Tag Archives: forms authentication

Questions and Answers on ASP.NET


There are many questions that I answer in the ASP.NET forum. Here are some of them.

Q :

I have a page which can only be seen by members; no guest can access that page. I'm using ASP.NET with C#. Can I get a basic idea of how to redirect a person to the login page if they are not logged in, with the condition that if they are already logged in there is no need to show the login page and they can directly access the private page?

A:

Suppose you want to restrict access to the page Member.aspx. In that case, all you need to do to redirect guests is add a simple authorization rule to your web.config like this:
In that case, visitors are compelled to log in as members before they can view the private page. There are several other options, but this is one of the basic ones. Best of luck.
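An authorization rule of the kind this answer describes, as an added example rather than the author's own snippet; the login page name Login.aspx is an assumption:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Login.aspx is an assumed name for the login page -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>

  <!-- The rule below applies only to Member.aspx -->
  <location path="Member.aspx">
    <system.web>
      <authorization>
        <!-- "?" stands for anonymous (not logged in) users -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

An anonymous request for Member.aspx is redirected to the login page with the original URL in the ReturnUrl query string, while a user who already holds a valid authentication ticket goes straight to the page.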

Q:

Require https to safeguard Windows Authentication credentials?

A:

Basically, the difference is in the port used. HTTP uses port 80; when it is secured HTTP (HTTPS), the port changes to 443. For Forms authentication there is an attribute called “requireSSL” that specifies whether Forms authentication should happen over secure HTTPS. You may set it to true or false. See below:

It is strongly recommended that the loginUrl be an SSL URL (https://) to keep credentials safe from prying eyes.

But all of this applies only to Forms authentication. The Windows operating system has a role system built into it. This Windows security group system is ideal for intranet-based applications where you might have all users already in defined roles. This, of course, works best if you have anonymous authentication turned off for your ASP.NET application and you have configured your application to use Windows Authentication.

Best of luck.
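The requireSSL setting and HTTPS loginUrl from this answer, as an added example that is not the author's original snippet; the host name www.example.com and the page name Login.aspx are assumptions:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak setting, shown for comparison only. requireSSL="false" is the
           default, so the browser may send the authentication cookie over
           plain HTTP where it can be read on the wire:
           <forms loginUrl="Login.aspx" requireSSL="false" />
      -->

      <!-- Corrected setting. requireSSL="true" marks the authentication
           cookie as Secure, so the browser returns it only over HTTPS.
           The absolute https:// loginUrl keeps the credential post itself
           on an encrypted connection.
           protection="All" (the default) encrypts and validates the ticket.
           cookieless="UseCookies" keeps the ticket out of the URL. -->
      <forms loginUrl="https://www.example.com/Login.aspx"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```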


The basics of Forms Authentication


Again I come back to an old issue: Forms authentication.
In a book by Matthew MacDonald and Mario Szpuszta I found a very nice diagram which beautifully explains how forms authentication is activated.
First, the diagram:

How Forms authentication works...

Next, the good reasons to use it. As they describe:
• You have full control over the authentication code.
• You have full control over the appearance of the login form.
• It works with any browser.
• It allows you to decide how to store user information.

Now the steps you'll follow:
1. Configure forms authentication in the web.config file.
2. Configure IIS to allow anonymous access to the virtual directory, and configure ASP.NET to restrict anonymous access to the web application.
3. Create a custom login page that collects and validates a user name and password and then interacts with the forms authentication infrastructure to create the ticket.
Here I’d like to add one thing: if you are not keen on configuring IIS, it’s no problem. ASP.NET itself will handle the issue very well. So first of all you need to add this code to web.config:

This is the most basic part. After this step, you can set up your own provider class in web.config, add profiles to keep track of the users, and so on. But those are entirely separate topics.
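Steps 1 and 2 above expressed in web.config, as an added example that is not the author's original snippet; the cookie name .APPAUTH, the pages Login.aspx and Default.aspx, and the Public folder are assumptions:

```xml
<configuration>
  <system.web>
    <!-- Step 1: switch the application to forms authentication -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             timeout="30"
             slidingExpiration="true" />
    </authentication>

    <!-- Step 2: IIS lets anonymous requests through, and ASP.NET
         rejects them here for the whole application.
         Rules are checked top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception for content that must stay reachable without a login.
       The login page itself needs no such entry; ASP.NET always
       serves the page named in loginUrl. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```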

Forms vs Windows authentication


Actually, last day I spent some time over it and after some experimenting with my website, I’m going to write what I found.
The main thing about Forms authentication is that it is used for ASP.NET web applications. With forms authentication, ASP.NET is expected to handle all the details of authentication and security.
By contrast, the default authentication mode for ASP.NET applications is Windows, which is fine if you’re working in an intranet environment where every user probably has a Windows login for use in the corporate network anyway. Using Windows authentication, Windows itself handles all the security and authentication, and you can use the myriad Windows utilities and functions, such as Active Directory, to manage your users.
The mechanism is this: to use forms authentication and the SqlMembershipProvider, we need to create a database to authenticate against. This database will hold our user information, as well as membership information, so we can both authenticate the user and provide access based on membership in specific roles.
What I’ve done is create the database using aspnet_regsql.exe and later add it to my website’s App_Data folder, so that it became easier to add other tables and establish relationships between them.
In fact, going this way, I can reduce the size of the App_Data folder drastically. If one uses Windows authentication, the App_Data folder takes more than 10 MB of space.
If instead one uses Forms authentication and a membership provider in web.config, the whole scene changes quite interestingly.
We use this type of code after Forms authentication:

Before it, we have to declare the connection string in web.config like this:

Obviously, the connection strings will change accordingly.
Using this, we can move aspnetdb.mdf to the App_Data folder and, moreover, add other tables to it.
This is necessary because some hosting companies do not allow more than one database.
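A connection string and SqlMembershipProvider registration of the kind described above, as an added example that is not the author's original snippet; the names MembershipDb and AppSqlMembershipProvider, the SQL Server Express connection string, and the password policy values are assumptions:

```xml
<configuration>
  <!-- Declared first: points at aspnetdb.mdf inside App_Data.
       |DataDirectory| resolves to the site's App_Data folder.
       Constructed sample value for a local SQL Server Express instance. -->
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\aspnetdb.mdf;Integrated Security=True;User Instance=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms" />

    <!-- The membership provider authenticates against the database
         named by connectionStringName. -->
    <membership defaultProvider="AppSqlMembershipProvider">
      <providers>
        <!-- Drop the inherited default provider so only ours is used -->
        <clear />
        <add name="AppSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With passwordFormat="Hashed" and enablePasswordRetrieval="false", the database stores only salted hashes, so a copy of aspnetdb.mdf does not hand over the users' passwords in clear text.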