
Building Secure Applications using Membership and Role Management with Visual Studio 2005 and ASP.NET 2.0

Building Secure Applications using Membership and Role Management with Visual Studio 2005 and ASP.NET 2.0. Agenda. Membership Service. Membership Schema. Controls. Login. LoginStatus. LoginView. Other Login Controls. Membership API. Membership. MembershipUser. Membership Providers.


Presentation Transcript


  1. Building Secure Applications using Membership and Role Management with Visual Studio 2005 and ASP.NET 2.0

  2. Agenda

  3. Membership Service

  4. Membership Schema
     - Controls: Login, LoginStatus, LoginView, Other Login Controls
     - Membership API: Membership, MembershipUser
     - Membership Providers: SqlMembershipProvider, Other Membership Providers
     - Membership Data: SQL Server, Other Data Stores

  5. The Membership Class

  6. Key Membership Methods

     Name              Description
     CreateUser        Adds a user to the membership data store
     DeleteUser        Removes a user from the membership data store
     GeneratePassword  Generates a random password of a specified length
     GetAllUsers       Retrieves a collection of MembershipUser objects representing all currently registered users
     GetUser           Retrieves a MembershipUser object representing a user
     UpdateUser        Updates information for a specified user
     ValidateUser      Validates logins based on user names and passwords

  7. Creating New Users

     try
     {
         Membership.CreateUser ("Jeff", "imbatman", "jeff@microsoft.com");
     }
     catch (MembershipCreateUserException e)
     {
         // Find out why CreateUser failed
         switch (e.StatusCode)
         {
             case MembershipCreateStatus.DuplicateUsername:
                 // ...
                 break;
             case MembershipCreateStatus.DuplicateEmail:
                 // ...
                 break;
             case MembershipCreateStatus.InvalidPassword:
                 // ...
                 break;
             default:
                 // ...
                 break;
         }
     }

  8. Validating Logins

     if (Membership.ValidateUser (UserName.Text, Password.Text))
         FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);

  9. The MembershipUser Class

  10. Key MembershipUser Properties

     Name                     Description
     Comment                  Storage for user-defined data
     CreationDate             Date user was added to the membership data store
     Email                    User's e-mail address
     LastLoginDate            Date user last logged in successfully
     LastPasswordChangedDate  Date user's password was last changed
     UserId                   Unique user ID generated by membership provider
     UserName                 User's registered user name

  11. Key MembershipUser Methods

     Name                             Description
     ChangePassword                   Changes user's password
     ChangePasswordQuestionAndAnswer  Changes question and answer used for password recovery
     GetPassword*                     Retrieves a password
     ResetPassword                    Resets a password by setting it to a new random password

  12. Suspending Login Privileges

     if (Membership.ValidateUser (UserName.Text, Password.Text))
     {
         MembershipUser user = Membership.GetUser (UserName.Text);
         user.Comment = "0"; // Reset the count of failed login attempts
         Membership.UpdateUser (user); // Changes to a MembershipUser are not saved until UpdateUser is called
         FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);
     }
     else
     {
         MembershipUser user = Membership.GetUser (UserName.Text);
         if (user != null)
         {
             // Get a count of consecutive failed login attempts
             // (Comment is empty for a user who has never failed a login, so parse defensively)
             int count;
             if (!int.TryParse (user.Comment, out count))
                 count = 0;
             count++;
             // If the count equals or exceeds 5, suspend login privileges
             if (count >= 5)
                 user.IsApproved = false;
             // Update the count of consecutive failed login attempts
             user.Comment = count.ToString ();
             Membership.UpdateUser (user);
         }
     }
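Slide 12 keeps its own failed-login counter in the Comment field. The example below is added here and is not from the slide deck: it leans on the lockout that SqlMembershipProvider already implements (configured through the provider's maxInvalidPasswordAttempts and passwordAttemptWindow attributes) and returns one failure message regardless of cause, so the login page does not reveal which user names exist. It assumes the page has UserName, Password and RememberMe controls, a Label named Message, and an "Administrators" role; all of those names are assumptions.

```csharp
// Added example, not from the slides. Assumes the provider is configured with
// maxInvalidPasswordAttempts / passwordAttemptWindow, and that the page declares
// UserName, Password, RememberMe and a Label "Message" (assumed control names).
using System;
using System.Diagnostics;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    protected void LoginButton_Click (object sender, EventArgs e)
    {
        // ValidateUser lets the provider count failures; once the count reaches
        // MaxInvalidPasswordAttempts inside PasswordAttemptWindow, IsLockedOut becomes true
        // and ValidateUser keeps failing until the account is unlocked.
        if (Membership.ValidateUser (UserName.Text, Password.Text))
        {
            FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);
            return;
        }

        // Same text for "no such user", "wrong password" and "locked out": distinct
        // messages would let a caller confirm which account names are valid.
        Message.Text = "Login failed. Check your user name and password, or contact an administrator.";

        // Second argument false: do not update LastActivityDate for a failed attempt.
        MembershipUser user = Membership.GetUser (UserName.Text, false);
        if (user != null && user.IsLockedOut)
        {
            // Record the lockout server-side for the operations team; nothing goes to the client.
            Trace.TraceWarning ("Account {0} locked out since {1:u}", user.UserName, user.LastLockoutDate);
        }
    }

    // Administrative unlock: UnlockUser clears IsLockedOut and the provider's failure counters.
    // Only a member of the (assumed) Administrators role may call it.
    public static bool UnlockAccount (string userName)
    {
        if (!Roles.IsUserInRole ("Administrators"))
            return false;
        MembershipUser user = Membership.GetUser (userName, false);
        return user != null && user.IsLockedOut && user.UnlockUser ();
    }
}
```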

  13. Membership Providers

  14. Provider Configuration

  15. Changing Provider Settings

     <membership>
       <providers>
         <remove name="AspNetSqlProvider" />
         <add name="AspNetSqlProvider"
              type="System.Web.Security.SqlMembershipProvider, System.Web, ..."
              connectionStringName="RemoteSqlServer"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="false"
              applicationName="/"
              requiresUniqueEmail="false"
              passwordFormat="Hashed"
              description="Stores and retrieves membership data ..." />
       </providers>
     </membership>
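Provider settings are only as good as the web.config that ships to production. The following startup check is an added example, not code from the slides or from ASP.NET itself: it reads the configured provider through the abstract MembershipProvider properties and refuses to start if the settings are weaker than the ones on slide 15. The thresholds (password length 8, at most 10 invalid attempts) are assumptions chosen for the example; the Global class placement in Global.asax.cs is also assumed.

```csharp
// Added example, not from the slides. Checks the active membership provider at
// application start and throws if a weak setting slipped into web.config.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Returns one finding per weak setting; an empty list means the provider passes.
    public static List<string> CheckMembershipPolicy (MembershipProvider p)
    {
        List<string> findings = new List<string> ();

        if (p.PasswordFormat == MembershipPasswordFormat.Clear)
            findings.Add ("passwordFormat=\"Clear\" stores passwords in plaintext; use \"Hashed\"");

        if (p.EnablePasswordRetrieval)
            findings.Add ("enablePasswordRetrieval=\"true\" lets stored passwords be read back; set \"false\"");

        // Assumed thresholds for this example.
        if (p.MaxInvalidPasswordAttempts > 10)
            findings.Add ("maxInvalidPasswordAttempts above 10: lockout will rarely trigger");

        if (p.MinRequiredPasswordLength < 8)
            findings.Add ("minRequiredPasswordLength below 8");

        // With reset enabled and no question/answer, a reset can be triggered with
        // nothing but a user name (the slide's own configuration has this combination).
        if (p.EnablePasswordReset && !p.RequiresQuestionAndAnswer)
            findings.Add ("enablePasswordReset without requiresQuestionAndAnswer");

        return findings;
    }

    protected void Application_Start (object sender, EventArgs e)
    {
        List<string> findings = CheckMembershipPolicy (Membership.Provider);
        if (findings.Count > 0)
            throw new InvalidOperationException (
                "Membership configuration is unsafe: " + string.Join ("; ", findings.ToArray ()));
    }
}
```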

  16. Membership

  17. Login Controls

     Control           Description
     ChangePassword    UI for changing passwords
     CreateUserWizard  UI for creating new user accounts
     Login             UI for entering and validating user names and passwords
     LoginName         Displays authenticated user names
     LoginStatus       UI for logging in and logging out
     LoginView         Displays different views based on login status and roles
     PasswordRecovery  UI for recovering forgotten passwords

  18. The Login Control

  19. Using the Login Control

     <html>
       <body>
         <form runat="server">
           <asp:Login RunAt="server" />
         </form>
       </body>
     </html>

  20. Customizing the Login Control

     <asp:Login ID="LoginControl" RunAt="server"
       CreateUserText="Create new account"
       CreateUserUrl="CreateUser.aspx"
       DisplayRememberMe="false"
       PasswordRecoveryText="Forgotten your password?"
       PasswordRecoveryUrl="RecoverPassword.aspx"
       SubmitButtonText="Do It!"
       TitleText="Please Log In" />

  21. Login Control Events

     Name          Description
     Authenticate  Fired when the user clicks the Log In button. Purpose: to authenticate the user by validating his or her login credentials
     LoggedIn      Fired following a successful login
     LoggingIn     Fired when the user clicks the Log In button. Purpose: to prevalidate login credentials (e.g., make sure e-mail address is well-formed)
     LoginError    Fired when an attempted login fails

  22. Validating Credential Formats

     <asp:Login ID="LoginControl" RunAt="server"
       OnLoggingIn="OnValidateCredentials" ... />
     . . .
     <script language="C#" runat="server">
     // LoggingIn passes a LoginCancelEventArgs (System.Web.UI.WebControls)
     void OnValidateCredentials (Object sender, LoginCancelEventArgs e)
     {
         // The patterns are anchored so the whole value must match; without ^ and $
         // any string containing a 6- or 8-character alphanumeric run would pass
         if (!Regex.IsMatch (LoginControl.UserName, "^[a-zA-Z0-9]{6,}$") ||
             !Regex.IsMatch (LoginControl.Password, "^[a-zA-Z0-9]{8,}$"))
         {
             LoginControl.InstructionText = "User names and passwords " +
                 "must contain letters and numbers only and must be at " +
                 "least 6 and 8 characters long, respectively";
             e.Cancel = true;
         }
     }
     </script>

  23. Layout Templates

     <asp:Login RunAt="server">
       <LayoutTemplate>
         ...
       </LayoutTemplate>
     </asp:Login>

  24. Login Controls

  25. Role Management Service

  26. Role Management Schema
     - Controls: Login, LoginStatus, LoginView, Other Login Controls
     - Roles API: Roles
     - Role Providers: SqlRoleProvider, Other Role Providers
     - Roles Data: SQL Server, Other Data Stores

  27. The Roles Class

  28. Key Roles Methods

     Name                Description
     AddUserToRole       Adds a user to a role
     CreateRole          Creates a new role
     DeleteRole          Deletes an existing role
     GetRolesForUser     Gets a collection of roles to which a user belongs
     GetUsersInRole      Gets a collection of users belonging to a specified role
     IsUserInRole        Indicates whether a user belongs to a specified role
     RemoveUserFromRole  Removes a user from the specified role

  29. Creating a New Role

     if (!Roles.RoleExists ("Developers"))
     {
         Roles.CreateRole ("Developers");
     }

  30. Adding a User to a Role

     // Membership.GetUser () with no arguments returns the currently logged-in user;
     // the property is UserName (capital N)
     string name = Membership.GetUser ().UserName;
     Roles.AddUserToRole (name, "Developers");

  31. Enabling the Role Manager

     <configuration>
       <system.web>
         <roleManager enabled="true" />
       </system.web>
     </configuration>

  32. Role Caching

  33. Enabling Role Caching

     <configuration>
       <system.web>
         <roleManager enabled="true" cacheRolesInCookie="true" />
         <!--
           Other roleManager attributes (and their defaults) include:
             cookieName=".ASPXROLES"            Cookie name
             cookieTimeout="30"                 Cookie lifetime
             cookiePath="/"                     Cookie path
             cookieRequireSSL="false"           Restrict cookie to SSL?
             cookieSlidingExpiration="true"     Renew expiring cookies?
             createPersistentCookie="false"     Issue persistent cookie?
             cookieProtection="All"             Cookie protection level
         -->
       </system.web>
     </configuration>
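With cacheRolesInCookie="true", role checks are answered from the .ASPXROLES cookie until it expires, so a role removal is not seen by that user's browser until the cookie is refreshed. The following helper is an added example, not from the slides: it removes the signed-in user from a role and then calls Roles.DeleteCookie so the next request re-reads roles from the provider. The class and method names are assumptions.

```csharp
// Added example, not from the slides. Demonstrates the caching caveat of slide 33:
// after changing a user's roles, drop the role cookie so the stale cached list is
// not used for the remainder of cookieTimeout.
using System.Web.Security;

public static class RoleAdmin
{
    // Removes the currently logged-in user from roleName and discards the cached
    // role cookie. Returns true if the user was actually a member of the role.
    public static bool RemoveCurrentUserFromRole (string roleName)
    {
        MembershipUser current = Membership.GetUser ();
        if (current == null)
            return false;               // no authenticated user on this request

        string name = current.UserName;
        // Roles.IsUserInRole(name, role) for the current user may itself be served
        // from the cookie; RoleExists and the provider are consulted for the removal.
        if (!Roles.RoleExists (roleName) || !Roles.IsUserInRole (name, roleName))
            return false;

        Roles.RemoveUserFromRole (name, roleName);

        // Only this user's cookie is cleared. Other users keep their cached roles
        // until cookieTimeout elapses, so keep that window short for sensitive roles.
        Roles.DeleteCookie ();
        return true;
    }
}
```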

  34. Role Management Providers

  35. Role Management
