Authentication is a critical aspect of Web development. Developers are always on the lookout for easier ways to implement an effective authentication system on their Web pages. With ASP.NET 1.1, developers have to write lengthy code to authenticate users from a database. They also can validate user credentials using an XML file, but that is not a secure solution. Moreover, Visual Studio .NET 2003 doesn't provide any built-in controls for performing authentication functionalities.
ASP.NET 2.0 moves authentication one step forward. It provides new classes, methods, and controls for implementing authentication in an easy manner. This article demonstrates how to apply the functionalities of the Membership class into ASP.NET applications. This class provides several methods that you can use to create, delete, and validate users. Moreover, you can combine its methods with the built-in ASP.NET security controls that ship with Visual Studio 2005 (aka Whidbey). This article briefly examines these controls as well.
Create New Users
You can create new users easily by using the CreateUser() method (See Table 1).
| Method | Description |
|---|---|
| CreateUser(Username, Password) | Creates a new user with the specified username and password. |
| CreateUser(Username, Password, Email) | Creates a new user with the specified username, password, and e-mail. |
Table 1. Creating a New User with the CreateUser() Method
When you create a new user in an ASP.NET project using Visual Studio 2005, it creates an MS Access database called ASPNETDB.mdb by default and stores the relevant user data (username, password, and e-mail address) in it. Listing 1 shows how to create a new user using the Membership class. (Before working with the code, you should place two textboxes, one button, and the required label controls on the form.)
Listing 1. Create a new user using the Membership class
Try
    ' Creates the user in the configured membership store; throws on failure
    ' (for example, when the username already exists).
    Membership.CreateUser(txtUsername.Text, txtPassword.Text)
    lblStatus.Text = "User " & txtUsername.Text & " Successfully Created"
Catch ex As MembershipCreateUserException
    ' Show only the message, not the full exception text with its stack trace.
    lblStatus.Text = ex.Message
End Try
If you attempt to add the same user again, ASP.NET automatically throws an exception and displays the relevant message on the label control. In older versions of ASP.NET, you have to write lengthy code to do this task.
You can easily verify a user's credentials by using the ValidateUser() method of the Membership class. After the user has been verified, you can redirect him or her to another Web page or elsewhere, depending upon your requirements. Listing 2 shows the code for authenticating users using Visual Studio 2005.
Listing 2. Authenticating users using Visual Studio 2005
If Membership.ValidateUser(txtUsername.Text, txtPassword.Text) Then
    lblMessage.Text = "You are now authorized by the system"
Else
    lblMessage.Text = "You are not an authorized user"
End If
As you can see, you need only a minimal amount of code to achieve various authentication tasks in Visual Studio 2005. You can also modify the above code to redirect users to some other Web page upon successful authorization.
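The following login-page code-behind is an added example, not code from the original article. It ties Listings 1 and 2 together: registration uses the CreateUser() overload that returns a MembershipCreateStatus so each failure maps to a user-safe message, and login issues the Forms authentication ticket on success while returning one generic message for every failure. Control names (txtUsername, txtPassword, txtEmail, chkRemember, lblStatus, btnRegister, btnLogin) are assumptions, and the provider is assumed to have requiresQuestionAndAnswer="false", as Listing 1 implicitly does.

```vb
' Added example (not from the original article). Assumes the controls named
' below exist on the page and that the membership provider is configured with
' requiresQuestionAndAnswer="false".
Imports System
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page

    ' Registration: the status overload reports why creation failed without
    ' throwing, so the page can show a specific but non-sensitive message.
    Protected Sub btnRegister_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnRegister.Click
        Dim status As MembershipCreateStatus
        Membership.CreateUser(txtUsername.Text, txtPassword.Text, txtEmail.Text, _
                              Nothing, Nothing, True, status)
        Select Case status
            Case MembershipCreateStatus.Success
                lblStatus.Text = "Account created. You can now log in."
            Case MembershipCreateStatus.DuplicateUserName
                lblStatus.Text = "That user name is already taken."
            Case MembershipCreateStatus.InvalidPassword
                lblStatus.Text = "Password does not meet the minimum requirements."
            Case MembershipCreateStatus.InvalidEmail, MembershipCreateStatus.DuplicateEmail
                lblStatus.Text = "Please supply a different e-mail address."
            Case Else
                ' Do not echo the raw status or exception text to the user;
                ' record it server-side instead.
                lblStatus.Text = "Registration failed. Please try again later."
        End Select
    End Sub

    ' Login: one generic failure message avoids revealing whether the user
    ' name exists; on success the Forms authentication ticket is issued and
    ' the user is sent back to the page originally requested.
    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogin.Click
        If Membership.ValidateUser(txtUsername.Text, txtPassword.Text) Then
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, chkRemember.Checked)
        Else
            ' ValidateUser also returns False for locked-out or unapproved
            ' accounts, so the message is intentionally the same for every failure.
            lblStatus.Text = "Invalid user name or password."
        End If
    End Sub
End Class
```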
Display Current User
You can also display a stamp at the top of every page with the name of the logged-in user after every successful login. You can easily achieve this by using the GetUser() method (See Listing 3).
Listing 3. Display stamp of logged-in user's name on every page
' GetUser(True) returns the current user and updates the last-activity stamp;
' it returns Nothing when the request is anonymous, so check before using it.
Dim usrUser As MembershipUser
usrUser = Membership.GetUser(True)
If usrUser IsNot Nothing Then
    lblUserstatus.Text = usrUser.UserName
End If
Display All Users
With ASP.NET 2.0, you can produce a list of all registered users for your internal use on the fly. Just use the GetAllUsers() method of the Membership class (See Listing 4 and Figure 1).
Listing 4. Produce list of all registered users
' Users is the ID for the GridView control
Users.DataSource = Membership.GetAllUsers()
Users.DataBind()
Figure 1. List of all users in GridView
You can delete a user from the database by using the DeleteUser() method of the Membership class. DeleteUser() returns False when no such user exists, so you can use its return value to verify whether that particular user was in the database (See Listing 5).
Listing 5. Verify whether user exists
If Membership.DeleteUser(txtDelete.Text) Then
    lblStatus.Text = "Username " & txtDelete.Text & " successfully deleted from the database"
Else
    lblStatus.Text = "Username does not exist or wrong username"
End If