Authentication is the process of validating a user based on a set of credentials such as username, password, and e-mail address. Suppose you own a small Web development company that uses ASP.NET, and you want to give your users a secured area where they can download or view additional resources such as tutorials. You would have to store crucial user data such as usernames and passwords (preferably in a database such as Microsoft Access or SQL Server) and then authenticate users based on those credentials with the help of the relevant ASP.NET code. This process involves a huge amount of work for developers, including such tasks as creating tables, stored procedures, and so on.
ASP.NET offers simpler ways to validate users—with little work required. By applying ASP.NET programming logic, you can store user data in XML files and then validate users using those files. If you have a limited number of users, you can store the credentials in a Web configuration file (Web.Config) instead. This article shows you how to apply ASP.NET user authentication using either a Web.Config file or an XML file. If you haven't already, you'll need to install Microsoft's ASP.NET Web Matrix, a free editor available for download from http://www.asp.net.
Authenticating Users Using a Web.Config File
Web.Config is the main configuration file that ASP.NET applications use for storing global parameters such as connection strings for databases, passwords, and so forth. You should save this file inside the root directory of your ASP.NET application. To perform authentication using the Web.Config file, you need to create a file as shown in Listing 1.1:
Listing 1.1 Web.Config
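<configuration>
  <system.web>
    <!-- Forms authentication with the user list kept in this file -->
    <authentication mode="Forms">
      <forms>
        <!-- passwordFormat="Clear" means the password below is stored as plain text -->
        <credentials passwordFormat="Clear">
          <user name="abc" password="123"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" matches anonymous (unauthenticated) users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>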
The usernames and passwords should be supplied inside the credentials tag, and the authentication mode should be set to Forms. The contents of Listing 1.1 are case sensitive and should be entered as shown. Further, the authorization section denies access to all anonymous users. Hence, only users whose credentials match those given in the Web.Config file can access the relevant Web page. The following table shows different kinds of tags and symbols you can use inside the authorization tag and their meanings.
| Tag | Meaning |
|---|---|
| <deny users="?"/> | Denies access to all anonymous users |
| <deny users="*"/> | Denies access to both anonymous and authenticated users |
| <allow users="?"/> | Allows access to all anonymous users |
| <allow users="*"/> | Allows access to both anonymous and authenticated users |
The next step is to create an ASP.NET page that contains the real code for verifying a user. Listing 1.2 is a sample code snippet:
Listing 1.2 Login.aspx
If IsValid Then
    ' Check the submitted values against the credentials in Web.Config
    If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
        lblStatus.Text = "Username and Passwords are correct"
    Else
        lblStatus.Text = "Invalid Username and Passwords"
    End If
End If
This code uses the Authenticate method of the FormsAuthentication class to validate a user. The Authenticate method takes the corresponding text fields as parameters. If the entered data is incorrect, it executes the statement inside the else part. You can also redirect a user to another Web site if the entered data is correct by slightly modifying Listing 1.2 to the code shown in Listing 1.3:
If IsValid Then
    If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
        ' Credentials matched: send the user to another site
        Response.Redirect("http://www.developer.com")
    Else
        lblStatus.Text = "Invalid Username and Passwords"
    End If
End If
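Authenticate only checks the credentials; it does not issue the forms-authentication ticket, so with <deny users="?"/> in place the visitor is still anonymous on the next request. The handler below is an added example, not code from the original article: it issues the ticket with RedirectFromLoginPage and assumes the credentials entry from Listing 1.1 has been switched to passwordFormat="SHA1". The controls are those of Listing 1.2; btnLogin_Click and HashForConfig are hypothetical names.

```vb
' Added example, not part of the original article.
' Goes in the server-side script of Login.aspx; assumes System.Web.Security
' is imported and that the page has txtUsername, txtPassword and lblStatus.
'
' Assumed Web.Config entry replacing the clear-text one in Listing 1.1
' (the value is the SHA1 hash of the article's sample password "123"):
'   <credentials passwordFormat="SHA1">
'     <user name="abc" password="40BD001563085FC35165329EA1FF5C5ECBDBBEEF"/>
'   </credentials>
' SHA1 here is unsalted; it only keeps the plain-text password out of the file.

Sub btnLogin_Click(sender As Object, e As EventArgs)
    ' Validator controls on the page must pass first
    If Not IsValid Then Return

    ' Authenticate hashes the submitted password according to passwordFormat
    ' and compares it with the value stored in Web.Config.
    If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
        ' Issue the authentication ticket as a session cookie (False = not
        ' persistent) and return the user to the page they first requested.
        FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
    Else
        ' One message for both cases, so the page does not reveal
        ' whether the username exists.
        lblStatus.Text = "Invalid username or password"
    End If
End Sub

' One-off helper: returns the hash to paste into the password attribute.
Function HashForConfig(plainText As String) As String
    Return FormsAuthentication.HashPasswordForStoringInConfigFile(plainText, "SHA1")
End Function
```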
Authentication means validating a user based on a set of credentials, such as e-mail, username, and password. Authorization occurs after authentication. Authorization requires specifying access restrictions and permissions for your users. Hence, these terms are different but interrelated.