Two Quick Ways to Perform ASP.NET Authentication

Authentication is the process of validating a user based on a set of credentials such as username, password, and e-mail address. Suppose you own a small Web development company that uses ASP.NET, and you want to give your users a secured area from where they can download or view additional resources such as tutorials. You would have to store crucial user data such as usernames and passwords (preferably in a database such as Microsoft Access or SQL Server) and then authenticate users based on those credentials with the help of the relevant ASP.NET code. This process involves a huge amount of work for developers, including such tasks as creating tables, stored procedures, and so on.

ASP.NET offers simpler ways to validate users—with little work required. By applying ASP.NET programming logic, you can store user data in XML files and then validate users by using those files. If you have a limited number of users, you can store the credentials in a Web configuration file (Web.Config) instead. This article shows you how to apply ASP.NET user authentication using either a Web.Config file or an XML file. If you haven't already, you'll need to install Microsoft's ASP.NET Web Matrix, a free editor available for download from http://www.asp.net.

Authenticating Users Using a Web.Config File

Web.Config is the main configuration file that ASP.NET applications use for storing global parameters such as connection strings for databases, passwords, and so forth. You should save this file inside the root directory of your ASP.NET application. To perform authentication using the Web.Config file, you need to create a file as shown in Listing 1.1:

Listing 1.1 Web.Config

<configuration>
  <system.web>
    <authentication mode = "Forms">
      <forms>
        <credentials passwordFormat = "Clear">
          <user name ="abc" password = "123"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users = "?"/>
    </authorization>
  </system.web>
</configuration>

The usernames and passwords should be supplied inside the credentials tag, and the authentication mode should be set to Forms. Note that passwordFormat = "Clear" means the passwords sit in the file as plain text; the attribute also accepts SHA1 and MD5 for storing hashed values. The contents of Listing 1.1 are case sensitive and should be entered as shown. Further, the authorization section denies access to all anonymous users. Hence, only users whose credentials match those given in the Web.Config file can access the relevant Web page. The following table shows different kinds of tags and symbols you can use inside the authorization tag and their meanings.

Tag                     Meaning
<deny users = "?"/>     Denies access to all anonymous users
<deny users = "*"/>     Denies access to both anonymous and authenticated users
<allow users = "?"/>    Allows access to all anonymous users
<allow users = "*"/>    Allows access to both anonymous and authenticated users

The next step is to create an ASP.NET page that contains the real code for verifying a user. Listing 1.2 is a sample code snippet:

Listing 1.2 Login.aspx

If IsValid Then
  ' Check the entered values against the credentials section of Web.Config
  If FormsAuthentication.Authenticate(txtUsername.Text, _
                                      txtPassword.Text) Then
    lblStatus.Text = "Username and Passwords are correct"
  Else
    lblStatus.Text = "Invalid Username and Passwords"
  End If
End If

This code uses the Authenticate method of the FormsAuthentication class to validate a user. The Authenticate method takes the corresponding text fields as parameters. If the entered data is incorrect, it executes the statement inside the else part. You also can redirect a user to another Web site if the entered data is correct by slightly modifying Listing 1.2 to the code shown in Listing 1.3:

Listing 1.3

If IsValid Then
  If FormsAuthentication.Authenticate(txtUsername.Text, _
                                      txtPassword.Text) Then
    ' Credentials matched: send the user on
    Response.Redirect("http://www.developer.com")
  Else
    lblStatus.Text = "Invalid Username and Passwords"
  End If
End If

Authentication means validating a user based on a set of credentials, such as e-mail, username, and password. Authorization occurs after authentication. Authorization requires specifying access restrictions and permissions for your users. Hence, these terms are different but interrelated.

Authenticating Users Using an XML File

Even though you can easily authenticate users by using a Web.Config file, it is not advisable for sites with a large number of users. It is also very difficult to implement an automated system that directly adds users to the Web.Config file. A Web developer would have to add new usernames and passwords to the file manually for each new user. To avoid this hassle, ASP.NET provides a facility for authenticating users by using an XML file. For this purpose, you have to create both a Web.Config file (Listing 1.4) and an XML file (Listing 1.5):

Listing 1.4 Web.Config

<configuration>
  <system.web>
    <authentication mode = "Forms"/>
    <authorization>
      <deny users = "?"/>
    </authorization>
  </system.web>
</configuration>

Listing 1.5 pwd.xml

<passwordlist>
<user>
   <name>bob</name>
   <pwd>123</pwd>
</user>

<user>
   <name>mark</name>
   <pwd>456</pwd>
</user>

<user>
   <name>peter</name>
   <pwd>789</pwd>
</user>

</passwordlist>

XML is a case-sensitive language.

The next step is to create an ASP.NET page. Because it has to check two credentials (username and password), you have to add two TextBox controls and a Button control to the form. Double-click the button control and add the code given in Listing 1.6:

Listing 1.6

If IsValid Then
   If XMLAuthentication(txtUsername.Text, txtPassword.Text) Then
      Response.Redirect("http://www.developer.com")
   End If
End If

Listing 1.6 passes the text of the two controls as parameters to the XMLAuthentication method. This method contains the real code to authenticate users from your XML file. Further, if the username and password match an entry in the XML file, the user will be redirected to the developer.com home page. The source code for this method is given in Listing 1.7:

Listing 1.7

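   ' Requires <%@ Import Namespace="System.Data" %> at the top of the page
   Function XMLAuthentication(strUsername As String, strPwd As String) As Boolean
      Dim dstPwd As DataSet
      Dim dtblPwd As DataTable
      Dim users() As DataRow

      ' Load the user list from the XML file
      dstPwd = New DataSet()
      dstPwd.ReadXML(MapPath("Pwd.xml"))

      dtblPwd = dstPwd.Tables(0)
      ' Double any single quotes so the username cannot alter the filter expression
      users = dtblPwd.Select("name = '" & strUsername.Replace("'", "''") & "'")

      If users.Length > 0 Then
         If users(0)("pwd").ToString() = strPwd Then
            Return True
         Else
            lblStatus.Text = "Invalid Password"
         End If
      Else
         lblStatus.Text = "Username does not exist"
      End If
      Return False
   End Function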

In Listing 1.7, the XML file is loaded by using the built-in ReadXML() method, and the XMLAuthentication method checks both the username and password. The method displays the relevant messages in the label control.
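
A hardened variant of Listing 1.7, added here as an example and not part of the original article's code: it keeps a salted PBKDF2 hash in the XML file instead of the plain password, compares usernames as plain strings rather than inside a filter expression, and gives the caller one result for both failure cases. The <salt> and <hash> elements, the ~/App_Data/pwd.xml location, the module name and the iteration count are assumptions, as is .NET Framework 4.7.2 or later.

```vbnet
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Xml.Linq

' Assumed pwd.xml layout (constructed for this example), kept in App_Data
' so the file cannot be requested by URL:
'   <passwordlist>
'     <user><name>bob</name><salt>BASE64</salt><hash>BASE64</hash></user>
'   </passwordlist>
Public Module XmlCredentialStore
    Private Const Iterations As Integer = 100000   ' assumed work factor
    Private Const HashBytes As Integer = 32

    ' Derive the PBKDF2-HMAC-SHA256 value that is stored in <hash>.
    Public Function HashPassword(pwd As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(pwd, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Compare every byte so timing does not show where the values differ.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Call as: XMLAuthentication(Server.MapPath("~/App_Data/pwd.xml"),
    '                            txtUsername.Text, txtPassword.Text)
    ' On False, show a single message such as "Invalid username or password".
    Public Function XMLAuthentication(xmlPath As String, strUsername As String,
                                      strPwd As String) As Boolean
        Dim doc As XDocument = XDocument.Load(xmlPath)
        Dim user As XElement = doc.Root.Elements("user").FirstOrDefault(
            Function(u) String.Equals(u.Element("name").Value, strUsername,
                                      StringComparison.Ordinal))
        If user Is Nothing Then
            ' Do the same hashing work for unknown names, then fail.
            HashPassword(strPwd, New Byte(15) {})
            Return False
        End If
        Dim salt As Byte() = Convert.FromBase64String(user.Element("salt").Value)
        Dim stored As Byte() = Convert.FromBase64String(user.Element("hash").Value)
        Return FixedTimeEquals(HashPassword(strPwd, salt), stored)
    End Function
End Module
```

When a user is created, generate a random 16-byte salt with RNGCryptoServiceProvider and store it with the output of HashPassword, both Base64-encoded.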



About the Author

Anand Narayanaswamy

Anand Narayanaswamy (Microsoft MVP) is a freelance writer for Developer.com and Codeguru.com. He works as an independent consultant and runs NetAns Technologies (http://www.netans.com), which provides affordable web hosting services. He is the author of Community Server Quickly (http://www.packtpub.com/community-server/book). Anand also runs LearnXpress.com (http://www.learnXpress.com) and Dotnetalbum.com (http://www.dotnetalbum.com) and regularly contributes product and book reviews for various websites. He can be reached at ananddotnet@yahoo.co.in.

Comments

  • Nice one!

    Posted by nnaga on 06/08/2004 09:15am

    very logical and easy to understand.
