLogin.aspx"
           timeout="20"
           slidingExpiration="true"
           cookieless="AutoDetect"
           protection="All"
           requireSSL="false"
           enableCrossAppRedirects="false"
           defaultUrl="MyDefault.aspx"
           domain="www.mydomain.com"
           path="/" />
    <!-- domain is the cookie domain, so it takes a host name, not a URL -->
</authentication>
2. Denying Access to Anonymous Users
<configuration>
    <system.web>
        <!-- Other settings omitted. -->
        <authorization>
            <!-- "?" stands for anonymous (unauthenticated) users -->
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
Tip
Unlike the <authentication> element, the <authorization> element is not limited to the web.config file in the
root of the web application. Instead, you can use it in any subdirectory, thereby allowing you to set different authorization
settings for different groups of pages.
3. Creating a Custom Login Page
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the login page (DbLogin.aspx in the configuration above)
public partial class DbLogin : Page
{
    protected void LoginAction_Click(object sender, EventArgs e)
    {
        // Run the page's validation controls before looking at the credentials
        Page.Validate();
        if (!Page.IsValid) return;
        if (FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text))
        {
            // Create the ticket, add the cookie to the response,
            // and redirect to the originally requested page
            FormsAuthentication.RedirectFromLoginPage(UsernameText.Text, false);
        }
        else
        {
            // User name and password are not correct
            LegendStatus.Text = "Invalid username or password!";
        }
    }
}
The FormsAuthentication class provides two methods that are used in this example. The
Authenticate() method checks the specified user name and password against those stored in the
web.config file and returns a Boolean value indicating whether a match was found. Remember
that the methods of FormsAuthentication are static, so you do not need to create an instance of
FormsAuthentication to use them—you simply access them through the name of the class.
if (FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text))
If a match is found for the supplied credentials, you can use the RedirectFromLoginPage()
method, as shown here:
FormsAuthentication.RedirectFromLoginPage(UsernameText.Text, false);
This method performs several tasks at once:
1. It creates an authentication ticket for the user.
2. It encrypts the information from the authentication ticket.
3. It creates a cookie to persist the encrypted ticket information.
4. It adds the cookie to the HTTP response, sending it to the client.
5. It redirects the user to the originally requested page (which is contained in the query string
parameter of the login page request’s URL).
The second parameter of RedirectFromLoginPage() indicates whether a persistent cookie
should be created. Persistent cookies are stored on the user’s hard drive and can be reused for later
visits. Persistent cookies are described in the section “Persistent Cookies in Forms Authentication”
later in this chapter.
Finally, if Authenticate() returns false, an error message is displayed on the page. Feedback
such as this is always useful. However, make sure it doesn’t compromise your security. For example,
it’s all too common for developers to create login pages that provide separate error messages
depending on whether the user has entered a user name that isn’t recognized or a correct user name
with the wrong password. This is usually not a good idea. If a malicious user is trying to guess a user
name and password, the user’s chances increase considerably if your application gives this sort of
specific feedback.
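As an added example (not code from the book or the original post), here is a hypothetical DbLogin.aspx code-behind that carries out the five steps listed above by hand instead of calling RedirectFromLoginPage(), while keeping the single error message the previous paragraph recommends. The control names, the 20-minute lifetime and the IsLocalPath helper are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for DbLogin.aspx; control names are assumptions.
public partial class DbLogin : Page
{
    protected void LoginAction_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;
        // One message for both unknown user and wrong password: no account enumeration.
        if (!FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text))
        {
            LegendStatus.Text = "Invalid username or password!";
            return;
        }
        // 1. Create the ticket; 20 minutes matches timeout="20" in the sample config.
        var ticket = new FormsAuthenticationTicket(
            1, UsernameText.Text, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, String.Empty, FormsAuthentication.FormsCookiePath);
        // 2. Encrypt and sign the ticket according to the protection="All" setting.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        // 3. Build the cookie; name, path and domain come from the <forms> element.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL, // true only when requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        if (!String.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        // 4. Add the cookie to the response so it is sent to the client.
        Response.Cookies.Add(cookie);
        // 5. Redirect to the ReturnUrl query parameter, but only to a local path;
        //    anything else falls back to defaultUrl so the login page cannot be
        //    used to send users to another site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (String.IsNullOrEmpty(returnUrl) || !IsLocalPath(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;
        Response.Redirect(returnUrl, false);
    }

    // Accepts "/app/page.aspx" style paths; rejects "//host", "/\host" and "http://...".
    private static bool IsLocalPath(string url)
    {
        return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }
}
```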