DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 308157 - Last Review: October 16, 2012 - Revision: 9.0

This article was previously published under Q308157

On This Page

Summary

This article demonstrates how to implement forms-based authentication by using a database to store the users.

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:
  • Microsoft Visual Studio .NET
  • Microsoft SQL Server
  • Microsoft Internet Information Services (IIS) version 5.0 or later

Create an ASP.NET Application Using Visual Basic .NET

  1. Open Visual Studio .NET.
  2. Create a new ASP.NET Web Application, and specify the name and location.

Configure the Security Settings in the Web.config File

This section demonstrates how to add and modify the <authentication> and <authorization> configuration sections to configure the ASP.NET application to use forms-based authentication.
  1. In Solution Explorer, open the Web.config file.
  2. Change the authentication mode to Forms.
  3. Insert the <Forms> tag, and fill in the appropriate attributes. (For more information about these attributes, refer to the MSDN documentation or the QuickStart documentation that is listed in the REFERENCES section.) Copy the following code, and then click Paste as HTML on the Edit menu to paste the code in the <authentication> section of the file:
    <authentication mode="Forms">
    	<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx" 
    	protection="All" path="/" timeout="30" />
    </authentication>
    					
  4. Deny access to the anonymous user in the <authorization> section as follows:
    <authorization>
    	<deny users ="?" />
    	<allow users = "*" />
    </authorization>
    					

Create a Sample Database Table to Store Users Details

This section demonstrates how to create a sample database to store the user name, password, and role for the users. You need the role column if you want to store user roles in the database and implement role-based security.
  1. From the Windows Start menu, click Run, and then type notepad to open Notepad.
  2. Highlight the following SQL script code, right-click the code, and then click Copy. In Notepad, click Paste on the Edit menu to paste the following code:
    if exists (select * from sysobjects where id = 
    object_id(N'[dbo].[Users]') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table [dbo].[Users]
    GO
    CREATE TABLE [dbo].[Users] (
    	[uname] [varchar] (15) NOT NULL ,
    	[Pwd] [varchar] (25) NOT NULL ,
    	[userRole] [varchar] (25) NOT NULL ,
    ) ON [PRIMARY]
    GO
    ALTER TABLE [dbo].[Users] WITH NOCHECK ADD 
    	CONSTRAINT [PK_Users] PRIMARY KEY  NONCLUSTERED 
    	(
    		[uname]
    	)  ON [PRIMARY] 
    GO
    
    INSERT INTO Users values('user1','user1','Manager')
    INSERT INTO Users values('user2','user2','Admin')
    INSERT INTO Users values('user3','user3','User')
    GO
    					
  3. Save the file as Users.sql.
  4. On the Microsoft SQL Server computer, open Users.sql in Query Analyzer. From the list of databases, click pubs, and run the script. This creates a sample users table and populates the table in the Pubs database to be used with this sample application.

Create a Logon.aspx Page

  1. Add a new Web Form to the project named Logon.aspx.
  2. Open the Logon.aspx page in the editor, and switch to HTML view.
  3. Copy the following code, and use the Paste as HTML option on the Edit menu to insert the code between the <form> tags:
    <h3>
       <font face="Verdana">Logon Page</font>
    </h3>
    <table>
       <tr>
          <td>Email:</td>
          <td><input id="txtUserName" type="text" runat="server"></td>
          <td><ASP:RequiredFieldValidator ControlToValidate="txtUserName"
               Display="Static" ErrorMessage="*" runat="server" 
               ID="vUserName" /></td>
       </tr>
       <tr>
          <td>Password:</td>
          <td><input id="txtUserPass" type="password" runat="server"></td>
          <td><ASP:RequiredFieldValidator ControlToValidate="txtUserPass"
              Display="Static" ErrorMessage="*" runat="server" 
              ID="vUserPass" />
          </td>
       </tr>
       <tr>
          <td>Persistent Cookie:</td>
          <td><ASP:CheckBox id="chkPersistCookie" runat="server" autopostback="false" /></td>
          <td></td>
       </tr>
    </table>
    <input type="submit" Value="Logon" runat="server" ID="cmdLogin"><p></p>
    <asp:Label id="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />
    						
    This Web Form is used to present a logon form to users so that they can provide their user name and password to log on to the application.
  4. Switch to Design view, and save the page.

Code the Event Handler So That It Validates the User Credentials

This section presents the code that is placed in the code-behind page (Logon.aspx.vb).
  1. Open the Logon.aspx.vb file.
  2. Import the required namespaces in the code-behind file:
    Imports System.Data.SqlClient
    Imports System.Web.Security
    					
  3. Create a ValidateUser function to validate the user credentials by looking in the database. (Make sure that you change the Connection string to point to your database.)
    Private Function ValidateUser(ByVal userName As String, ByVal passWord As String) As Boolean
            Dim conn As SqlConnection
            Dim cmd As SqlCommand
            Dim lookupPassword As String
    
            lookupPassword = Nothing
    
            ' Check for an invalid userName.
            ' userName  must not be set to nothing and must be between one and 15 characters.
            If ((userName Is Nothing)) Then
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.")
                Return False
            End If
            If ((userName.Length = 0) Or (userName.Length > 15)) Then
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.")
                Return False
            End If
    
            ' Check for invalid passWord.
            ' passWord must not be set to nothing and must be between one and 25 characters.
            If (passWord Is Nothing) Then
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.")
                Return False
            End If
            If ((passWord.Length = 0) Or (passWord.Length > 25)) Then
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.")
                Return False
            End If
    
            Try
                ' Consult with your SQL Server administrator for an appropriate connection
                ' string to use to connect to your local SQL Server.
                conn = New SqlConnection("server=localhost;Integrated Security=SSPI;database=pubs")
                conn.Open()
    
                ' Create SqlCommand to select pwd field from the users table given a supplied userName.
                cmd = New SqlCommand("Select pwd from users where uname=@userName", conn)
                cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25)
                cmd.Parameters("@userName").Value = userName
    
    
                ' Execute command and fetch pwd field into lookupPassword string.
                lookupPassword = cmd.ExecuteScalar()
    
                ' Cleanup command and connection objects.
                cmd.Dispose()
                conn.Dispose()
            Catch ex As Exception
                ' Add error handling here for debugging.
                ' This error message should not be sent back to the caller.
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " & ex.Message)
            End Try
    
            ' If no password found, return false.
            If (lookupPassword Is Nothing) Then
                ' You could write failed login attempts here to the event log for additional security.
                Return False
            End If
    
            ' Compare lookupPassword and input passWord by using a case-sensitive comparison.
            Return (String.Compare(lookupPassword, passWord, False) = 0)
    
    End Function
    					
  4. You can use one of two methods to generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event. Sample code is provided for both scenarios. Use either of them according to your requirement.
    • Call the RedirectFromLoginPage method to automatically generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event:
      Private Sub cmdLogin_ServerClick(ByVal sender As Object, ByVal e As System.EventArgs) _
         Handles cmdLogin.ServerClick
         If ValidateUser(txtUserName.Value,txtUserPass.value) Then
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
            chkPersistCookie.Checked)
         Else
            Response.Redirect("logon.aspx", True)
         End If
      End Sub
      						
    • Generate the authentication ticket, encrypt it, create a cookie, add it to the response, and redirect the user. This gives you more control in how you create the cookie. You can also include custom data along with the FormsAuthenticationTicket in this case.
      Private Sub cmdLogin_ServerClick(ByVal sender As Object, _
         ByVal e As System.EventArgs) Handles cmdLogin.ServerClick
         If Validateuser(txtUserName.Value,txtUserPass.Value) Then
            Dim tkt As FormsAuthenticationTicket
            Dim cookiestr As String
            Dim ck As HttpCookie
      
            tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now(), _
      dateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data")
            cookiestr = FormsAuthentication.Encrypt(tkt)
            ck = new HttpCookie(FormsAuthentication.FormsCookieName(), cookiestr)
            if (chkPersistCookie.Checked) then ck.Expires=tkt.Expiration 
            ck.Path = FormsAuthentication.FormsCookiePath() 
            Response.Cookies.Add(ck)
      
            Dim strRedirect As String
            strRedirect = Request("ReturnURL")
            If strRedirect <> "" Then
               Response.Redirect(strRedirect, True)
            Else
               strRedirect = "default.aspx"
               Response.Redirect(strRedirect, True)
            End If
         Else
            Response.Redirect("logon.aspx", True)
         End If
      End Sub
      						

Create a Default.aspx Page

This section creates a test page to which users are redirected after they authenticate. If users browse to this page without first logging on to the application, they are redirected to the logon page.
  1. Rename the existing WebForm1.aspx page as Default.aspx, and open it in the editor.
  2. Switch to HTML view, and copy the following code between the <form> tags:
    <input type="submit" Value="SignOut" runat="server" id="cmdSignOut">
    						
    This button is used to log off the forms authentication session.
  3. Switch to Design view, and save the page.
  4. Import the required namespaces in the code-behind file:
    Imports System.Web.Security
    					
  5. Open the code-behind page (Default.aspx.vb), and copy the following code in the cmdSignOut_ServerClick event handler:
    Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) _
    Handles cmdSignOut.ServerClick
       FormsAuthentication.SignOut()
       Response.Redirect("logon.aspx", True)
    End Sub
    					
  6. Save and compile the project. You can now use the application.

Troubleshooting

  • You may want to store passwords securely in a database. You can use the FormsAuthentication class utility function named HashPasswordForStoringInConfigFile to encrypt the passwords before you store them in the database or configuration file.
  • You may want to store the SQL connection information in the configuration file (Web.config) so that you can easily modify it if necessary.
  • You may consider adding code to prevent hackers who try to use different combinations of passwords from logging on. For example, you can include logic that accepts only two or three logon attempts. If the user cannot log on in a certain number of attempts, you may want to set a flag in the database to not allow that user to log on until that user re-enables his or her account by visiting a different page or by calling your support line. In addition, you should add appropriate error handling wherever necessary.
  • Because the user is identified based on the authentication cookie, you may want to use Secure Sockets Layer (SSL) on this application so that no one can retrieve the authentication cookie and any other valuable information that is being transmitted.
  • Forms-based authentication requires that your client accept or enable cookies on their browser.
  • The timeout parameter of the <authentication> configuration section controls the interval at which the authentication cookie is regenerated. You can choose a value that provides better performance and security.
  • Certain intermediary proxies and caches on the Internet may cache Web server responses that contain Set-Cookie headers, which are then returned to a different user. Because forms-based authentication uses a cookie to authenticate users, this can cause users to accidentally (or intentionally) impersonate another user by receiving a cookie from an intermediary proxy or cache that was not originally intended for them.

References

For information about implementing simple forms-based authentication by using the <credentials> section to store users and passwords, see the following article in the ASP.NET QuickStart samples:
Forms-Based Authentication
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/formsauth.aspx (http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/formsauth.aspx)
For information about implementing forms-based authentication by using an Extensible Markup Language (XML) file to store users and passwords, see the following topic in the .NET Framework Software Development Kit (SDK) documentation:
Forms Authentication Using An XML Users File
http://msdn2.microsoft.com/en-us/library/1b1y85bh(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/1b1y85bh(vs.71).aspx)
For more information about ASP.NET Web application security, see the following article in the .NET Framework SDK documentation:
ASP.NET Web Application Security
http://msdn2.microsoft.com/en-us/library/330a99hc(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/330a99hc(vs.71).aspx)
For more information about the System.Web.Security namespace, see the following article in the .NET Framework SDK documentation:
http://msdn2.microsoft.com/en-us/library/system.web.security(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.web.security(vs.71).aspx)
For more information about ASP.NET configuration, see the following .NET Framework SDK articles:
ASP.NET Configuration
http://msdn2.microsoft.com/en-us/library/aa719558(VS.71).aspx (http://msdn2.microsoft.com/en-us/library/aa719558(VS.71).aspx)

ASP.NET Configuration Sections
http://msdn2.microsoft.com/en-us/library/w7w4sb0w(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/w7w4sb0w(vs.71).aspx)
For information on ASP.NET security guidelines, see the following MSDN white paper:
Authentication in ASP.NET: .NET Security Guidance
http://msdn2.microsoft.com/en-us/library/ms978378.aspx (http://msdn2.microsoft.com/en-us/library/ms978378.aspx)
 For more information, see the following books:
Esposito, Dino. Building Web Solutions with ASP.NET and ADO.NET (http://www.microsoft.com/MSPress/books/5727.aspx) . Microsoft Press, 2001.

Howard, Michael and David LeBlanc. Writing Secure Code (http://www.microsoft.com/mspress/books/5612.aspx) . Microsoft Press, 2001.

Applies to
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
  • Microsoft Visual Basic .NET 2003 标准版
  • Microsoft Visual Basic .NET 2002 Standard Edition
  • Microsoft SQL Server 2000 标准版
  • Microsoft SQL Server 7.0 Standard Edition
Keywords: 
kbproductlink kbconfig kbhowtomaster kbsecurity kbweb KB308157
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support