LAB #8 – ASP.NET Security

profileSuperClass
 (Not rated)
 (Not rated)
Chat

LAB #8 – ASP.NET Security

 

Student: ______________________

 

Due Date:        Apr. 9th, 2014

 

Purpose:          The purpose of this Lab assignment is to:

·         Practice the use of Forms-Based authentication

References:   

·         Textbook.

·         Lecture notes

 

This assignment may be completed individually by all the students. Submit the solution in a zip file using assignment link on blackboard. The file must be named according to the following rule:

 

yourlastname_CEIL865Labnumber. Your project should also use the same name.

Example: smith_CEIL865Lab8

If there are two exercises, add to the file name: _Ex1 or _Ex2.

Example: smith_CEIL865Lab8_Ex1

 

Exercise #1

 

 

In this exercise, you’ll implement a simple Forms-based authentication.

 

Create a new ASP.NET application.

 

Configuring the application for forms authentication

 

If the application has a Web.config file in the application root, open it.

 

If the application does not already have a Web.config file in the application root folder, create one.

 

Add the following elements to it within <system.web> area:

 

<authenticationmode="Forms">

      <formsloginUrl="Logon.aspx"name=".ASPXFORMSAUTH">

       

        <credentialspasswordFormat="Clear">

          <username="[email protected]"password="ceil865"/>

        </credentials>

      </forms>

     

       

</authentication>

       

<authorization>

      <denyusers="?"/>

</authorization>

 

Save the Web.config file and close it.

 

Creating the Logon Page

 

When users request any page from the Web site and if they have not previously been authenticated, they are redirected to a page named Logon.aspx. You specified this file name earlier in the Web.config file.

 

The Logon.aspx page collects user credentials (e-mail address and password) and authenticates them. If the user is successfully authenticated, the logon page redirects the user to the page they originally requested. In the example, the valid credentials are hard-coded into the page code.

 

Create an ASP.NET page named Logon.aspx in your project.

Add the following web controls as shown in the picture:

Four label controls, two text box controls, one check box control, two requiredfieldvalidator controls, two button controls.

 

Set the text property of the label controls as shown in the picture. Name the text boxes UserMail and UserPass. Set the ControlToValidate property for validator controls respectively to UserMail and UserPass. Name the check box control Persist.

 

Name button controls respectively BtnLogon, BtnLogonWebConfig. Name the fourth label Message.

 

Here is the code behind for Logon.aspx page:

 

 

public partial class Logon : System.Web.UI.Page

{

    protected void Page_Load(object sender, EventArgs e)

    {

 

    }

    protected void BtnLogon_Click(object sender, EventArgs e)

    {

        if ((UserEmail.Text == "[email protected]") && (UserPass.Text == "ceil865"))

            FormsAuthentication.RedirectFromLoginPage(UserEmail.Text, Persist.Checked);

        else

            Msg.Text = "Invalid credentials. Please try again.";

     

 

    }

    protected void BtnLogonWebConfig_Click(object sender, EventArgs e)

    {

        //Authenticating against values in Web.config

        if( FormsAuthentication.Authenticate(UserEmail.Text, UserPass.Text) )

            FormsAuthentication.RedirectFromLoginPage(UserEmail.Text, Persist.Checked);

        else

            Msg.Text = "Invalid credentials. Please try again.";

       

 

 

    }

}

 

The page contains ASP.NET server controls that collect user information and a check box that users can click to make their login credentials persistent. The Log On button's Click handler contains code that checks the user's e-mail address and password against hard-coded values. (The password is a strong password that contains various non-alphabetic characters and is at least eight characters long.) If the user's credentials are correct, the code calls the FormsAuthentication class's RedirectFromLoginPage method, passing the user's name and a Boolean value (derived from the check box) indicating whether to persist an authentication ticket as a cookie. The method redirects the user to the page originally requested. If the user's credentials do not match, an error message is displayed. Note that the page imports the System.Web.Security namespace, which contains the FormsAuthentication class.

 

Creating the Default Page

 

Because you specified in the configuration file that all unauthenticated users are denied access to the application's ASP.NET resources (which includes .aspx files, but not static files such as HTML files or multi-media files including images, music, and so on), when a user requests the page, forms authentication will check the user's credentials and redirect the user to the logon page if necessary. The page you create will also allow users to log out, which clears their persisted authentication ticket (cookie).

 

If you don’t have a default page, add a new web form and name it Default.aspx. Add a label control and a button control to the form as shown in the picture below:

 

 

Name the label Welcome and the button Sign_Out.

 

Here is the code behind the page:

 

 

public partial class _Default : System.Web.UI.Page

{

    protected void Page_Load(object sender, EventArgs e)

    {

        Welcome.Text = "Hello, " + Context.User.Identity.Name;

    }

    protected void Sign_Out_Click(object sender, EventArgs e)

    {

        //removes the forms authentication cookie

        FormsAuthentication.SignOut();

 

        //Redirects the browser to the login URL. Clears the cookie

        FormsAuthentication.RedirectToLoginPage();

    }

}

 

The page displays the user's authenticated identity, which was set by the FormsAuthentication class and is available in an ASP.NET page as the Context.User.Identity.Name property. The Sign Out button's Click handler contains code that calls the SignOut method to clear the user identity and remove the authentication ticket (cookie). It then redirects the user to the logon page:

 

 

References:

 

 

MSDN documentation

    • 8 years ago