Monday, January 12, 2009

Security-Forms authentication

ASP.NET provides authentication and authorization to secure our applications.

Authentication is the process of obtaining identification credentials from a user, such as a name and password, and validating those credentials against some authority.

Authorization determines whether an identity should be granted access to a specific resource.

Authentication is enabled by setting the attributes of the <authentication> element in the web.config file.

ASP.NET supports three kinds of authentication:

Forms Authentication
Windows Authentication
Passport Authentication

Forms Authentication

Forms authentication uses a login page to gather the user name and password and validates them against the data store, so that only authorized users can reach the application.

To enable Forms authentication, follow these steps.

1. Set the mode attribute of the <authentication> element to Forms.
2. Add the child element <forms> to the <authentication> element and set its attributes:

<forms name=".MySampleProject"
       loginUrl="Login.aspx"
       protection="All"
       timeout="30"
       path="/">
</forms>

The second step is to add a <forms> child element to the <authentication> element in order to specify the details of the Forms implementation. The <forms> element has the following attributes:

name
Defines the name of the HTTP cookie used by ASP.NET to maintain the user authentication information. Care should be taken when naming the cookie. If two applications on the same server use the same cookie name, "cross authentication" could occur.

loginUrl
Defines the page to which ASP.NET will redirect users when they attempt to access pages in your application without being logged in. The login page should provide the fields required to authenticate the user, typically a login ID and password or whatever else your application requires.

protection
Defines the protection method used for the cookie. Possible values are All, None, Encryption, and Validation. Validation specifies that the cookie data will be validated to ensure it was not altered in transit. Encryption specifies that the cookie is encrypted. All specifies that data validation and encryption will be used. None specifies no protection will be provided for the cookie information. The default is All and is highly recommended because it offers the highest level of protection for this authentication cookie.

timeout
Defines the amount of time in minutes before the cookie expires. The value provided here should be at least as long as the timeout for the session. Making the value shorter than the session timeout can result in a user being redirected to the page defined by the loginUrl before the session times out.

path
Defines the path of cookies issued by the application. Be aware that most browsers treat the path as case-sensitive and will not return the cookie for a request that does not match the value provided for the path attribute. The result is that users are redirected as if they were not logged in. Unless your application requires a specific path, leave the path as "/".




  • Add <deny> and <allow> child elements to the <authorization> element to deny access to anonymous users and allow access to all who have been authenticated:

    <authorization>
      <deny users="?" /> <!-- Deny anonymous users -->
      <allow users="*" /> <!-- Allow all authenticated users -->
    </authorization>





  • In the .aspx file for the login page:
    1. Add the fields required to collect the data the application needs to authenticate the user. Most applications require, at a minimum, a user login ID and password, but you can specify whatever your application requires.
    2. Add a Login button.
    3. (Optional) Include a checkbox for users to indicate that they want to be remembered between sessions. (You will need to add some code to the code-behind class to persist the authentication cookie on the client machine.)
  • In the code-behind class for the login page, use the .NET language of your choice to:
    1. Use the Login button click event to verify the user credentials.
    2. If the user credentials are valid, create a Forms authentication cookie and add it to the cookie collection returned to the browser by calling the SetAuthCookie method of the FormsAuthentication class:

    FormsAuthentication.SetAuthCookie("UserName", false);
    Response.Redirect("RequestedPage.aspx");

    3. (Optional) Set the Forms authentication cookie to be persisted on the client machine (the second argument to SetAuthCookie).
    4. Redirect the user to the appropriate application start page using Response.Redirect.
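The four code-behind steps above, worked through in C# as an added example (not code from the original post). It assumes Login.aspx declares the controls txtUserName, txtPassword, chkRememberMe, lblMessage and a Button wired to btnLogin_Click, and that the ASP.NET Membership provider is configured for the credential check; swap in your own data-store lookup if you do not use Membership.

```csharp
// Login.aspx.cs (added example). Assumed controls: TextBox txtUserName, TextBox txtPassword,
// CheckBox chkRememberMe, Label lblMessage, Button btnLogin with OnClick="btnLogin_Click".
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // Step 1: verify the credentials against the data store (Membership assumed here).
        if (!Membership.ValidateUser(userName, password))
        {
            // One message for both "unknown user" and "wrong password", so the login
            // page does not confirm which account names exist.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // Steps 2 and 3: issue the Forms authentication cookie named by <forms name="...">.
        // The cookie is made persistent only when the user ticked "remember me".
        bool persist = chkRememberMe.Checked;
        FormsAuthentication.SetAuthCookie(userName, persist);

        // Step 4: redirect. Only a ReturnUrl that stays inside this application is honoured;
        // anything else falls back to the DefaultUrl from web.config, so the login page
        // cannot be used to bounce a user to another site after they sign in.
        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = IsLocalPath(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Accepts "/", "/Orders/List.aspx" or "~/Home.aspx"; rejects absolute URLs,
    // protocol-relative "//host/..." and the backslash variant "/\host/...".
    internal static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/")) return true;
        if (url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}
```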






When the application is configured to use Forms authentication, ASP.NET looks for the cookie defined by the name attribute of the <forms> element in web.config for every page requested from your application. If the cookie does not exist, ASP.NET assumes the user is not logged in and redirects the user to the page defined by the loginUrl attribute. If the cookie does exist, ASP.NET assumes the user is authenticated and passes the request on to the requested page. In addition, when the cookie exists, ASP.NET creates a user principal object from the information found in the authentication cookie. The user principal object represents the security context under which code is running. This information is available to your application through the User object of the current context.

If we need to restrict access to selected pages of the application, we add a <location> element at the configuration level for each such page to specify whether it is available to the public or only to authenticated users.

Here we modify the allow and deny elements of the authorization section for each page as needed.

Let us consider "HomePage.aspx", a public-access page, and "CustomerPage.aspx", available only to customers:

<location path="HomePage.aspx">
  <system.web>
    <authorization>
      <allow users="*"/> <!-- allow all users -->
    </authorization>
  </system.web>
</location>

<location path="CustomerPage.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/> <!-- allow all authenticated users -->
    </authorization>
  </system.web>
</location>





If we need to restrict access by roles:

<allow roles="User,Admin"/>
<deny users="*"/>


It is important to include the <deny users="*"/> element for all such pages after the list of roles allowed to access the page. Authorization rules are evaluated in order and the first match wins, so this informs ASP.NET that a user who is not assigned one of the previously listed roles should be denied access to the page.
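A role-based <allow roles="..."/> rule can only match if the authenticated principal actually carries roles. The Forms cookie by itself supplies only the user name, so the roles have to be attached per request. The following Global.asax code-behind is an added example (not from the original post) of doing that in Application_AuthenticateRequest; LookupRoles is a hypothetical stand-in for your own data-store query, and enabling the ASP.NET Role Manager in web.config is the alternative that avoids writing this by hand.

```csharp
// Global.asax.cs (added example). Wraps the FormsIdentity set by FormsAuthenticationModule
// in a GenericPrincipal that carries roles, so UrlAuthorizationModule can evaluate
// <allow roles="User,Admin"/> against them later in the pipeline.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Anonymous requests (no cookie, or a cookie that failed validation/decryption
        // under protection="All") have no authenticated identity; leave them alone so the
        // <deny users="?"/> rules keep applying to them.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;

        // FormsAuthenticationModule already drops expired tickets, but stating the
        // assumption explicitly keeps this method safe if the pipeline order changes.
        if (identity.Ticket.Expired) return;

        string[] roles = LookupRoles(identity.Name);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical role lookup with constructed sample data; replace with a query
    // against your user store. An unknown name yields no roles, so every
    // <allow roles="..."/> fails to match and the trailing <deny users="*"/> applies.
    private static string[] LookupRoles(string userName)
    {
        switch (userName)
        {
            case "alice": return new[] { "User", "Admin" };
            case "bob":   return new[] { "User" };
            default:      return new string[0];
        }
    }
}
```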



