control permission to sites in asp.net - c#

I need to use a custom authorization mechanism. It's very simple: it uses a database in which something like a session is stored and checked if it's active according to cookies. Nothing special. What is the best way to control permission to each site? Of course I can check in the load event on each site if the user is logged in, but is there any other way?

The built-in mechanism is ASP.NET Membership, which should fit basic needs out of the box. (If it does not, you should try explaining why you cannot use it; there may be a solution.)

Related

Add Session Management to ASPX pages with Minimum Code Changes

I have an ASP.NET application which has a number of aspx pages. These pages did not have any login or session management features, and any user could directly type the URL and visit any page.
Now I want to add state management feature to all the pages. I created a new signup and a basic login page which accepts username and password and has necessary database for it. It is fine to use any server or client state management features, but how can I implement it with very minimum code changes.
One straightforward solution here is to implement a session variable on the server side to store logged-in user details and check for it in the Page_Load event handler of each and every page. But here, a code change has to be made in all the pages, and I don't want that as there are so many pages. Any easier way will help.
Any ideas please??
Well, first of all it was good that you haven't implemented authentication in Page_Load on every page. Whenever an approach you think of requires that you copy-paste code in multiple places, you are doing something wrong.
That being said, you will probably need to create a base class for your Pages, and by doing that you could have authentication restricted to one spot / class.
However, it would be better if you combine that with what the ASP.NET framework offers. From the stuff you are talking about it seems you are using ASP.NET Forms; here is an article that should provide you with a fine overview of everything you need to do:
How to modify web.config to use Forms authentication
Login and Logout user (create authentication cookie)
Necessary code for authenticating requests that needs to be added to Global.asax
Restricting access to pages by entering appropriate values in web.config (although better approach would be with base class I mentioned)
Role-based Security with Forms Authentication

Toggle MVC user login method: Forms + AD Account

What if I am creating an intranet web application using MVC and in the administration's access panel I need to provide a way for users to login either via AD accounts or simple windows forms login-password combination.
The only way I see to accomplish that is to somehow switch on-the-fly the web-config file, allowing or disallowing the anonymous login and hence either or not to check inferred windows account name.
Two questions actually here: is there any more right way of doing it, and if not, what is the best way to change the web.config file on-the-fly, and is it really appropriate for accomplishing my goal?
"The only way I see to accomplish that is to somehow switch on-the-fly the web-config file"
Oh no, you are really very far from the truth.
Your scenario is actually very common. You could externalize the authentication to a separate service using WIF (Windows Identity Foundation). Here are some introductory slides. The idea is to federate authentication through a single sign on provider. And here's a similar question to yours.

ASP.NET Login, Authorization and Session Management Approach

I'm new to C# and ASP.NET (not MVC) and trying to code a web site.
Here is the question:
Which is the best approach for Login, Authorization and Session management? I'm not asking for how to use built-in membership classes or another ready-to-use solutions. I'm merely asking for a manual approach or methodology.
After a member writes User Name and Password and clicks the submit button, which do you think is the best solution to keep the user logged in while he/she browses pages, clicks buttons or somehow interacts with the web site?
E.g. is it a good method to use Session and write the User Name, Id etc. to the session and read the session in every page request to check if there's any member information; if so, set the page layouts according to the member's preferences?
Or creating an object at login, setting its properties according to the logged-in user, using the same object for the entire session and destroying it on logging out?
Thx
I suggest that the best approach is to use a pre-existing solution that has proven reliable.
For authentication, use a MembershipProvider. If you don't want to use for instance the SqlMembershipProvider, feel free to implement your own by deriving from System.Web.Security.MembershipProvider. Then register your custom provider in the web.config file of your application.
To get started, just search the web for "build a custom membership provider" and you will find lots of tutorials.
For authorization, use the possibilities provided by the <authorization>...</authorization> section in web.config. Make sure to learn about the possibility of placing additional web.config files in sub folders of your application.
If you need role based authorization, use a RoleProvider. Related web search: "build a custom role provider".
If you want to allow your users to store preferences, use a ProfileProvider.
In short, resist the temptation of reinventing the wheel...

Quickest way to require authentication in asp.net webform?

As of right now, I have the user register/log in and then if successful, redirect them to the homepage. However, this is extremely artificial as the user can simply type the url and go to any page they want. I'm fairly new to this and I've heard forms authentication mentioned multiple times as a way to do what I need: a simple means to prevent a user from accessing any page and once they haven't done a "Request" in awhile, I want them to be "logged out" and sent back to the log in page. I guess, in the end, I have three questions:
1) Can someone provide me a link to a great tutorial on authentication? I don't want to get too far in depth if I can avoid it.
2) Also, is it recommended to use cookies for this or not? I've heard different views on this?
3) I was told I can set this up in the web.config as well as in code behind? Is this true? If so, which do you recommend?
Thank you very much and I apologize for the broad question(s). If you need any more information, please let me know.
Here is Walkthrough: Creating a Website with Membership and User Logon that you can use.
As far as using cookies is concerned, they can be exploited. To be safe, it's best not to put anything of value in them. If you have to, then you should secure them (another topic altogether). In the scope of your question, know that ASP.NET encodes and hashes its authorization ticket, so you are OK using the default cookie settings. More info on the Web.config form element attributes here.
Forms Authentication is set up in the Web.config file. You can set the slidingExpiration attribute to log a user out if they haven't made a request within the time set in the attribute.
Take a look at this MSDN tutorial:
http://msdn.microsoft.com/en-us/library/ie/xdt4thhy.aspx
You can use the built-in ASP.NET SQL membership provider and login controls for register and login; this is implemented in the default web application project.
Then you can check the value of Request.IsAuthenticated in page load and redirect to the login page with Response.Redirect(loginPageUrl).
1) http://www.asp.net/web-forms/overview/security good place to start.
2) If you are using the ASP.NET built-in authentication, in most scenarios you don't have to worry about cookies. IMO nothing wrong with cookies :)
3) Usually you have to set this up in both. Generally you configure the auth method and the providers in web.config and do the redirection to login page in the codebehind or globally in global.asax.cs
Hope this helps.
Check How to: Implement Simple Forms Authentication.
This type of authentication requires a log-in form referenced in web.config. It can be done with or without cookie: Cookieless Forms Authentication.
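
The web.config approach these answers point to (Forms authentication, `<authorization>` rules, `slidingExpiration`, and per-path or role-based overrides), as an added example that is not from the original posts. `Login.aspx`, `Signup.aspx`, the `Admin` folder and the `Administrators` role are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example. Login.aspx, Signup.aspx, the Admin folder and the
     "Administrators" role are assumed names, not taken from the page. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to loginUrl. -->
    <authentication mode="Forms">
      <!-- timeout is in minutes. slidingExpiration renews the ticket on requests,
           so a user is logged out after at most 20 minutes without one.
           requireSSL keeps the ticket cookie off plain HTTP; protection="All"
           (the default) encrypts and validates the ticket. -->
      <forms loginUrl="~/Login.aspx"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Site-wide default: "?" means anonymous users, so every page requires a login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-path override: the sign-up page must stay reachable without a ticket. -->
  <location path="Signup.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-based rule for a sub folder (needs a configured RoleProvider).
       Rules are evaluated top to bottom and the first match wins, so the
       trailing deny is what blocks every other user. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the site-wide `<deny users="?" />` in place, no per-page `Page_Load` check is needed; the same `<authorization>` block can instead live in a separate web.config placed inside the sub folder.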

Authorization and authentication for WinForm application

I'm starting to develop a Windows application and I've been looking around for some authentication and authorization solution available, but no luck so far. I have to be able to allow an admin to create users and roles, assign users to roles and define access to controls on a form for specified roles (button enabled/disabled etc).
Is there any solution out there or maybe someone could give me short description of solution he's using?
Adrian
Maybe Client Application Services are useful for you.
Have a look at Membership provider class
It depends: will this be within a network domain or will people be able to access the application over the internet? If it is you would be looking at Windows authentication, otherwise ASP.NET authentication would work well. Look up the ASP.NET membership provider as it would do a lot of the grunt work for you.
I hope this helps.
I'm thinking of creating a standard users, roles, permissions table schema, adding a controls table where a permission would be 'for a role on a control', and then in the form loading event firing up a method to set the Enabled property of controls according to the user's role's permissions. Is this a good idea or should I take a hammer and get this out of my head (and if I should, please tell me why ;) )?
