User Profiles, Authentication, Authorization
Profile Properties
ASP.NET has built-in functionality for storing user-specific settings in a SQL database via the SqlProfileProvider class, without having to design a database schema or write data-access code. Profile properties are also strongly typed.
User Profiles
Register the provider and, optionally, enable anonymous identification so that profiles can also be stored for users who have not logged in:

    <configuration>
      <system.web>
        <profile>
          <providers>
            <add name="AspNetSqlProfileProvider" connectionStringName="MyConnStr" applicationName="/"
                 type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
          </providers>
        </profile>
        <!-- optional: needed only if anonymous users should get a profile -->
        <anonymousIdentification enabled="true"/>
      </system.web>
    </configuration>

Define the profile properties (allowAnonymous is optional and only meaningful when anonymous identification is enabled):

    <configuration>
      <system.web>
        <profile>
          <properties>
            <add name="Name" allowAnonymous="true"/>
            <add name="LastVisit" type="System.DateTime" allowAnonymous="true"/>
            <add name="Position" type="MyNamespace.OrgPosition" serializeAs="Binary"/>
            <group name="Address">
              <add name="Street"/>
              <add name="City"/>
              <add name="PostalCode"/>
            </group>
          </properties>
        </profile>
      </system.web>
    </configuration>

Create the profile tables in the database (-E = Windows authentication, -S = server, -A p = add the profile feature):

    aspnet_regsql.exe -E -S localhost -A p
Migrating Anonymous User Profiles
Handle the MigrateAnonymous event (in Global.asax), which fires when a user who has an anonymous profile authenticates, and copy the anonymous values across:

    public void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
    {
        // Load the profile that was stored under the anonymous identifier
        ProfileCommon anonymousProfile = Profile.GetProfile(args.AnonymousID);

        // Copy the properties worth keeping onto the authenticated user's profile
        Profile.Name = anonymousProfile.Name;
        Profile.Save();

        // Remove the now-orphaned anonymous profile and its cookie
        ProfileManager.DeleteProfile(args.AnonymousID);
        AnonymousIdentificationModule.ClearAnonymousIdentifier();
    }
ASP.NET Membership
Users and roles can be created with the Web Site Administration Tool (WSAT); authentication and authorization are configured directly in web.config:
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="Login.aspx"/>
        </authentication>
        <roleManager enabled="true"/>
        <authorization>
          <deny users="?"/>   <!-- "?" is anonymous users: only authenticated users allowed -->
        </authorization>
      </system.web>
      <location path="Protected">
        <system.web>
          <authorization>
            <allow roles="Administrators"/>
          </authorization>
        </system.web>
      </location>
    </configuration>
The cookieless attribute of the <forms> element controls where the authentication ticket is carried:

| Value | Behaviour |
|---|---|
| UseCookies | Always uses cookies, regardless of what the browser reports. |
| UseUri | Always carries the authentication ticket in the URL. |
| AutoDetect | If the browser claims to support cookies, ASP.NET tests whether they are actually enabled; if the browser does not claim support or the test fails, cookieless (URL) authentication is used. |
| UseDeviceProfile | Default. Uses cookies if the browser's device profile says it supports them; does not detect that the user has turned cookies off, so authentication fails in that case. |
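Added example (not part of the original notes): the Protected folder rules above, first as written and then with the explicit deny they need. Administrators and Protected are the names used above; the comments describe ASP.NET URL authorization's merge order (location rules, then the parent config, then the machine-level default of allow all).

```xml
<!-- As written above: only the allow rule is present. -->
<location path="Protected">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <!-- Nothing here matches a logged-in non-administrator, so evaluation
           falls through to the root <deny users="?"/> (no match, the user is
           authenticated) and then to the machine-level default
           <allow users="*"/>: every authenticated user gets in. -->
    </authorization>
  </system.web>
</location>

<!-- Corrected: an explicit deny-all after the allow. Rules are evaluated
     top to bottom and the first match wins, so order matters; putting the
     deny first would lock the administrators out as well. -->
<location path="Protected">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
```

URL authorization only applies to requests that ASP.NET handles: under IIS 6 or classic pipeline mode, static files in Protected are served by IIS directly unless their extensions are mapped to ASP.NET.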
Login Controls
| Control | Purpose |
|---|---|
| CreateUserWizard | Gathers information about a new user and creates the user account. |
| Login | Prompts for username and password; when using custom authentication code, handle its Authenticate event. |
| LoginView | Displays content for logged-in users. |
| LoginStatus | Shows a link to the login page when the user is not authenticated. |
| LoginName | Displays the logged-in user's name. |
| PasswordRecovery | Password retrieval or reset for a user. |
| ChangePassword | Lets the user change their password. |
Membership Class
Membership.CreateUser()
Membership.DeleteUser()
Membership.FindUsersByEmail()
Membership.FindUsersByName()
Membership.GeneratePassword()
Membership.GetAllUsers()
Membership.GetNumberOfUsersOnline()
Membership.GetUser()
Membership.GetUserNameByEmail()
Membership.UpdateUser() // for an admin page that modifies users
Membership.ValidateUser() // use this when writing your own custom login code
Roles Class
Roles.AddUserToRole(), Roles.AddUsersToRole(), Roles.AddUsersToRoles()
Roles.CreateRole()
Roles.DeleteRole()
Roles.FindUsersInRole()
Roles.GetAllRoles()
Roles.GetRolesForUser()
Roles.IsUserInRole()
Roles.GetUsersInRole()
Roles.RemoveUserFromRole()
Authentication
Windows Authentication
Uncheck Anonymous authentication in the IIS virtual directory and select Integrated Windows Authentication.
As an additional best-practice step, set <authentication mode="Windows"/> in web.config.
Impersonation
    <identity impersonate="true"/>

Once a request is authenticated, ASP.NET impersonates the user's account for file and database access; unauthenticated requests run as the anonymous user account configured in IIS. With impersonation disabled, requests run as the IIS worker process account.

    <identity impersonate="true" userName="DOMAIN\username" password="password"/>

Forces all requests to impersonate one particular account (placeholder credentials shown).
Forms Authentication
    // FormsAuthentication.Authenticate checks the <credentials> section of web.config;
    // replace it with your own user-table lookup or Membership.ValidateUser() as needed
    if (FormsAuthentication.Authenticate(usernameTextBox.Text, passwordTextBox.Text))
    {
        // second argument: whether the authentication cookie persists after the browser is closed
        FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, false);
    }