Create an ASP.NET Application Using C# .NET

1. Open Visual Studio .NET.
2. Create a new ASP.NET Web application, and specify the name and location.

Configure the Security Settings in the Web.config File

This section demonstrates how to add and modify the <authentication> and <authorization> configuration sections to configure the ASP.NET application to use forms-based authentication.

1. In Solution Explorer, open the Web.config file.
2. Change the authentication mode to Forms.
3. Insert the <Forms> tag, and fill the appropriate attributes. Copy the following code, and then click Paste as HTML on the Edit menu to paste the code in the <authentication> section of the file:

   1: <authentication mode="Forms">

   2:    <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx" 

   3:    protection="All" path="/" timeout="30" />

   4: </authentication> 

   5:     

4. Deny access to the anonymous user in the <authorization> section as follows:

   1: <authorization>

   2:    <deny users ="?" />

   3:    <allow users = "*" />

   4: </authorization>

Create a Logon.aspx Page

1. Add a new Web Form to the project named Logon.aspx.
2. Open the Logon.aspx page in the editor, and switch to HTML view.
3. Copy the following code, and use the Paste as HTML option on the Edit menu to insert the code between the <form> tags:

   1: <h3>

   2:    <font face="Verdana">Logon Page</font>

   3: </h3>

   4: <table>

   5:    <tr>

   6:       <td>Email:</td>

   7:       <td><input id="txtUserName" type="text" runat="server"></td>

   8:       <td><ASP:RequiredFieldValidator ControlToValidate="txtUserName"

   9:            Display="Static" ErrorMessage="*" runat="server" 

  10:            ID="vUserName" /></td>

  11:    </tr>

  12:    <tr>

  13:       <td>Password:</td>

  14:       <td><input id="txtUserPass" type="password" runat="server"></td>

  15:       <td><ASP:RequiredFieldValidator ControlToValidate="txtUserPass"

  16:           Display="Static" ErrorMessage="*" runat="server" 

  17:           ID="vUserPass" />

  18:       </td>

  19:    </tr>

  20:    <tr>

  21:       <td>Persistent Cookie:</td>

  22:       <td><ASP:CheckBox id="chkPersistCookie" runat="server" autopostback="false" /></td>

  23:       <td></td>

  24:    </tr>

  25: </table>

  26: <input type="submit" Value="Logon" runat="server" ID="cmdLogin"><p></p>

  27: <asp:Label id="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />

  28:                         

4. This Web Form is used to present a logon form to users so that they can provide their user name and password to log on to the application.
5. Switch to Design view, and save the page.

Code the Event Handler So That It Validates the User Credentials

This section presents the code that is placed in the code-behind page (Logon.aspx.cs).

1. Double-click Logon to open the Logon.aspx.cs file.
2. Import the required namespaces in the code-behind file:

   1: using System.Data.SqlClient;

   2: using System.Web.Security;

3. Create a ValidateUser function to validate the user credentials by looking in the database. (Make sure that you change the Connection string to point to your database).

   1: private bool ValidateUser( string userName, string passWord )

   2: {

   3:     SqlConnection conn;

   4:     SqlCommand cmd;

   5:     string lookupPassword = null;

   6:  

   7:     // Check for invalid userName.

   8:     // userName must not be null and must be between 1 and 15 characters.

   9:     if ( (  null == userName ) || ( 0 == userName.Length ) || ( userName.Length > 15 ) )

  10:     {

  11:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Input validation of userName failed." );

  12:         return false;

  13:     }

  14:  

  15:     // Check for invalid passWord.

  16:     // passWord must not be null and must be between 1 and 25 characters.

  17:     if ( (  null == passWord ) || ( 0 == passWord.Length ) || ( passWord.Length > 25 ) )

  18:     {

  19:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Input validation of passWord failed." );

  20:         return false;

  21:     }

  22:  

  23:     try

  24:     {

  25:         // Consult with your SQL Server administrator for an appropriate connection

  26:         // string to use to connect to your local SQL Server.

  27:         conn = new SqlConnection( "server=localhost;Integrated Security=SSPI;database=pubs" );

  28:         conn.Open();

  29:  

  30:         // Create SqlCommand to select pwd field from users table given supplied userName.

  31:         cmd = new SqlCommand( "Select pwd from users where uname=@userName", conn );

  32:         cmd.Parameters.Add( "@userName", SqlDbType.VarChar, 25 );

  33:         cmd.Parameters["@userName"].Value = userName;

  34:  

  35:         // Execute command and fetch pwd field into lookupPassword string.

  36:         lookupPassword = (string) cmd.ExecuteScalar();

  37:  

  38:         // Cleanup command and connection objects.

  39:         cmd.Dispose();

  40:         conn.Dispose();

  41:     }

  42:     catch ( Exception ex )

  43:     {

  44:         // Add error handling here for debugging.

  45:         // This error message should not be sent back to the caller.

  46:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Exception " + ex.Message );

  47:     }

  48:  

  49:     // If no password found, return false.

  50:     if ( null == lookupPassword ) 

  51:     {

  52:         // You could write failed login attempts here to event log for additional security.

  53:         return false;

  54:     }

  55:  

  56:     // Compare lookupPassword and input passWord, using a case-sensitive comparison.

  57:     return ( 0 == string.Compare( lookupPassword, passWord, false ) );

  58:  

  59: }

4. You can use one of two methods to generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event. Sample code is provided for both scenarios. Use either of them according to your requirement.
• Call the RedirectFromLoginPage method to automatically generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event:

   1: private void cmdLogin_ServerClick(object sender, System.EventArgs e)

   2: {

   3: if (ValidateUser(txtUserName.Value,txtUserPass.Value) )

   4:     FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,

   5:         chkPersistCookie.Checked);

   6:     else

   7:         Response.Redirect("logon.aspx", true);

   8: }

• Generate the authentication ticket, encrypt it, create a cookie, add it to the response, and redirect the user. This gives you more control in how you create the cookie. You can also include custom data along with the FormsAuthenticationTicket in this case.

   1: private void cmdLogin_ServerClick(object sender, System.EventArgs e)

   2: {

   3:    if (ValidateUser(txtUserName.Value,txtUserPass.Value) )

   4:    {

   5:       FormsAuthenticationTicket tkt;

   6:       string cookiestr;

   7:       HttpCookie ck;

   8:       tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, 

   9: DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data");

  10:       cookiestr = FormsAuthentication.Encrypt(tkt);

  11:       ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);

  12:       if (chkPersistCookie.Checked)

  13:       ck.Expires=tkt.Expiration;    

  14:             ck.Path = FormsAuthentication.FormsCookiePath; 

  15:       Response.Cookies.Add(ck);

  16:  

  17:       string strRedirect;

  18:       strRedirect = Request["ReturnUrl"];

  19:       if (strRedirect==null)

  20:             strRedirect = "default.aspx";

  21:          Response.Redirect(strRedirect, true);

  22:    }

  23:    else

  24:       Response.Redirect("logon.aspx", true);

  25: }

5. Make sure that the following code is added to the InitializeComponent method in the code that the Web Form Designer generates:

   1: this.cmdLogin.ServerClick += new System.EventHandler(this.cmdLogin_ServerClick);

Create a Default.aspx Page

This section creates a test page to which users are redirected after they authenticate. If users browse to this page without first logging on to the application, they are redirected to the logon page.

1. Rename the existing WebForm1.aspx page as Default.aspx, and open it in the editor.
2. Switch to HTML view, and copy the following code between the <form> tags:

   1: <input type="submit" Value="SignOut" runat="server" id="cmdSignOut">

3. This button is used to log off the forms authentication session.
4. Switch to Design view, and save the page.
5. Import the required namespaces in the code-behind file:

   1: using System.Web.Security;

6. Double-click SignOut to open the code-behind page (Default.aspx.cs), and copy the following code in the cmdSignOut_ServerClick event handler:

   1: private void cmdSignOut_ServerClick(object sender, System.EventArgs e)

   2: {

   3:    FormsAuthentication.SignOut();

   4:    Response.Redirect("logon.aspx", true);

   5: }

7. Make sure that the following code is added to the InitializeComponent method in the code that the Web Form Designer generates:

   1: this.cmdSignOut.ServerClick += new System.EventHandler(this.cmdSignOut_ServerClick);

8. Save and compile the project. You can now use the application.

Share on Facebook

I will waste no time and get straight down to business. The tutorial is based on 6 easy steps.

Step 1:

Creating a table in the database.

I have created a very simple table that has only two columns; username and password.

Here is the SQL:

CREATE TABLE `userstable` (
`userName` varchar(20) NOT NULL default ”,
`password` varchar(20) NOT NULL default ”,
PRIMARY KEY  (`userName`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Step 2:

Create a connection to the database. Although the file below is meant only for a database connection I have taken the liberty of using it to save some general purpose settings as well.

//dbConfig.php

<?php
/*

• The config file for the database connection and variables
• change the database name and username and password
• /

//variables for the databse connection
$serverName = “localhost”;
$userName = “manager”;
$password = “”;
$dbName = “testdatabase”;

$conn = mysql_pconnect($serverName, $userName, $password);
if (!$conn)
{
//print error message, the echo command support html encodeing.
echo(’The connection to the database could not be established!’);
die(’The connection to the database could not be established!’);
}
else
{
// select the database which you wish to opereate
mysql_select_db($dbName);

}

// other variable
$loginSuccess = “phpMembersArea.php”;
$RegisterSuccess = “phpRegister.php?op=thanks”;
$loginRequired = “phpLogin.php?op=loginFirst”;
$timeout = 3600;
$authenticatioMethod = “cookie”;

function CheckLogin() {

// fucntion that checks if some is logged in or not
global $authenticatioMethod;
if (strcmp($authenticatioMethod ,”cookie”) == 0)//we have choosen to use cookies
{

if (!isset($_COOKIE["login"]))
{
return null;
}
else
{
return $_COOKIE["login"];

}
}
else// we are using session based authentication
{
if (!$_Session["userID"] || $_Session["valid_expire_time"] < time())
{
$_Session["userID"]  = null;
$_Session["valid_expire_time"] = time()-1;
session_destroy();
return null;
}
else
{
return $_Session["userID"];
}
}
return null;
}
function RedirectTo($url)
{
//I have to use this function because the php function header can only be called
// if no output has been sent
// this solution uses java scripts so beware
echo(’<script type=”text/javascript”> document.location = ”.$url.”; </script>’);
}
?>

Step 3:

Create a Registeration Page.

I provide a simple registeration page, where you can enter two fields, username and password.

//phpRegister.php
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<form action=”?op=register” method=”POST”>
Username: <input name=”userID” MAXLENGTH=”16″><br />
Password: <input type=”password” name=”password” MAXLENGTH=”16″><br />
<input type=”submit”>
</form>
<?php
// first we include the dbconfig file
// note that we do not need to open the connection
// when the file is included and this page is loaded, the code is automatically executed
echo(’hello’);
include (”dbConfig.php”);

/*

• Here is the plan of action, this is the page that contains the registeration form
• also this is the page that will connect to the database and execute the insert query
• so we need to know if the page is being run from a
• /

// we suppose that a variable named op would be passed with a value
// register if there is a registeration request.
if ($_GET["op"] == “register”)
{

if (!($userID = $_POST["userID"]) )
{
echo(’UserName field is missing!’);
}
else if (!($password = $_POST["password"]))
{
echo(’Password field is missing!’);
}

$query = “INSERT INTO `USERSTABLE` VALUES( ‘”.$_POST["userID"].”‘, Password(’”.$_POST["password"].”‘))”;
//note that my sql requires the password filed to be casted
// also note that . is the string concatenation operator
// also not the “ around the table name

$result = mysql_query($query, $conn);
//you can also redirect to a different page

if (!$result )
{
// make sure that the user was inserted
echo(’<br><h2>The user could not be inserted<br>’);
echo(’The error cant be displayed</h2>’);
}
else
{

REdirectTo($RegisterSuccess);
}

}
else if ($_GET["op"] == “thanks”)
{
echo(’<br><h2>The user was added successfully!</h2>’);
}
//The web form for input ability

?>
</body>
</html>

After this step you have successfully created a user account. All you need to do now is to create a login page.

Step 4:

The plan of action for our login page is that we pass it an query string argument, ‘op’ that dictates what the page does. If the value of this variable is ‘login’ the page gets the POST information and tries to login.

//phpLogin.php

<?php
include (’dbConfig.php’);
if ($_GET["op"] == “login”)//check if this is a login request
{
$query = “Select * from `userstable` where `userName`=’”.$_POST["userID"].”‘ AND `password`=Password(’”.$_POST["password"].”‘) “;

$result = mysql_query($query, $conn);
$obj = @mysql_fetch_object($result);
if ($obj)
{
// means sucessful login
$loginSucessful = 1;
//create session variables
// i will create both a login cookie
// and session variables
// and show how to use both for authentication

$_SESSION["valid_userID"] = $_POST["userID"];
$_SESSION["valide_time"] = time();
$_SESSION["valid_expire_time"] = time()+$timeout;

//set the cookies
//i create a cookie where i set the cookie information to the user name
// the userID can be encrypted also for better security.
setcookie(”login”, $_POST["userID"], time()+$timeout);

// create a cookie
}
else
{
$loginSucessful = 0;
}

if ($loginSucessful == 1)
{
//login has succeeded proceed to members area
if ($_GET["referrer"] )
{
// if we were sent to the login page due to some request of a members area page
// go to that page
RedirectTo($_POST["referrer"]);
}
else
{
RedirectTo($loginSuccess);
}
}
else
{
echo(’<br><h2>Login Information is not correct<br>’.$_POST["userID"].’ does not exist or password is incorrect</h2>’);
}
}
else if($_GET["op"] == “loginFirst”)
{
echo(’<br><h2>You must login first.</h2>’);
}
?>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<?php echo(” <form action=”?op=login” method=”POST”>”); ?>
<table>
<tr>
<td>
UserID:
</td>
<td>
<input type = “text” name=”userID” maxlength=”16″></td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type = “password” name=”password” maxlength=”16″></td>
</tr>
<tr>
<td>

</td>
<td>
<input type =”submit” name=”subit” maxlength=”16″></td>
</tr>
</table>
</form>

</body>
</html>

Caution: There must be nothing before the ‘<php’ at the start of the page, if there is something the cookie would not be created. It took me some time to figure this out. Keeping this in mind can save a lot of time. Even an empty line or a space can mess things up.

PS: When a members area page is accessed without being logged in, the page redirects to the login page giving it a ‘referrer’ argument. I however could not make it work, if anyone can help please look at:

<?php echo(” <form action=”?op=login” method=”POST”>”); ?>

I was trying to replace this with

<?php echo(” <form action=”?op=login&referrer=” . $_GET["referrer"]  . “” method=”POST”>”); ?>

However, whenever there was a valid referrer the username and password is not verified, the page works fine otherwise.

Step 5:

The members area page.

//phpMembersArea.php

<?php
session_start();
include (’dbConfig.php’);
$loggedInUser = CheckLogin();
if (!$loggedInUser)// no one is logged in
{
echo(’You are not logged in’);
RedirectTo(”phpLogin.php?referrer=phpMembersArea.php”);
}
else
{
echo(’<h2>Welcome ‘.$loggedInUser.’!</h2><br>’);
}
?>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<h1>This is the members area</h1>
<br>
<br>
<a href = “phpLogout.php”>Logout</a>
<?php

?>
</body>
</html>

The page calls the CheckLogin() function defined in the dbConfig.php. This function checks the cookie or the session variable for login information. If this information is found the login proceeds otherwise the user is redirected to the login page.

Step 6:

The logout page simply deletes the cookie and the session.

//phpLogout.php

<?php
setcookie(”login”, “”, time()-100);
include (’DbConfig.php’);

RedirectTo(”index.php”);
?>
<!–
To change this template, choose Tools | Templates
and open the template in the editor.
–>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
</body>
</html>

And there you go, you are done.

Share on Facebook

Although I assume a basic knowledge of what cookies and sessions are, we start with a quick review.

“HTTP cookies, more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a Web clientbrowser) and then sent back unchanged by client each time it accesses that server. HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. The term “cookie” is derived from “magic cookie,” a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies. Some alternatives to cookies exist, but each has its own uses, advantages, and drawbacks.” (usually a

– Wikipedia (http://en.wikipedia.org/wiki/HTTP_cookie)

“In computer science, in particular networking, a session is a semi-permanent interactive information exchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and torn down at a later point in time. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

…

HTTP sessions, which may allow dynamic web pages, i.e. interactive web pages, as opposed to static web pages.”

–Wikipedia (http://en.wikipedia.org/wiki/Session_(computer_science))

“Server side web sessions

Server-side sessions are handy and efficient, but can become difficult to handle in conjunction with load-balancing/high-availability systems and are not usable at all in embedded systems with no storage. The load-balancing problem can be solved by using shared storage or by applying forced peering between each client and a single server in the cluster, although this can compromise system efficiency and load distribution.

A method of using server-side sessions in systems without mass-storage is to reserve a portion of RAM for storage of session data. This method is applicable for servers with a limited number of clients (e.g. router or access point with infrequent or disallowed access to more than one client at a time).

In the two scenarios above, using client-side sessions could provide advantages over server-side sessions: in the first case by removing the limitations applied to load-balancing algorithms (which usually translates to load distribution optimisation), and in the second case by allowing the use of sessions in web applications when server disk space or RAM is not available or sufficient for this storage.”

–Wikipedia (http://en.wikipedia.org/wiki/Session_(computer_science))

Now that we have enough insight into what server side and user side security and session maintenance means, we can get down to the business of comparing the two. As it is evident up to here that the server side security (web sessions) are far more secure. There is no information that can be changed by the user, unless of course your server is hacked but then “…you have a bigger fish to fry…”, log in sessions would be the leasat of your worries. The drawback however is that the server must maintain all the information of the sessions, that too in the RAM. This can be a considerable over head for the server, not to mention can degrade performance to a great extent and may even cause the server to run out of memory. On the other hand if the session variables are to be maintained jointly on the user system and the server, this over head is avoided. The problem however is that ’smart’ users can control what cookies they send, thereby compromising security. Forging cookies is the most common way the user accounts are hacked. I sill remember the enormous number of articles on the internet regarding hacking hotmail account using cookies till hotmail solved the problem*.

Cookie based security is the most widely used these days and seems to be the clear ‘practical’ winner in the face off. However, it clearly is less secure. So I put up these questions as some food for thought.

Since the main problem with server side security is that of memory use over head. What if web languages like PHP, C# etc provide a way to store the session information on permanent storage and implement a simple ‘cache’ like system to keep only the recently used information in the RAM (Though I would suggest that the recently used information be dicarded to permanent storage if needed). This would make the server a little slower but would surely be far more secure.

PS: * How did hotmail solve the problem?

Share on Facebook