Authentication is a critical aspect of Web development. Developers are always on the lookout for easier ways to implement an effective authentication system on their Web pages. With ASP.NET 1.1, developers have to write lengthy code to authenticate users against a database. They can also validate user credentials using an XML file, but that is not a secure solution. Moreover, Visual Studio .NET 2003 doesn’t provide any built-in controls for authentication.
ASP.NET 2.0 moves authentication one step forward. It provides new classes, methods, and controls that make authentication easier to implement. This article demonstrates how to use the Membership class in ASP.NET applications. This class provides several methods that you can use to create, delete, and validate users. Moreover, you can combine its methods with the built-in ASP.NET security controls that ship with Visual Studio 2005 (aka Whidbey). This article briefly examines these controls as well.
Create New Users
You can create new users easily by using the CreateUser() method (See Table 1).
Syntax | Description |
CreateUser(Username, Password) | Creates a new user with the specified username and password. |
CreateUser(Username, Password, Email) | Creates a new user with the specified username, password, and e-mail. |
Table 1. Creating a New User with the CreateUser() Method
When you create a new user in an ASP.NET project using Visual Studio 2005, it creates an MS Access database called ASPNETDB.mdb by default and stores the relevant user data (username, password, and e-mail address) in it. Listing 1 shows how to create a new user using the Membership class. (Before working with the code, you should place two textboxes, one button, and the required label controls on the form.)
Listing 1. Create a new user using the Membership class
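    Try
        Membership.CreateUser(txtUsername.Text, txtPassword.Text)
        ' Encode the echoed username so it is rendered as text, not markup
        lblStatus.Text = "User " & Server.HtmlEncode(txtUsername.Text) & " Successfully Created"
    Catch ex As MembershipCreateUserException
        ' Show only the message; ToString() would also print the stack trace
        lblStatus.Text = ex.Message
    End Try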
If you attempt to add the same user again, ASP.NET automatically throws an exception and displays the relevant message on the label control. In older versions of ASP.NET, you have to write lengthy code to do this task.
Authenticate Users
You can easily verify a user's credentials by using the ValidateUser() method of the Membership class. After you have verified the user, you can redirect him or her to another Web page or elsewhere, depending upon your requirements. Listing 2 shows the code for authenticating users using Visual Studio 2005.
Listing 2. Authenticating users using Visual Studio 2005
    If (Membership.ValidateUser(txtUsername.Text, txtPassword.Text)) Then
        lblMessage.Text = "You are now authorized by the system"
    Else
        lblMessage.Text = "You are not an authorized user"
    End If
As you can see, you need only a minimal amount of code to achieve various authentication tasks in Visual Studio 2005. You can also modify the above code to redirect users to some other Web page upon successful authentication.
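One way to write the redirect mentioned above is to do by hand what the Login control does: validate, issue the cookie, and redirect, while keeping the failure reason on the server. This is an added example, not code from the original article; the class name SignIn, the button ID btnLogin, and the use of ASP.NET page tracing as the log are assumptions.

```vb
Imports System
Imports System.Web.Security

Partial Class SignIn
    Inherits System.Web.UI.Page

    ' btnLogin is an assumed button ID; the other control IDs come from Listing 2.
    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        Dim userName As String = txtUsername.Text
        If Membership.ValidateUser(userName, txtPassword.Text) Then
            ' Issues the forms-authentication cookie and sends the browser back to
            ' the page it first requested. False = session cookie, not persistent.
            FormsAuthentication.RedirectFromLoginPage(userName, False)
            Return
        End If

        ' ValidateUser() also returns False for locked-out or unapproved accounts.
        ' Work out the reason for the server-side record only.
        Dim reason As String = "bad credentials"
        Try
            Dim account As MembershipUser = Membership.GetUser(userName, False)
            If account IsNot Nothing AndAlso account.IsLockedOut Then
                reason = "account locked out"
            ElseIf account IsNot Nothing AndAlso Not account.IsApproved Then
                reason = "account not approved"
            End If
        Catch ex As ArgumentException
            ' The provider rejected the username format before any lookup.
            reason = "malformed username"
        End Try
        ' Assumption: page tracing stands in for the site's own audit log.
        Trace.Warn("login", String.Format("Failed login for '{0}' from {1}: {2}", _
            userName, Request.UserHostAddress, reason))

        ' One message for every kind of failure, so the page does not reveal
        ' which usernames exist or are locked.
        lblMessage.Text = "The username or password is incorrect."
    End Sub
End Class
```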
Display Current User
You can also display a stamp at the top of every page with the name of the logged-in user after every successful login. You can easily achieve this functionality by using the GetUser() method (See Listing 3).
Listing 3. Display stamp of logged user’s name on every page
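    Dim usrUser As MembershipUser
    ' GetUser() returns Nothing when no user is logged in
    usrUser = Membership.GetUser(True)
    If usrUser IsNot Nothing Then
        lblUserstatus.Text = Server.HtmlEncode(usrUser.UserName)
    End If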
Display All Users
With ASP.NET 2.0, you can produce a list of all registered users for your internal use on the fly. Just use the GetAllUsers() method of the Membership class (See Listing 4 and Figure 1).
Listing 4. Produce list of all registered users
    'Users is the ID for the GridView control
    Users.DataSource = Membership.GetAllUsers()
    Users.DataBind()
Figure 1. List of all users in GridView
Delete Users
You can delete a user from the database by using the DeleteUser() method of the Membership class. First, you should verify whether that particular user exists in the database (See Listing 5).
Listing 5. Verify whether user exists
    If (Membership.DeleteUser(txtDelete.Text)) Then
        ' Encode the echoed username so it is rendered as text, not markup
        lblStatus.Text = "Username " & Server.HtmlEncode(txtDelete.Text) & " successfully deleted from the database"
    Else
        lblStatus.Text = "Username does not exist or wrong username"
    End If
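Listing every account and deleting one are administrative operations, so the page that hosts Listings 4 and 5 needs an access check before either runs. This is an added example, not code from the original article; it assumes role management is enabled, and the role name "Administrators", the class name ManageUsers, and the button ID btnDelete are hypothetical.

```vb
Imports System
Imports System.Web.Security

Partial Class ManageUsers
    Inherits System.Web.UI.Page

    ' Hypothetical role name; use whatever role your site assigns to administrators.
    Private Const AdminRole As String = "Administrators"

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not User.IsInRole(AdminRole) Then
            ' Stop before any user data is bound or any account is touched.
            Response.StatusCode = 403
            Response.End()
        End If
        If Not IsPostBack Then
            BindUsers()
        End If
    End Sub

    Private Sub BindUsers()
        'Users is the ID for the GridView control
        Users.DataSource = Membership.GetAllUsers()
        Users.DataBind()
    End Sub

    Protected Sub btnDelete_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnDelete.Click
        Dim target As String = txtDelete.Text
        ' Refuse to delete the account that is making the request.
        If String.Equals(target, User.Identity.Name, StringComparison.OrdinalIgnoreCase) Then
            lblStatus.Text = "You cannot delete the account you are signed in with."
            Return
        End If
        If Membership.DeleteUser(target) Then
            lblStatus.Text = "Username " & Server.HtmlEncode(target) & " successfully deleted from the database"
            BindUsers()
        Else
            lblStatus.Text = "Username does not exist or wrong username"
        End If
    End Sub
End Class
```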
Update the Password
Registered users can modify their passwords easily by using the ChangePassword() method of the MembershipUser object returned by Membership.GetUser(). This method accepts two parameters: the old password and the new password (See Listing 6).
Listing 6. Users can modify their passwords
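    Dim users As MembershipUser
    users = Membership.GetUser()
    ' GetUser() returns Nothing when nobody is logged in; ChangePassword()
    ' returns False when the password could not be changed
    If users IsNot Nothing AndAlso users.ChangePassword(txtOldPass.Text, txtNewPass.Text) Then
        Membership.UpdateUser(users)
    End If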
Each time you update a password, you must call the UpdateUser() method. You also can modify the password’s question and answer by using the ChangePasswordQuestionAndAnswer() method.
Whidbey’s Built-in ASP.NET Security Controls
Visual Studio 2005 ships with built-in server controls such as Login, LoginStatus, and so forth. These controls automatically perform all the important functions associated with authentication using minimal code. You can easily implement and customize them (see Figures 2 and 3) by selecting the appropriate options from the Properties window. For instance, the Login control calls the ValidateUser() method of the Membership class. If the user’s credentials are correct, it calls the FormsAuthentication.RedirectFromLoginPage method, issues a cookie, and redirects the user to the original page from where they came.
Figure 2. Login Control, Before Customization
Figure 3. Login Control, After Customization
A complete discussion of all security server controls is outside the scope of this article. Check out MSDN’s documentation for additional information regarding these controls.
About the Author
Anand Narayanaswamy (Microsoft MVP) works as an independent consultant and runs NetAns Technologies (http://www.netans.com), which provides affordable Web hosting services for the community. Anand also runs LearnXpress.com (http://www.learnXpress.com), Dotnetalbum.com (http://www.dotnetalbum.com), and Csharpfaq.com (http://www.csharpfaq.com). Anand regularly contributes articles and product and book reviews for various Web sites. He can be reached at ananddotnet@yahoo.co.in.