Page 1 of 1

Authentication Security: in this tutorial we will see authentication at the forms level

#1 theunborncoder

Posted 18 December 2009 - 03:32 AM

There are mainly 3 types of authentication
1. Windows
2. Forms
3. Passport

ASP.NET uses the impersonation method to authenticate an unknown user on the site.
Impersonation is the process of assigning an account to an unknown user. This anonymous access account is named IUSR_machine name.

The worker process aspnet_wp.exe uses the ASPNET account instead.

You can check the account currently in use with the following code:
lblAcc.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name


We can change impersonation in the web.config file:

<identity impersonate="true" />



If we apply Windows authentication, our application can only be used inside an intranet under one domain. We can use it from outside, but in that case we must know a user name and password under that domain.

<authentication mode="Windows" />
<authorization>
  <allow users="machine name\user name" />
  <deny users="*" />
</authorization>


The above code denies everyone except machine name\user name.
We can add many users, comma separated.

Using forms authentication we can give access to any user, even one who is not a member of the domain.
Using this authentication we can also maintain user information, such as the currently present users and so on.

For this type of authentication we have to use our own database and store user names and passwords, which we use to authenticate users.

Now start with some basic steps:

Set the authentication mode to Forms in web.config.
We have to use the following tag:
<authentication mode="Forms" >


The above code ensures that when someone accesses your web application, ASP.NET displays the logon web form. Once a user's login is OK, ASP.NET places a cookie on the client machine, and later the user is authenticated using this cookie.

Now we have to set some more properties:

<authentication mode="Forms" >
  <forms loginUrl="Login.aspx" >
	<credentials passwordFormat="Clear">
	  <user name="aaa" password="111"/>
	  <user name="bbb" password="222"/>
	</credentials>
  </forms>
</authentication>

<authorization>
  <deny users="?" />
</authorization>


OK, now in the above code we have
credentials passwordFormat="Clear". This denotes that our password is in simple text format; no hashing or encryption is applied. We can use hash algorithms like MD5 or SHA1 (instead of Clear use MD5 or SHA1).

Now we have name and password: these are simple hard-coded user names and passwords for authentication. We can set as many names as we want.

Now we have authorization deny users="?". This denotes that only authenticated users get access. If we want all users to get access, use "*" in an allow rule instead.

We can also use role-based authorization: instead of users, use "roles".
We can check a role like this:
If User.IsInRole("role 1") Then
    ' do something
Else
    ' do something
End If

We can also apply security on a folder:
1. Create a folder
2. Place the files inside
3. Create a new web.config in it
4. Apply the new settings

ok great :^: 

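Now we will see the code inside the login page.

Imports System.Web.Security

On the login button click event:

' Check the supplied credentials against the <credentials> section of web.config
If FormsAuthentication.Authenticate(userID, password) Then
    ' Issue the authentication cookie (False = not persistent) and return to the requested page
    FormsAuthentication.RedirectFromLoginPage(userID, False)
End If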



Now we will see the code inside the sign-out page.

Imports System.Web.Security

On the logout button click event:

' Remove the authentication cookie, then send the user back to the login page
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()



Last topic: apply encryption (hashing) on the password

' The second argument is the hash format: "MD5" or "SHA1"
Password = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1")

We can even store the hashed password inside the config file.

Enjoy coding
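
As an added example (not part of the original post), this VB.NET console module generates the hashed <credentials> block for the tutorial's sample users with HashPasswordForStoringInConfigFile, so the clear-text passwords do not have to sit in web.config. It assumes a .NET Framework project that references System.Web.dll; the module and function names are hypothetical.

```vb
' Added example, not from the original post.
' Assumes a .NET Framework console project that references System.Web.dll.
' HashCredentials and BuildCredentials are hypothetical names.
Imports System
Imports System.Collections.Generic
Imports System.Security
Imports System.Text
Imports System.Web.Security

Module HashCredentials

    ' Returns a <credentials> block whose passwords are hashed with
    ' hashFormat ("SHA1" or "MD5"), ready to paste inside <forms>.
    Function BuildCredentials(ByVal users As Dictionary(Of String, String), ByVal hashFormat As String) As String
        Dim sb As New StringBuilder()
        sb.AppendLine(String.Format("<credentials passwordFormat=""{0}"">", hashFormat))
        For Each entry As KeyValuePair(Of String, String) In users
            ' Hash the clear-text password in the format web.config expects.
            Dim hashed As String = FormsAuthentication.HashPasswordForStoringInConfigFile(entry.Value, hashFormat)
            ' Escape the user name so characters such as & or " keep the XML valid.
            Dim safeName As String = SecurityElement.Escape(entry.Key)
            sb.AppendLine(String.Format("  <user name=""{0}"" password=""{1}""/>", safeName, hashed))
        Next
        sb.AppendLine("</credentials>")
        Return sb.ToString()
    End Function

    Sub Main()
        ' Sample accounts taken from the tutorial's web.config (illustrative values).
        Dim users As New Dictionary(Of String, String)()
        users.Add("aaa", "111")
        users.Add("bbb", "222")
        ' Print the section; replace the passwordFormat="Clear" block with it.
        Console.Write(BuildCredentials(users, "SHA1"))
    End Sub

End Module
```

FormsAuthentication.Authenticate hashes the submitted password the same way when passwordFormat is SHA1 or MD5, so the login code stays unchanged. The stored values are unsalted hashes, so two users with the same password get the same value.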
