In a previous tutorial we used the Session object to create a simple password-protected ASP.NET login, much as we could with Classic ASP. ASP.NET offers another option: Forms Authentication.
In simple terms, when a user enters a correct username and password a cookie is created and stored on their computer that identifies them as authenticated. Once a user is authenticated you can allow or deny them access to protected folders and pages.
When working with Forms Authentication we need to:
1. Enable Forms Authentication in the Web.Config file
2. Create a Login Page
3. Verify the user
4. Grant them authorisation to view folders and pages
With Forms Authentication we can store usernames and passwords in the login code itself, the web.config file, a database, or an XML file.
Our first example below stores the username and password in the code of the file 'login.aspx'. The page displays a textbox control for both the username and password. When the ASP.NET button 'LoginButton' is clicked, the Click event is raised and the event handler 'Login' is called. This subroutine checks the Text property of the UserName and Password textbox controls to see if they match 'myAdmin' and 'myPassword' respectively.
If the username and password match then the FormsAuthentication.RedirectFromLoginPage method is called with two parameters. The first is the user name to be stored in the authentication cookie for this user; the second is a Boolean value. Setting it to True creates a persistent cookie that allows the user to close their browser, come back to the site and still be logged in. Setting it to False forces users to log in each time they close their browser and revisit the site.
If the user originally requested a protected page and was sent to the login page instead, the RedirectFromLoginPage method returns them to that original page once they have logged in.
In our example, if the username and password don't match then a literal control 'LtlLogin' displays an invalid login message.
login.aspx
<%@ Page Language="VB" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    ' Click handler for LoginButton: compares the submitted details with the
    ' username and password hard-coded in this page.
    Public Sub Login(ByVal s As Object, ByVal e As EventArgs)
        If UserName.Text = "myAdmin" And Password.Text = "myPassword" Then
            ' Issue the authentication cookie (persistent, because of the True)
            ' and send the user back to the page they originally requested.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)
        Else
            LtlLogin.Text = "<p>Sorry you have provided incorrect login details.</p>"
        End If
    End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Admin Log In</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <h1>Admin Log In</h1>
        Username:<br />
        <asp:TextBox ID="UserName" Runat="server" /><br />
        Password:<br />
        <asp:TextBox ID="Password" TextMode="Password" Runat="server" /><br />
        <asp:Button ID="LoginButton" Text="Log In" OnClick="Login" Runat="server" /><br />
        <asp:Literal ID="LtlLogin" Runat="server" />
    </div>
    </form>
</body>
</html>
The following Web.config enables Forms Authentication and restricts access to all the files in our site; login.aspx itself remains accessible, because Forms Authentication always lets requests for the login page through. Notice the <authorization> element and the question mark in the line <deny users="?" />. This instructs our website to deny access to all anonymous users and grant access only to those that have logged in and been authenticated. With the code above, only those who have entered the username 'myAdmin' and the password 'myPassword' will be allowed access.
Web.config
<?xml version="1.0"?>
<configuration>
    <system.web>
        <authentication mode="Forms" />
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
To test the code above, create these two files and place them in the top-level folder (the root) of your website. You'll also need to create a default.aspx file. You will not be able to access default.aspx without logging in; when you log in successfully, default.aspx is the page you are redirected to.
It's important to note that the default login page is 'Login.aspx' and the default page after a successful login is, unsurprisingly, 'Default.aspx'.
If you want to change the default loginUrl and the default home page, add the <forms> element shown inside <authentication> in the Web.config file below.
<?xml version="1.0"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login2.aspx" defaultUrl="default2.aspx" />
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
Our second example below is slightly different from the first. The first example stored the username and password in the login file; in the second we store a list of users and passwords in the Web.config file and authenticate the user against these. In the Web.config file each username and password is specified within the <credentials> element.
Web.config
<?xml version="1.0"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms>
                <credentials passwordFormat="Clear">
                    <user name="admin" password="password" />
                </credentials>
            </forms>
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
In our login code below we can then use the Authenticate method of the FormsAuthentication class to check the username and password against the user details stored in the Web.config file.
login.aspx
<%@ Page Language="VB" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    ' Click handler for LoginButton: Authenticate compares the submitted details
    ' with the <credentials> stored in Web.config.
    Public Sub Login(ByVal s As Object, ByVal e As EventArgs)
        If FormsAuthentication.Authenticate(UserName.Text, Password.Text) Then
            ' Issue the (persistent) authentication cookie and return the user
            ' to the page they originally requested.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, True)
        Else
            LtlLogin.Text = "<p>Sorry you have provided incorrect login details.</p>"
        End If
    End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Admin Log In</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <h1>Admin Log In</h1>
        Username:<br />
        <asp:TextBox ID="UserName" Runat="server" /><br />
        Password:<br />
        <asp:TextBox ID="Password" TextMode="Password" Runat="server" /><br />
        <asp:Button ID="LoginButton" Text="Log In" OnClick="Login" Runat="server" /><br />
        <asp:Literal ID="LtlLogin" Runat="server" />
    </div>
    </form>
</body>
</html>
If the user enters the correct login details then the RedirectFromLoginPage method will create the authentication cookie and the user will be able to view the website pages.
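The second example's Web.config stores the password in clear text and issues a persistent cookie over any connection; the following hardened Web.config is an added example (not from the tutorial) showing the same credentials-based setup with the settings a practitioner would normally change. It assumes the site is served over HTTPS (RedirectFromLoginPage throws when requireSSL is set and the request is plain HTTP), and the hashed value is the constructed sample password "password" run through FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1").

```xml
<?xml version="1.0"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <!-- requireSSL: the ticket cookie is only sent over HTTPS, so it
                 cannot be read on a plain-HTTP connection.
                 protection="All": the ticket is encrypted and signed.
                 timeout (minutes) with slidingExpiration="false": the ticket
                 expires a fixed time after login instead of being renewed on
                 every request.
                 cookieless="UseCookies": never carry the ticket in the URL. -->
            <forms loginUrl="login.aspx"
                   defaultUrl="default.aspx"
                   requireSSL="true"
                   protection="All"
                   timeout="20"
                   slidingExpiration="false"
                   cookieless="UseCookies">
                <!-- passwordFormat="SHA1": Web.config holds a hash, not the
                     password. FormsAuthentication.Authenticate hashes the
                     submitted password the same way before comparing.
                     Value below = SHA-1 hex of the constructed sample
                     password "password". Unsalted SHA-1 is still weak, so
                     this is only reasonable for a handful of admin accounts;
                     anything larger belongs in a membership provider or a
                     database with salted, slow password hashing. -->
                <credentials passwordFormat="SHA1">
                    <user name="admin"
                          password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
                </credentials>
            </forms>
        </authentication>
        <!-- Same rule as the tutorial: anonymous users are sent to loginUrl. -->
        <authorization>
            <deny users="?" />
        </authorization>
        <!-- HttpOnly keeps the ticket cookie out of reach of client-side script;
             requireSSL here applies to all cookies the application sets. -->
        <httpCookies httpOnlyCookies="true" requireSSL="true" />
    </system.web>
</configuration>
```

Pair this with a login handler that passes False as the second argument to RedirectFromLoginPage, so the ticket lives only for the browser session and the timeout above, rather than as a persistent cookie.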