Tuesday, 5 August 2014

Form Authentication in Asp.net with C#

http://www.msdotnet.co.in/2014/02/how-to-implement-form-based.html#.U-G2d_mSyXU


The forms-authentication classes live in the "System.Web.Security" namespace. There are two techniques for authenticating a user manually:
  1. By hard-coded values
  2. By the web.config file
     1.) By hard-coded values:- The login web form (login.aspx) checks the submitted user name and password against values hard-coded in the page's code-behind.
     2.) By the web.config file:- The login web form (login.aspx) checks the submitted user name and password against the <credentials> section of web.config.

Note:- The user name and password can also be checked against a database instead of hard-coded or web.config values.
Where we can use this authentication:-
Suppose your organization has a limited number of employees (say 200) and you host an ASP.NET website to give them internal information. If only company members may use the site, you create a user name and password for each employee, store them in web.config or as hard-coded values, and hand each employee their credentials. When an employee wants to see information posted by a manager, they first have to prove they hold the user name and password issued by the organization.

When an employee opens the website, the login page (login.aspx) is shown first; after a successful login the employee is redirected to the home page (main page) of the site. After using the application the employee must log out. Otherwise anyone with access to the same browser can continue the session, or reuse a persistent authentication cookie, under that employee's name, which can be very harmful for the organization.
The following attributes and elements can be used in web.config (under the authentication and authorization sections).

  1. name:- Optional. The name of the HTTP cookie used for authentication. If you run several applications on one server, give each one a unique cookie name in its web.config; otherwise the applications will overwrite each other's cookie. The default is .ASPXAUTH.
  2. loginUrl:- Optional. The URL to which an unauthenticated request is redirected for logon. In this application it is login.aspx: if no valid authentication cookie is found, the request is redirected there automatically.
  3. defaultUrl:- Optional. The URL the user is redirected to after authentication when no ReturnUrl is present. I have set defaultUrl="home.aspx" in this application.
  4. protection:- How the authentication cookie is protected: All (encrypt and validate, the default), Encryption, Validation or None. The keys and algorithms come from the machineKey configuration (Triple DES historically, AES on later framework versions). Leave it at All.
  5. path:- The path attribute of the cookie. Most browsers treat the cookie path as case sensitive: if the path case does not match the request URL, the browser will not send the cookie back to the application. "/" covers the whole site.
  6. requireSSL:- Whether the authentication cookie may only be sent over an SSL/TLS connection. In this demo application I have used requireSSL="false"; on a real site set it to "true", otherwise the cookie travels in clear text over HTTP.
  7. timeout:- The time in minutes after which the authentication cookie expires. The default is 30 minutes.
  8. slidingExpiration:- Whether sliding expiration is enabled. With sliding expiration the expiry time is pushed forward on each request once more than half of the timeout has elapsed, so an active user is not logged out mid-session.
  9. credentials:- Lets you place user names and passwords directly in the configuration file. You can also bypass it and build a custom scheme that checks an external source such as a database.
  10. authentication:- The parent element (inside system.web). mode="Forms" tells ASP.NET to identify the users of the application with forms authentication.
The steps to implement this concept in an ASP.NET application:
Step 1:- Open Visual Studio --> File --> New --> Website --> select "ASP.NET Empty Website" --> OK --> open Solution Explorer --> add a web form (login.aspx) --> drag and drop Label, TextBox and Button controls from the Toolbox as shown below:-

logon form

Step 2:- Add another web form (home.aspx) to the project --> drag and drop a Button and a Label control as shown below:-


home_form

Step 3:- Open the web.config file and add the following configuration:-
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- demo settings: requireSSL="false" is only acceptable on a test machine -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             defaultUrl="home.aspx"
             protection="All"
             path="/"
             requireSSL="false"
             timeout="20"
             slidingExpiration="true">
        <!-- Clear stores the passwords in plain text; SHA1 or MD5 store their hex digest -->
        <credentials passwordFormat="Clear">
          <!--<credentials passwordFormat="SHA1">-->
          <!--<credentials passwordFormat="MD5">-->
          <user name="ram" password="ram123"/>
          <user name="shayam" password="shayam123"/>
          <user name="neha" password="neha123"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user, "*" is everyone; order matters, first match wins -->
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
    <compilation debug="true"/>
  </system.web>
</configuration>
Note:- Here I have created some user names and passwords manually in web.config. Only these users can authenticate on login.aspx through the web.config route.
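The configuration above is the weak form of the settings. As an added example (not the original post's configuration), here is the same web.config with the options tightened: requireSSL on, sliding expiration off, SHA1 digests instead of clear-text passwords, debug compilation off, HttpOnly/Secure flags on all cookies, and a <location> element that opens one folder to anonymous visitors. The folder name "public" and the hash placeholder are assumptions for this example; the placeholder must be replaced with the digest produced by HashPasswordForStoringInConfigFile.

```xml
<!-- Added example, not the post's own web.config -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             defaultUrl="home.aspx"
             protection="All"
             path="/"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies">
        <!-- SHA1 hex digests instead of clear text. Still unsalted, so two users with the
             same password get the same value; a real deployment should move credentials
             to a database with salted hashes. -->
        <credentials passwordFormat="SHA1">
          <user name="ram"  password="REPLACE-WITH-SHA1-HEX-OF-PASSWORD"/>
          <user name="neha" password="REPLACE-WITH-SHA1-HEX-OF-PASSWORD"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
    <!-- every cookie the application sets is HttpOnly and only sent over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>
    <!-- never ship debug builds; error pages leak stack traces and source -->
    <compilation debug="false"/>
  </system.web>
  <!-- resources under /public (assumed folder name) are reachable without logging in -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" the forms module refuses to issue the cookie over plain HTTP, so the site itself must be served over HTTPS or the login will appear to fail.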
Step 4:- Open login.aspx and write the following C# code for the two button-click handlers in login.aspx.cs:-

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Nothing to do here: the user name is stored in Session only after a
        // successful login (see the click handlers), not on every request and
        // not before the password has been checked.
    }

    // Button 1: authenticate against hard-coded values
    protected void Button1_Click(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        bool validformlogin = Authenticate_user(userName, TextBox2.Text.Trim());

        if (validformlogin)
        {
            Session["id"] = userName;
            // false = non-persistent cookie; redirects to ReturnUrl or defaultUrl
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            Response.Write("invalid login ..try again");
        }
    }

    // Hard-coded credentials for the demo (admin, neha, sanjay)
    private bool Authenticate_user(string user_name, string password)
    {
        if (user_name == "admin" && password == "admin123")
            return true;
        if (user_name == "neha" && password == "neha123")
            return true;
        if (user_name == "sanjay" && password == "sanjay123")
            return true;
        return false;
    }

    // Button 2: authenticate against the <credentials> section of web.config
    protected void Button2_Click1(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        // FormsAuthentication.Authenticate compares with web.config; it is
        // marked obsolete from .NET Framework 4.5 in favour of Membership.
        if (FormsAuthentication.Authenticate(userName, TextBox2.Text.Trim()))
        {
            Session["id"] = userName;
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            Response.Write("invalid user ...try again");
        }
    }
}

Description:- Both button-click handlers end in the same call, described below:-
  • RedirectFromLoginPage method:-> It takes two parameters: the user name for whom the authentication cookie is created, and a Boolean saying whether the cookie is persistent (survives closing the browser) or non-persistent. It issues the cookie and then redirects: if the request carries a ReturnUrl query-string parameter (added when an unauthenticated request was sent to loginUrl), the user goes back to that page; otherwise the user is sent to the defaultUrl from web.config (default.aspx if none is set).
  • passwordFormat attribute:-> It describes the form in which the password is written in web.config. Clear means the password is stored in plain text. MD5 or SHA1 means the attribute holds the hex digest of the password computed with that algorithm. This is a hash, not encryption, and it is unsalted, so identical passwords produce identical values and the digests can be attacked with precomputed tables; it is only a step up from Clear. To produce the digest call the static method FormsAuthentication.HashPasswordForStoringInConfigFile (marked obsolete from .NET Framework 4.5), which takes two parameters:
              1.) the text to hash
              2.) the name of the algorithm, "MD5" or "SHA1"
Example:- If you are using passwordFormat MD5 or SHA1, the following C# code prints the value to paste into web.config:-
protected void Page_Load(object sender, EventArgs e)
{
    // Writes the upper-case hex SHA1 digest of the password "neha123";
    // pass "MD5" as the second argument when passwordFormat="MD5".
    Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile("neha123", "SHA1"));
}
  • If some resources must be accessible to all users, allow them with a location element in web.config. I have already used the location element in the Windows authentication tutorials.
Note:- With the first button only the users that satisfy the if / else if conditions in Authenticate_user are authenticated.
Step 5:- Open home.aspx and write the following C# code in home.aspx.cs:-
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class home : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The forms ticket, not Session, says who is logged in; <deny users="?">
        // in web.config already sends anonymous requests back to login.aspx.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // Session["id"] was set at login; fall back to the ticket's user name
        // if the session has expired before the cookie did.
        object id = Session["id"];
        Label1.Text = id != null ? id.ToString() : User.Identity.Name;
    }

    // Logout button
    protected void Button1_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();  // removes the .ASPXAUTH cookie
        Session.Abandon();              // drops the server-side session state
        Response.Redirect("login.aspx");
    }
}
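Steps 4 and 5 compare the password with clear-text values, either hard-coded or in web.config. The note earlier in the post says the check can also run against a database; as an added example (not code from the original post), here is how the same login and logout flow looks when the credential store holds salted PBKDF2 hashes instead. The dictionary stands in for a users table and is filled with constructed rows at startup; the helper names CredentialStore, CreateCredential, VerifyPassword and FixedTimeEquals are this example's own, not ASP.NET APIs. Only RedirectFromLoginPage, SignOut and RedirectToLoginPage come from System.Web.Security. In a real project the two partial classes live in their own code-behind files.

```csharp
// Added example, not the post's own code-behind.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class login : System.Web.UI.Page
{
    const int SaltSize = 16;        // bytes of random salt per user
    const int HashSize = 32;        // bytes of PBKDF2 output stored
    const int Iterations = 100000;  // PBKDF2-HMAC-SHA1 rounds (Rfc2898DeriveBytes)

    // Stand-in for a users table: user name -> (salt, hash). Constructed here so the
    // example runs without a database; a real application loads these rows from one.
    static readonly Dictionary<string, Tuple<byte[], byte[]>> CredentialStore =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase)
        {
            { "neha",   CreateCredential("neha123") },
            { "sanjay", CreateCredential("sanjay123") },
        };

    // Salt and hash a password. Only salt and hash are kept, never the clear text,
    // so a leaked web.config or database dump does not hand out the passwords.
    static Tuple<byte[], byte[]> CreateCredential(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Tuple.Create(salt, kdf.GetBytes(HashSize));
    }

    // Recompute the hash with the stored salt and compare in constant time.
    static bool VerifyPassword(string userName, string password)
    {
        Tuple<byte[], byte[]> stored;
        if (!CredentialStore.TryGetValue(userName, out stored))
            return false;                       // unknown user
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, stored.Item1, Iterations))
            candidate = kdf.GetBytes(HashSize);
        return FixedTimeEquals(candidate, stored.Item2);
    }

    // Compare every byte regardless of where the first mismatch is, so response
    // time does not reveal how many leading bytes of the hash were right.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        if (VerifyPassword(userName, TextBox2.Text))
        {
            // Issue the forms ticket; false = session cookie, never persist it on a
            // shared machine. Honours ReturnUrl, else defaultUrl from web.config.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // One generic message: do not reveal whether the user name exists.
            Response.Write("Invalid user name or password.");
        }
    }
}

public partial class home : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The forms ticket is the source of truth for who is logged in.
        Label1.Text = User.Identity.Name;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // clear the .ASPXAUTH cookie
        Session.Abandon();               // and any server-side session state
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The hashing cost is deliberate: 100,000 PBKDF2 rounds make a stolen hash table expensive to brute-force, while one login still completes in well under a second. Tune Iterations to the slowest acceptable login time on the production server rather than lowering it to suit a development machine.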

Step 6:- Run the application (press F5) --> fill in the user name and password fields with one of the hard-coded values --> press the "Login through hard code" button.


login_output

Step 7:- Run the application again --> log in on login.aspx with a user name and password from the web.config credentials section, as shown below:-


output

Step 8:- If the user name or password does not match the hard-coded or web.config values, the following error is shown:


error _page

Step 9:- If the authentication cookie is made persistent (the second parameter of RedirectFromLoginPage set to true) you can reopen the site without entering the user name and password again. This is harmful if anyone else uses your computer, so press the Logout button before leaving the application. The sample code passes false, so the cookie is discarded when the browser closes.

Note:- In a coming tutorial I will add the full set of security features to this login using the Web Site Administration Tool of Visual Studio 2010.