Building Secure Applications utilizing Membership and Role Management with Visual Studio 2005 and ASP.NET 2.0
Slide 2: Agenda

Slide 3: Membership Service

Slide 4: Membership Schema

Controls:              Login, LoginStatus, LoginView, Other Login Controls
Membership API:        Membership, MembershipUser
Membership Providers:  SqlMembershipProvider, Other Membership Providers
Membership Data:       SQL Server, Other Data Stores
Slide 5: The Membership Class

Slide 6: Key Membership Methods

Name              Description
CreateUser        Adds a user to the membership data store
DeleteUser        Removes a user from the membership data store
GeneratePassword  Generates a random password of a specified length
GetAllUsers       Retrieves a collection of MembershipUser objects representing all currently registered users
GetUser           Retrieves a MembershipUser object representing a user
UpdateUser        Updates information for a specified user
ValidateUser      Validates logins based on user names and passwords

Slide 7: Creating New Users

try {
    Membership.CreateUser ("Jeff", "imbatman", "jeff@microsoft.com");
}
catch (MembershipCreateUserException e) {
    // Find out why CreateUser failed
    switch (e.StatusCode) {
        case MembershipCreateStatus.DuplicateUserName: ...
        case MembershipCreateStatus.DuplicateEmail: ...
        case MembershipCreateStatus.InvalidPassword: ...
        default: ...
    }
}

Slide 8: Validating Logins

if (Membership.ValidateUser (UserName.Text, Password.Text))
    FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);
Slide 9: The MembershipUser Class

Slide 10: Key MembershipUser Properties

Name                     Description
Comment                  Storage for user-defined data
CreationDate             Date the user was added to the membership data store
Email                    User's email address
LastLoginDate            Date the user last logged in successfully
LastPasswordChangedDate  Date the user's password was last changed
UserId                   Unique user ID generated by the membership provider
UserName                 User's registered user name

Slide 11: Key MembershipUser Methods

Name                             Description
ChangePassword                   Changes the user's password
ChangePasswordQuestionAndAnswer  Changes the question and answer used for password recovery
GetPassword*                     Retrieves a password
ResetPassword                    Resets a password by setting it to a new random password

Slide 12: Suspending Login Privileges

if (Membership.ValidateUser (UserName.Text, Password.Text)) {
    MembershipUser user = Membership.GetUser (UserName.Text);
    user.Comment = "0"; // Reset the count of failed login attempts
    Membership.UpdateUser (user); // Persist the change to the data store
    FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);
}
else {
    MembershipUser user = Membership.GetUser (UserName.Text);
    if (user != null) {
        // Get the number of consecutive failed login attempts
        // (Comment is null or empty for a user that has never failed)
        int count;
        int.TryParse (user.Comment, out count);
        count++;
        // If the count equals or exceeds 5, suspend login privileges
        if (count >= 5)
            user.IsApproved = false;
        // Update the count of consecutive failed login attempts
        user.Comment = count.ToString ();
        Membership.UpdateUser (user); // Persist the change to the data store
    }
}
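The slide keeps its own failed-attempt counter in MembershipUser.Comment. As an added example (not code from the slides), this login handler instead relies on the lockout the SqlMembershipProvider already implements: it assumes the provider element in web.config carries maxInvalidPasswordAttempts="5" and passwordAttemptWindow="10" (minutes), and that UserName, Password, RememberMe and Message are controls on the page.

```csharp
// Added example: provider-driven lockout instead of a counter in Comment.
// Assumes web.config sets maxInvalidPasswordAttempts="5" and
// passwordAttemptWindow="10" on the SqlMembershipProvider.
using System;
using System.Diagnostics;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string name = UserName.Text.Trim();

        // ValidateUser returns false for a locked-out or unapproved account
        // even when the password is correct; on success the provider resets
        // its own failed-attempt counter.
        if (Membership.ValidateUser(name, Password.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(name, RememberMe.Checked);
            return;
        }

        // On failure the provider has already counted the attempt and locks
        // the account once maxInvalidPasswordAttempts is reached inside
        // passwordAttemptWindow. Record lockouts for monitoring, but show the
        // same message for every failure so the page does not reveal whether
        // the account exists or is locked.
        MembershipUser user = Membership.GetUser(name, false);
        if (user != null && user.IsLockedOut)
        {
            Trace.TraceWarning("Account {0} is locked out (last lockout {1:u})",
                               name, user.LastLockoutDate);
        }

        Message.Text = "Login failed.";
    }

    // Help-desk unlock; returns false when the user does not exist or is not locked.
    public static bool Unlock(string name)
    {
        MembershipUser user = Membership.GetUser(name, false);
        return user != null && user.IsLockedOut && user.UnlockUser();
    }
}
```

Unlike the Comment-based counter, the provider's lockout is enforced inside ValidateUser itself, so it also applies to the Login control and any other code path that validates credentials.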
Slide 13: Membership Providers

Slide 14: Provider Configuration

Slide 15: Changing Provider Settings

<membership>
  <providers>
    <remove name="AspNetSqlProvider"/>
    <add name="AspNetSqlProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, ..."
         connectionStringName="RemoteSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         description="Stores and retrieves membership data ..."/>
  </providers>
</membership>
Slide 16: Membership

Slide 17: Login Controls

Control           Description
ChangePassword    UI for changing passwords
CreateUserWizard  UI for creating new user accounts
Login             UI for entering and validating user names and passwords
LoginName         Displays authenticated user names
LoginStatus       UI for logging in and logging out
LoginView         Displays different views based on login status and roles
PasswordRecovery  UI for recovering forgotten passwords

Slide 18: The Login Control

Slide 19: Using the Login Control

<html>
  <body>
    <form runat="server">
      <asp:Login RunAt="server"/>
    </form>
  </body>
</html>

Slide 20: Customizing the Login Control

<asp:Login ID="LoginControl" RunAt="server"
  CreateUserText="Create new account"
  CreateUserUrl="CreateUser.aspx"
  DisplayRememberMe="false"
  PasswordRecoveryText="Forgotten your password?"
  PasswordRecoveryUrl="RecoverPassword.aspx"
  SubmitButtonText="Do It!"
  TitleText="Please Log In"/>

Slide 21: Login Control Events

Name          Description
Authenticate  Fired when the user clicks the Log In button. Purpose: to authenticate the user by validating his or her login credentials
LoggedIn      Fired after a successful login
LoggingIn     Fired when the user clicks the Log In button. Purpose: to prevalidate login credentials (e.g., make sure the email address is well formed)
LoginError    Fired when an attempted login fails

Slide 22: Validating Credential Formats

<%@ Import Namespace="System.ComponentModel" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>

<asp:Login ID="LoginControl" RunAt="server" OnLoggingIn="OnValidateCredentials" ... />
  . . .
<script language="C#" runat="server">
  void OnValidateCredentials (Object sender, CancelEventArgs e)
  {
      // The patterns are anchored with ^ and $; without the anchors any input
      // containing a run of six (or eight) alphanumerics would pass, and the
      // "letters and numbers only" rule would not actually be enforced
      if (!Regex.IsMatch (LoginControl.UserName, "^[a-zA-Z0-9]{6,}$") ||
          !Regex.IsMatch (LoginControl.Password, "^[a-zA-Z0-9]{8,}$")) {
          LoginControl.InstructionText = "User names and passwords " +
              "must contain letters and numbers only and must be at " +
              "least 6 and 8 characters in length, respectively";
          e.Cancel = true;
      }
  }
</script>

Slide 23: Layout Templates

<asp:Login RunAt="server">
  <LayoutTemplate>
    ...
  </LayoutTemplate>
</asp:Login>
Slide 24: Login Controls

Slide 25: Role Management Service

Slide 26: Role Management Schema

Controls:        Login, LoginStatus, LoginView, Other Login Controls
Roles API:       Roles
Role Providers:  SqlRoleProvider, Other Role Providers
Roles Data:      SQL Server, Other Data Stores

Slide 27: The Roles Class

Slide 28: Key Roles Methods

Name                Description
AddUserToRole       Adds a user to a role
CreateRole          Creates a new role
DeleteRole          Deletes an existing role
GetRolesForUser     Gets a collection of roles to which a user belongs
GetUsersInRole      Gets a collection of users belonging to a specified role
IsUserInRole        Indicates whether a user belongs to a specified role
RemoveUserFromRole  Removes a user from the specified role

Slide 29: Creating a New Role

if (!Roles.RoleExists ("Developers")) {
    Roles.CreateRole ("Developers");
}

Slide 30: Adding a User to a Role

string name = Membership.GetUser ().UserName;
Roles.AddUserToRole (name, "Developers");

Slide 31: Enabling the Role Manager

<configuration>
  <system.web>
    <roleManager enabled="true"/>
  </system.web>
</configuration>
Slide 32: Role Caching

Slide 33: Enabling Role Caching

<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="true"/>
    <!--
      Other roleManager properties (and their defaults) include:
      cookieName=".ASPXROLES"          Cookie name
      cookieTimeout="30"               Cookie lifetime (minutes)
      cookiePath="/"                   Cookie path
      cookieRequireSSL="false"         Restrict cookie to SSL?
      cookieSlidingExpiration="true"   Renew expiring cookies?
      createPersistentCookie="false"   Issue persistent cookie?
      cookieProtection="All"           Cookie protection level
    -->
  </system.web>
</configuration>
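The Roles API on slides 28 to 30 and the role cookie on slide 33 interact: with cacheRolesInCookie="true", a user's roles are read from the cookie for up to cookieTimeout minutes, so a role removal is not seen until the cookie expires. As an added example (not code from the slides), this helper guards a privileged action with a server-side role check and flushes the cached role cookie when the current user's own "Developers" membership is removed; the class and method names are assumptions.

```csharp
// Added example: deny-by-default role check plus a role removal that keeps
// the cached role cookie from going stale. Assumes the "Developers" role
// from the slides and roleManager enabled with cacheRolesInCookie="true".
using System;
using System.Web;
using System.Web.Security;

public static class DeveloperAccess
{
    const string Role = "Developers";

    // Runs the action only for an authenticated member of the role.
    public static bool TryRunDeveloperAction(Action action)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return false;

        // For the current user this consults the role cookie when present and
        // falls back to the role provider otherwise.
        if (!Roles.IsUserInRole(ctx.User.Identity.Name, Role))
            return false;

        action();
        return true;
    }

    public static void RemoveDeveloper(string userName)
    {
        if (!Roles.RoleExists(Role) || !Roles.IsUserInRole(userName, Role))
            return;

        Roles.RemoveUserFromRole(userName, Role);

        // The role cookie still lists the old roles until cookieTimeout elapses.
        // Roles.DeleteCookie() only affects the current request's user, so drop
        // it here when the user being removed is the one making the request.
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.User != null &&
            string.Equals(ctx.User.Identity.Name, userName, StringComparison.OrdinalIgnoreCase))
        {
            Roles.DeleteCookie();
        }
    }
}
```

For any other user the cached roles persist until the cookie expires, which is the reason to keep cookieTimeout short and cookieProtection="All" when role caching is enabled.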
Slide 34Role Management Providers
Slide 35Role Management