ASP .NET 2.0 Beta Preview - B. Evjen.pdf

Chapter 8

This section of the machine.config file shows the two default membership providers that come with ASP.NET 2.0 — the AspNetSqlProvider and the AspNetAccessProvider. In the <membership> element at the top of the code snippet, you see that the AspNetAccessProvider is the default provider and is the second provider detailed.

The important attributes of the AspNetAccessProvider definition include the enablePasswordRetrieval, enablePasswordReset, requiresQuestionAndAnswer, requiresUniqueEmail, and PasswordFormat attributes. The following table defines these attributes.

Attribute: Description

enablePasswordRetrieval: Defines whether the provider supports password retrievals. This attribute takes a Boolean value. The default value is False.

enablePasswordReset: Defines whether the provider supports password resets. This attribute takes a Boolean value. The default value is True. When set to False, passwords cannot be retrieved although they can be changed with a new random password.

requiresQuestionAndAnswer: Specifies whether the provider should require a question and answer combination for when a user is created. This attribute takes a Boolean value, and the default value is False.

requiresUniqueEmail: Defines whether the provider should require a unique e-mail to be specified when the user is created. This attribute takes a Boolean value, and the default value is False. When set to True, only unique e-mail addresses can be entered into the data store.

PasswordFormat: Defines the format in which the password is stored in the data store. The possible values include Hashed, Clear, and Encrypted. The default value is Hashed. Hashed passwords use SHA1, whereas encrypted passwords use Triple-DES encryption.
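What the Hashed and Encrypted formats in the table mean for what the data store can hand back, as an added example that is not from the book and not the provider's own code. The class name, the 16-byte salt, the salt-then-UTF-16 byte layout, and the sample passwords are assumptions of this sketch; SHA1 and Triple-DES are used because they are the algorithms the table names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not provider source: what a data store can give back
// under the Hashed and Encrypted formats described in the table.
public static class PasswordFormatDemo
{
    // Hashed: SHA1 over salt || password (byte layout assumed for this sketch).
    public static string Hash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // Encrypted: Triple-DES is reversible by anyone who holds the key.
    public static byte[] Transform(byte[] data, TripleDES tdes, bool encrypt)
    {
        using (ICryptoTransform t = encrypt ? tdes.CreateEncryptor() : tdes.CreateDecryptor())
            return t.TransformFinalBlock(data, 0, data.Length);
    }

    public static void Main()
    {
        string password = "constructed-Sample-1";   // constructed sample value
        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        string stored = Hash(password, salt);
        // Verification recomputes the hash. Nothing stored yields the plaintext,
        // so a forgotten password can only be replaced, not retrieved.
        Console.WriteLine("hashed, right password: {0}", Hash(password, salt) == stored);
        Console.WriteLine("hashed, wrong password: {0}", Hash("constructed-Sample-2", salt) == stored);

        using (TripleDES tdes = TripleDES.Create())  // random key and IV, demo only
        {
            byte[] cipher = Transform(Encoding.Unicode.GetBytes(password), tdes, true);
            string recovered = Encoding.Unicode.GetString(Transform(cipher, tdes, false));
            // Retrieval works, and so would it for anyone who obtains the key.
            Console.WriteLine("encrypted, recovered == original: {0}", recovered == password);
        }
    }
}
```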

 

 

Asking for credentials

After you have users that can access your Web application using the new membership service provided by ASP.NET 2.0, you can then give these users the means to log into the site. This requires little work on your part. Before you learn the controls that enable users to access your applications, first you should make a few more modifications to the web.config file.

Turning off access with the <authorization> element

After you make the changes to the web.config file by adding the <authorization> and <forms> elements (Listings 8-1 and 8-2), your Web application is accessible to each and every user that browses to any page your application contains. To prevent open access, you have to deny unauthenticated users access to the pages of your site.

Membership and Role Management

Denying unauthenticated users access to your site is illustrated in Listing 8-8.

Listing 8-8: Denying unauthenticated users

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Using the <authentication> and <deny> elements, you can deny specific users access to your Web application — or (as in this case) simply deny every unauthenticated user (this is what the question mark signifies).

Now that everyone but authenticated users has been denied access to the site, you want to make it easy for viewers of your application to become authenticated users. To do so, use the Login server control.

Using the Login server control

The Login server control enables you to turn unauthenticated users into authenticated users by allowing them to provide login credentials that can be verified in a data store of some kind. In the examples so far, you have used Microsoft Access as the data store.

The first step in using the Login control is to create a new Web page titled Login.aspx. This is the default page to which unauthenticated users are redirected in order to obtain their credentials.

The Login.aspx page simply needs an <asp:Login> control to give the end user everything she needs to become authenticated, as illustrated in Listing 8-9.

Listing 8-9: Providing a login for the end user using the Login control

<%@ Page Language="VB" %>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <title>Login Page</title>
</head>
<body>
  <form id="form1" runat="server">
    <asp:Login ID="Login1" Runat="server">
    </asp:Login>
  </form>
</body>
</html>

If the unauthenticated user hits a different page in the application, she is redirected to the Login.aspx page. You can see how ASP.NET tracks the location from the URL:

http://localhost:18436/Membership/login.aspx?ReturnUrl=%2fMembership%2fDefault.aspx
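For code that reads the ReturnUrl value itself and redirects to it, a check that the target stays inside the site is worth having. The following is an added example, not code from the book or from ASP.NET; IsLocalReturnUrl and SafeTarget are hypothetical helper names, and every sample value except the first is constructed.

```csharp
using System;

// Added illustration: accept a ReturnUrl only when it is a path inside this
// site. IsLocalReturnUrl is a hypothetical helper, not an ASP.NET 2.0 API.
public static class ReturnUrlCheck
{
    public static bool IsLocalReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;
        // Must be rooted at the site, e.g. "/Membership/Default.aspx".
        if (returnUrl[0] != '/') return false;
        // Browsers treat "//host" and "/\host" as a reference to another host.
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\')) return false;
        // Control characters have no place in a redirect target.
        foreach (char c in returnUrl)
            if (char.IsControl(c)) return false;
        return true;
    }

    // rawQueryValue is the still-encoded value as it appears in the URL.
    public static string SafeTarget(string rawQueryValue, string fallback)
    {
        string decoded = Uri.UnescapeDataString(rawQueryValue ?? "");
        return IsLocalReturnUrl(decoded) ? decoded : fallback;
    }

    public static void Main()
    {
        string[] samples = {
            "%2fMembership%2fDefault.aspx",    // value from the URL shown above
            "http%3a%2f%2fother.example%2f",   // constructed: absolute URL
            "%2f%2fother.example%2f",          // constructed: scheme-relative URL
            "" };                              // constructed: missing value
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s, SafeTarget(s, "/Membership/Default.aspx"));
    }
}
```

Only the first sample is returned unchanged; the other three fall back to the default page.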


The login page, using the Login control, is shown in Figure 8-5.

Figure 8-5

From this figure, you can see that the Login control asks the user for a username and password. A check box allows for a cookie to be stored on the client machine. This cookie enables the end user to bypass login in the future. After she is logged in, the end user is returned to the page she originally wanted to access.

You can modify the look and feel of the Login control just as you can for the other controls. One way to do this is by clicking the Auto Format link in the control’s smart tag. There you find a list of options for modifying the look and feel of the control (see Figure 8-6).

Figure 8-6

Select the Elegant option, for example, and the code is modified. Listing 8-10 shows the code generated for this selection.


Listing 8-10: A formatted Login control

<asp:Login ID="Login1" Runat="server" BorderWidth="1px"
    BorderColor="#CCCC99" BorderPadding="0" BorderStyle="Solid"
    BackColor="#F7F7DE" Font-Names="Verdana" Font-Size="10pt">
  <InstructionTextStyle Font-Italic="False"></InstructionTextStyle>
  <TitleTextStyle Font-Bold="True" BackColor="#6B696B"
      ForeColor="#FFFFFF"></TitleTextStyle>
</asp:Login>

From this listing, you can see that the <InstructionTextStyle> and <TitleTextStyle> subelements are used to modify those particular items displayed by the control. The styling elements available with the Login control are:

<CheckboxStyle>

<FailureTextStyle>

<HyperLinkStyle>

<InstructionTextStyle>

<LabelStyle>

<SubmitButtonStyle>

<TextBoxStyle>

<TitleTextStyle>

Logging in users programmatically

Besides using the prebuilt mechanics of the Login control, you can also perform this task programmatically using the Membership API. To validate credentials that you receive, you use the ValidateUser method. The ValidateUser method takes a single signature:

ValidateUser(username As String, password As String)

This method is illustrated in Listing 8-11.

Listing 8-11: Validating a user’s credentials programmatically

VB

If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
Else
    Label1.Text = "You are not registered with the site."
End If

C#

// Check the supplied credentials against the membership data store.
if (Membership.ValidateUser(TextBox1.Text.ToString(), TextBox2.Text.ToString())) {
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text.ToString(), false);
}
else {
    Label1.Text = "You are not registered with the site.";
}
