Microsoft & .NETASPASP.NET 2.0 Moves User Authentication One Step Forward

ASP.NET 2.0 Moves User Authentication One Step Forward content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Authentication is a critical aspect of Web development. Developers are always on the lookout for easier ways to implement an effective authentication system on their Web pages. With ASP.NET 1.1, developers have to write lengthy code to authenticate users from a database. They also can validate user credentials using an XML file, but that is not a secure solution. Moreover, Visual Studio .NET 2003 doesn’t provide any built-in controls for performing authentication functionalities.

ASP.NET 2.0 moves authentication one step forward. It provides new classes, methods, and controls for implementing authentication in an easy manner. This article demonstrates how to apply the functionalities of the Membership class into ASP.NET applications. This class provides several methods that you can use to create, delete, and validate users. Moreover, you can combine its methods with the built-in ASP.NET security controls that ship with Visual Studio 2005 (aka Whidbey). This article briefly examines these controls as well.

Create New Users

You can create new users easily by using the CreateUser() method (See Table 1).

Syntax Description
CreateUser(Username, Password) Creates a new user with the specified username and password.
CreateUser(Username, Password, Email) Creates a new user with the specified username, password, and e-mail.

Table 1. Creating a New User with the CreateUser() Method

When you create a new user in an ASP.NET project using Visual Studio 2005, it creates an MS Access database called ASPNETDB.mdb by default and stores the relevant user data (username, password, and e-mail address) in it. Listing 1 shows how to create a new user using the Membership class. (Before working with the code, you should place two textboxes, one button, and the required label controls on the form.)

Listing 1. Create a new user using the Membership class

   Membership.CreateUser(txtUsername.Text, txtPassword.Text)
   lblStatus.Text = "User " & txtUsername.Text &
                    "  Successfully Created"
Catch ex As MembershipCreateUserException
   lblStatus.Text = ex.ToString()
End Try

If you attempt to add the same user again, ASP.NET automatically throws an exception and displays the relevant message on the label control. In older versions of ASP.NET, you have to write lengthy code to do this task.

Authenticate Users

You easily can verify the status of a user by using the ValidateUser() method of the Membership class. After you have verified the user, you can redirect him or her to another Web page or elsewhere, depending upon your requirements. Listing 2 shows the code for authenticating users using Visual Studio 2005.

Listing 2. Authenticating users using Visual Studio 2005

If (Membership.ValidateUser(txtUsername.Text, txtPassword.Text)) Then
   lblMessage.Text = "You are now authorized by the system"
   lblMessage.Text = "You are not an authorized user"
End If

As you can see, you need only a minimal amount of code to achieve various authentication tasks in Visual Studio 2005. You can also modify the above code to redirect users to some other Web page upon successful authorization.

Display Current User

You also can display a stamp on the top of every page with the name of the logged user after every successful login. You can easily achieve this functionality by using the GetUser() method (See Listing 3).

Listing 3. Display stamp of logged user’s name on every page

Dim usrUser As MembershipUser
usrUser = Membership.GetUser(True)
lblUserstatus.Text = usrUser.Username

Display All Users

With ASP.NET 2.0, you can produce a list of all registered users for your internal use on the fly. Just use the GetAllUsers() method of the Membership class (See Listing 4 and Figure 1).

Listing 4. Produce list of all registered users

'Users is the ID for the GridView control
Users.DataSource = Membership.GetAllUsers()

Figure 1. List of all users in GridView

Delete Users

You can delete a user from the database by using the DeleteUser() method of the Membership class. First, you should verify whether that particular user exists on the database (See Listing 5).

Listing 5. Verify whether user exists

If (Membership.DeleteUser(txtDelete.Text)) Then
   lblStatus.Text = "Username " & txtDelete.Text &
                    " successfully deleted from the database"
   lblStatus.Text = "Username does not exist or wrong username"
End If

Update the Password

Registered users can modify their passwords easily by using the ChangePassword() method of the Membership class. This method accepts two parameters, such as old password and new password (See Listing 6).

Listing 6. Users can modify their passwords

Dim users as Membership User
users = Membership.GetUser()
users.ChangePassword(txtOldPass.Text, txtNewPass.Text)

Each time you update a password, you must call the UpdateUser() method. You also can modify the password’s question and answer by using the ChangePasswordQuestionAndAnswer() method.

Whidbey’s Built-in ASP.NET Security Controls

Visual Studio 2005 ships with built-in server controls such as Login, Login Status, and so forth. These controls automatically perform all the important functionalities associated with authentication using minimal code. You easily can implement and customize them (see Figures 2 and 3) by selecting the appropriate options from the Properties window. For instance, the Login control calls the ValidateUser() method of the Membership class. If the user’s credentials are correct, it calls the FormsAuthentication.RedirectFromLoginPage method, issues a cookie, and redirects the user to the original page from where they came.

Figure 2. Login Control, Before Customization

Figure 3. Login Control, After Customization

A complete discussion of all security server controls is outside the scope of this article. Check out MSDN’s documentation for additional information regarding these controls.

About the Author

Anand Narayanaswamy (Microsoft MVP) works as an independent consultant and runs NetAns Technologies (, which provides affordable Web hosting services for the community. Anand also runs (, (, and ( Anand regularly contributes articles and product and book reviews for various Web sites. He can be reached at

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Latest Posts

Related Stories