Issue dated - 4th August 2003


Form Authentication

The C# Column - Yashavant Kanetkar

ASP.NET incorporates a feature called ‘form authentication’. Form authentication involves asking the user for his credentials and, if they are valid, authenticating him to access the Web pages. It greatly reduces the amount of code we would otherwise have to write to check whether the user has logged in, to redirect him to the login page if he has not, and to redirect him to the page he requested once the login succeeds.

All this is managed by making entries in the ‘Web.config’ file, where we can specify the login page and the pages that are protected. The first time the user tries to access a protected page, ASP.NET asks him to log in. If the login is successful, ASP.NET grants him an authentication ticket in the form of a cookie and then allows him to access the protected page. When the user requests the page again, this cookie allows him to access it without having to log in again.

Let us now implement form authentication in a program. Our program will have a default page, a login page and a protected page that is displayed only if the login succeeds.

First of all, create an ASP.NET Web application to hold the forms. Rename the Web form to ‘public.aspx’. Also change the CodeBehind attribute to ‘public.aspx.cs’. We will keep the public page simple. It will contain only a ‘View Page’ button, which on clicking would open the protected page. But before opening the page it would ask the client for a username and password.

Add two more Web forms to the application, namely ‘protected.aspx’ and ‘login.aspx’. Add a label on the protected page that would display a message on it. Add two text boxes and a ‘Login’ button to the login page. The text boxes would accept a user name and password from the user. On clicking the ‘Login’ button the credentials of the client would be checked and the client would be redirected to the protected page.

Add the Click event handler for the ‘View Page’ button in the ‘public.aspx’ file. Add the following statement to the handler:

Response.Redirect ( "Secured/Protected.aspx" ) ;

The Redirect( ) method redirects the client to the new URL specified in it.

Open the ‘Web.config’ file that gets created in the application folder. Add the statements to the <authentication> section, such that the <authentication> section looks like this:

<configuration>
  ...
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx">
        <credentials passwordFormat="Clear">
          <user name="ypk" password="kicit" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
  ...
</configuration>

The <authentication mode="Forms"> indicates that the authentication mode for this website is ‘Forms’. This means that if there is no authentication cookie in the request header, the request has to be redirected to the login page. If the cookie is found, access to the requested page is granted. The <forms> element specifies the login URL, that is, the page from which the identification cookie is placed. The <credentials> element indicates the format in which the passwords are stored; ‘Clear’ means they are kept in the file as plain text. The <user> entries that follow list the correct username and password. We can specify multiple username-password entries.

Now add the Click event handler for the ‘Login’ button. Add the following code to it:

if ( FormsAuthentication.Authenticate ( uid.Text, pwd.Text ) )
    FormsAuthentication.RedirectFromLoginPage ( uid.Text, false ) ;

The Authenticate( ) method returns true if the username and password match an entry specified in the ‘Web.config’ file. If they do, the client is redirected to the ‘protected.aspx’ page. The FormsAuthentication class is a member of the System.Web.Security namespace, so we must import this namespace with a using statement at the beginning of the program.
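A fuller version of the ‘Login’ handler, given here as an added example and not as code from the column: it reports a failed login and shows how the ‘Web.config’ entry can hold a SHA1 hash in place of the clear-text password. The namespace, class and handler names and the ‘msg’ label are assumptions; ‘uid’ and ‘pwd’ are the text boxes used in the snippet above.

```csharp
// login.aspx.cs - code-behind for the login page (added example, .NET 1.x style).
// Assumed names: namespace FormAuth, class Login, handler Login_Click, label 'msg'.
//
// Matching Web.config entry with the password stored as a hash, not clear text
// (the password value below is a placeholder, not a real hash):
//   <credentials passwordFormat="SHA1">
//     <user name="ypk" password="HEX-SHA1-HASH-GOES-HERE" />
//   </credentials>
// SHA1 here is unsalted; it only keeps the plain password out of the file.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace FormAuth
{
    public class Login : Page
    {
        protected TextBox uid;   // user name text box from the article
        protected TextBox pwd;   // password text box from the article
        protected Label msg;     // hypothetical label for the failure message

        // Wire this method to the 'Login' button's Click event.
        protected void Login_Click ( object sender, EventArgs e )
        {
            // Authenticate( ) applies the configured passwordFormat to pwd.Text
            // and compares the result with the value stored in Web.config.
            if ( FormsAuthentication.Authenticate ( uid.Text, pwd.Text ) )
            {
                // false = the ticket cookie lasts for the browser session only.
                FormsAuthentication.RedirectFromLoginPage ( uid.Text, false ) ;
            }
            else
            {
                // One message for a wrong name or a wrong password.
                msg.Text = "Invalid user name or password." ;
            }
        }

        // Call once to obtain the value to paste into the password attribute.
        public static string HashForConfig ( string password )
        {
            return FormsAuthentication.HashPasswordForStoringInConfigFile ( password, "SHA1" ) ;
        }
    }
}
```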

Create a ‘Secured’ virtual directory inside the application folder. Copy the ‘protected.aspx’ and ‘Web.config’ files to this folder. Open the ‘Secured/Web.config’ file and add the <authorization> section to it. The contents of the ‘Web.config’ file are given below:

<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>

In the <authorization> section we have indicated that every anonymous user, denoted by ‘?’, has to be denied access to the page.

Run the application. The default page gets displayed, as shown in the following snapshot.

Click the ‘View Page’ button. It will take you to the login page as shown below.

Enter the username as ‘ypk’ and password as ‘kicit’. Click the ‘Login’ button. The protected page gets displayed. Now request the default page again and click the ‘View Page’ button. This time the protected page gets displayed directly without asking for the username and password.

Yashavant Kanetkar, one of the first Express Computer columnists, is an established software expert, speaker and author with several best-sellers to his credit, including titles like “Let Us C” and the “Fundas” series. Contact him at kanet@nagpur.dot.net.in


© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.