March 5, 2021

ASP.NET Secrets, Part 3

  • By Karl Moore

Welcome to the third part of ASP.NET Secrets!

I'm Karl Moore and today, once again, we're exploring even more chunks of code to put your Web applications into sixth gear. In this article, we'll check out:

  • Four Steps to ASP.NET Authentication
  • How to Authenticate Just Part of Your Site
  • The Best Place to Store Your Settings
  • Steal Fantastic Forum Code from Microsoft and Save Yourself Hours!

And they've all been inspired by the mass of tips, tricks, and little-known .NET techniques shared in my latest book, VB.NET and ASP.NET Secrets. Make sure you pick up your copy—it makes a great reference tool.

Plus, fancy contributing to this series? I'd love to hear all about your favorite .NET tips and tricks. Simply send them to me—karl@karlmoore.com—and I'll publish the best, full credit given.

But enough of that. And more of this... the secrets!

Four Steps to ASP.NET Authentication

If you've created a Web application in Visual Studio .NET, you should be aware that, by default, anyone can access your pages. However, there is a way to keep nosy, unwanted types out—by using authentication.

ASP.NET includes support for three core types of authentication: Windows, which only allows certain Windows accounts access to a page; Passport, which uses the Microsoft Passport universal login system to verify a user; and Forms, the most popular method of authentication, which we'll be covering here.

When a user attempts to access a page that uses Forms authentication, they get redirected to a login screen. From here, your surfer can provide a username and password. You then validate the credentials and grant or deny access to your pages accordingly.

Want to set up ASP.NET Forms authentication? Just follow my five quick and easy steps:

  1. Open the Web.config file in your Solution. This stores a number of settings for your Web application. Edit the <authentication> element so that it reads something like the following (alter usernames and passwords as appropriate—and watch both your casing and spacing). This provides your application with a list of valid users (note that <credentials> sits inside the <forms> element, which in turn sits inside <authentication>):

      <authentication mode="Forms">
        <forms>
          <credentials passwordFormat="Clear">
            <user name="test1" password="password" />
            <user name="test2" password="password" />
          </credentials>
        </forms>
      </authentication>

  2. Still in the Web.config file, remove the <allow users="*" /> line from within the <authorization> element. This line grants access to anyone—and we've just erased it.

  3. Still within the <authorization> element, add the following line to deny access to all unknown users (that is, those not authenticated):

    <deny users="?" />

  4. Create a page called "login.aspx". By default, all unauthenticated users will be redirected to this page. Add TextBox controls (txtUsername and txtPassword) for your browser to supply credentials. Also, add a CheckBox (chkPersist) to be used if the user wants their machine to automatically log them in next time.

  5. Behind a Login button on your login.aspx page, add code similar to the following to authenticate your user:

    If System.Web.Security.FormsAuthentication.Authenticate( _
       txtUsername.Text, txtPassword.Text) = True Then
       ' Valid user: issue the authentication cookie (persistent if
       ' chkPersist is ticked) and return to the originally requested page
       System.Web.Security.FormsAuthentication.RedirectFromLoginPage( _
         txtUsername.Text, chkPersist.Checked)
    Else
       ' Invalid user: show a generic message
       Response.Write("Invalid credentials - go back and try again.")
    End If

And that's it! Now, whenever an unauthenticated user visits a page in your application, they'll be redirected to login.aspx. From there, they'll be able to provide credentials. The .Authenticate method attempts to match these with a valid username and password combination in Web.config. If the credentials are invalid, a generic error message is displayed. If everything is fine, the .RedirectFromLoginPage method runs, taking the username and whether the login 'persists' (i.e., is remembered by the computer between sessions) as arguments, then sends the user back to their initially requested page.

After this, whenever you need to refer back to the username, simply check out the User.Identity.Name property. And when the user requests to explicitly log out, run code similar to the following:

Top Tip: If you don't want to use login.aspx as your login form, you can change the page by adding a loginUrl attribute to the <forms> element of your Web.config file. For example, the following tag makes myloginpage.aspx the default login page: <forms loginUrl="myloginpage.aspx" />.
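Here is the whole flow from the five steps above, plus the explicit log-out and the User.Identity.Name lookup, gathered into one code-behind class for login.aspx. This is an added example, not code from the article or the book: the controls txtUsername, txtPassword and chkPersist are the ones the article defines, while btnLogin, btnLogout and lblMessage are assumed names. The last function addresses the passwordFormat="Clear" setting in step 1: the <credentials> element also accepts passwordFormat="SHA1" (and "MD5"), in which case each password attribute holds the hash that FormsAuthentication.HashPasswordForStoringInConfigFile returns, so the clear-text password never has to sit in the deployed Web.config.

```vb
' Added example: code-behind for login.aspx (VB.NET, ASP.NET Web Forms).
' txtUsername, txtPassword and chkPersist come from the article; btnLogin,
' btnLogout and lblMessage are assumed names for this example.
Imports System
Imports System.Web.Security

Public Class LoginPage
    Inherits System.Web.UI.Page

    Protected WithEvents txtUsername As System.Web.UI.WebControls.TextBox
    Protected WithEvents txtPassword As System.Web.UI.WebControls.TextBox
    Protected WithEvents chkPersist As System.Web.UI.WebControls.CheckBox
    Protected WithEvents lblMessage As System.Web.UI.WebControls.Label
    Protected WithEvents btnLogin As System.Web.UI.WebControls.Button
    Protected WithEvents btnLogout As System.Web.UI.WebControls.Button

    ' Any page can read the authenticated name back from the forms cookie
    ' through User.Identity.Name; IsAuthenticated is False for anonymous
    ' visitors, in which case Name is an empty string.
    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.Load
        If User.Identity.IsAuthenticated Then
            lblMessage.Text = "Logged in as " & User.Identity.Name
        End If
    End Sub

    ' Step 5: check the credentials against the <credentials> list in
    ' Web.config, then issue the cookie and return to the requested page.
    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogin.Click
        If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
            ' chkPersist.Checked = True writes a persistent cookie, so the
            ' browser stays logged in between sessions.
            FormsAuthentication.RedirectFromLoginPage( _
                txtUsername.Text, chkPersist.Checked)
        Else
            ' One generic message for both a wrong name and a wrong password,
            ' so the response does not reveal which half was right.
            lblMessage.Text = "Invalid credentials - go back and try again."
        End If
    End Sub

    ' Explicit log-out: SignOut removes the authentication cookie, so the
    ' next request to a protected page is redirected to login.aspx again.
    Private Sub btnLogout_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogout.Click
        FormsAuthentication.SignOut()
        Response.Redirect("login.aspx")
    End Sub

    ' Helper for step 1 with passwordFormat="SHA1": returns the hex SHA1
    ' digest that goes into the password attribute of a <user> element.
    ' The <credentials> element hashes without a salt, so this is only as
    ' strong as the password itself, but it keeps clear text out of the
    ' config file.
    Public Shared Function HashForConfig(ByVal clearPassword As String) As String
        Return FormsAuthentication.HashPasswordForStoringInConfigFile( _
            clearPassword, "SHA1")
    End Function
End Class
```

To switch the step 1 configuration over to hashes, change `<credentials passwordFormat="Clear">` to `<credentials passwordFormat="SHA1">` and replace each `password="..."` value with the string HashForConfig returns for that password; Authenticate then hashes what the user typed and compares the digests, so the login code above needs no change.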

Caption: Authentication kicking in as I tried to access a restricted page

Page 1 of 4

This article was originally published on March 26, 2003
