
Security in ASP.NET



As a matter of fact, there is!

I have struggled with Session variables for a long time. They are always timing out when they shouldn't!

I came across Forms Authentication. It stores the user info in an encrypted cookie which will only expire when you say so!

It took me a while to get it to work and it was a bit frustrating at first but now that it is up and running it is great.

web.config

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXUSERDEMO" loginUrl="/login.aspx" protection="All" timeout="60">
            <!-- passwordFormat="Clear" keeps the password readable in this file -->
            <credentials passwordFormat="Clear">
              <user name="username" password="password"/>
            </credentials>
          </forms>
        </authentication>
      </system.web>
      <location path="folder to protect"> <!--use / for all-->
        <system.web>
          <customErrors mode="Off"/>
          <authorization>
            <!-- "?" is the anonymous user: anyone not signed in is denied -->
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>


    <%@ Page Language="C#" Debug="true" %>
    <%@ Import Namespace="System" %>
    <%@ Import Namespace="System.Web.Security" %>
    <%-- login.aspx: the page named by loginUrl in web.config --%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html>
    <head>
      <title>Page Title</title>
      <link rel="stylesheet" href="style.css" />
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <script language="C#" runat="server">
        //--------------------------------------
        //Page Load
        //--------------------------------------
        private void Page_Load()
        {
            if (IsPostBack)
            {
            }
        }

        //--------------------------------------
        //Authenticate User
        //--------------------------------------
        // The second parameter, Ticket, carries the password typed into the form.
        private void AuthenticateUser(string User, string Ticket)
        {
            // Checks the name/password pair against <credentials> in web.config
            if (FormsAuthentication.Authenticate(User, Ticket))
            {
                FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                    1,                          // ticket version
                    User,                       // user name
                    DateTime.Now,               // issue time
                    DateTime.Now.AddHours(3),   // expiry time
                    false,                      // not persistent
                    "admin");                   // user data stored in the ticket

                string encryptedTicket = FormsAuthentication.Encrypt(ticket);
                HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
                Response.Cookies.Add(authenticationCookie);

                // Redirect once. Response.Redirect ends the request, so the
                // RedirectFromLoginPage call that used to follow it never ran
                // (and would have replaced this ticket with a default one).
                Response.Redirect(FormsAuthentication.GetRedirectUrl(User, false));
            }
            else
            {
                Response.Write("Error");
            }
        }

        //--------------------------------------
        //Login Button Click
        //--------------------------------------
        private void LoginButton_Click(object sender, System.EventArgs e)
        {
            AuthenticateUser(Username.Value, Password.Value);
        }
    </script>
    <form runat="server">
      <div style="padding:15px;height:1px">
        <table cellpadding="0" cellspacing="0">
          <tr>
            <td>Username:</td>
            <td><input type="text" id="Username" runat="server" class="InputField" /></td>
          </tr>
          <tr>
            <td>Password:</td>
            <td><input type="password" id="Password" runat="server" class="InputField" /></td>
          </tr>
          <tr>
            <td colspan="2">
              <input type="button" value="Login" id="LoginButton" runat="server" class="InputButton" OnServerClick="LoginButton_Click" />
            </td>
          </tr>
        </table>
        <div id="PostBack" runat="server" class="PostBack" />
      </div>
    </form>
    </body>
    </html>

That is a sample of my site and how I got it to work. This works for any files in the folder specified in the web.config. No more doing checks on every page manually! :)
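
The web.config from the post above with its weak settings changed, as an added example that is not part of the original post. It assumes the site is served over HTTPS and runs on ASP.NET 2.0 or later; the hash value is a placeholder.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the ticket cookie is only sent over HTTPS.
           cookieless="UseCookies": the ticket is never placed in the URL. -->
      <forms name=".ASPXUSERDEMO" loginUrl="/login.aspx" protection="All"
             timeout="60" requireSSL="true" cookieless="UseCookies">
        <!-- The post used passwordFormat="Clear", which leaves the password
             readable to anyone who can read web.config. With SHA1 the
             attribute holds a hex digest instead, produced with
             FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1").
             The digest is unsalted, so keep the file itself protected. -->
        <credentials passwordFormat="SHA1">
          <user name="username" password="PLACEHOLDER_SHA1_HEX_DIGEST"/>
        </credentials>
      </forms>
    </authentication>

    <!-- Default flags for every cookie the application creates, including
         the HttpCookie built by hand in login.aspx: not readable from
         script, and sent over HTTPS only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

    <!-- The post used mode="Off", which shows full error details to every
         visitor. RemoteOnly keeps them for requests from the server itself. -->
    <customErrors mode="RemoteOnly"/>
  </system.web>

  <location path="folder to protect">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

`FormsAuthentication.Authenticate` hashes the submitted password the same way before comparing, so login.aspx needs no change for the SHA1 setting.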
