Wednesday 13 June 2012

Securing a web page from unauthorized access ASP.NET & C#

ASP.NET provides with the  feature of Login Control which helps you to easily build a user registration system for your website. This feature , Login control is used to display user registration forms, login forms, change password forms, and password reminder forms.
The Login controls use ASP.NET Membership(ASP.NET version 2.0 introduces a membership feature, which provides a consistent API for user credential storage and management) to authenticate users, create new users, and change user properties. When you use the Login controls, you are not required to write any code when performing these tasks.
We shall now  learn how to password-protect a section of our website and enable users to register and log in to our website.
The Login control supports the following properties:
  • Login Enables you to display a user login form.
  • CreateUserWizard Enables you to display a user registration form.
  • LoginStatus Enables you to display either a log in or log out link, depending on a user’s authentication status.
  • LoginName Enables you to display the current user’s registered username.
  • ChangePassword Enables you to display a form that allows users to change their passwords.
  • PasswordRecovery Enables you to display a form that allows users to receive an email containing their password.
  • LoginView Enables you to display different content to different users depending on the their authentication status or role.

    Steps:

1.To password-protect a page which is stored inside our secured folder , we need to make two configuration settings to our application and is to configure both authentication and authorization for the page's access.

2. Authentication:

This is the step 1 of  mission :)
By default, Windows authentication is enabled. To use the Login controls, you need to enable Forms authentication by adding the web configuration file of the root folder of our application.

3.Authorization:

By default, all users have access to all pages in an application. If you want to restrict access to the pages in a folder, you need to configure authorization for the folder.
we use two symbols to set the restrict the access to our secured page in the folder . they are as follows:
  1. <deny users="?"/>
  2. <deny users="*"/>
?-anonymous users are prevented from accessing any pages in the folder.Now if anyone attempts to request the secured page after adding the web configuration file (for authorization of the user, located inside the folder in which the secured page is stored), he will be redirected to a page for Login automatically. Therefore, the next page that we need to create is the page containing the login control we call it Login.aspx  page. (By default, this page must be located in the root of your application.)

4.Creating Login.aspx


<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Login</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

    <asp:Login
        id="Login1"
        CreateUserText="Register"
        CreateUserUrl="~/Register.aspx"
        Runat="server" />

    </div>
    </form>
</body>
</html>

5.Creating Register.aspx

The Login control includes a CreateUserText and CreateUserUrl property. Adding these properties to the Logincontrol causes the control to display a link to a page that enables a new user to register for your application. TheLogin control in links to a page named Register.aspx.

The Register.aspx page contains a CreateUserWizard control. This control automatically generates a user registration form. After you submit the form, a new user is created, and you are redirected back to the secured page.

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Register</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

    <asp:CreateUserWizard
        id="CreateUserWizard1"
        ContinueDestinationPageUrl="~/SecretFiles/Secret.aspx"
        Runat="server" />

    </div>
    </form>
</body>
</html>

Now lets do an Exercise:


Create a page with some content .secure this page so that authorized user is able to access your page to check the authorization of the user. Use login control for unregistered user to create a registration form using registration control and send confirmation mail to the user


The structure of  your project should look somewhat similar to image given below:

Note: I named my project EmailConfirmation(to avoid confusion) you can name it some thing else .


Secured.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="secured.aspx.cs" Inherits="secured_secured" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <h1>shhhhhh ! i am a secured form</h1>
    </div>
    </form>
</body>
</html>

//This web.config file come under your projects root folder.
Web.config
<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>

<system.net>
    <mailSettings>
      <smtp deliveryMethod="PickupDirectoryFromIis"/>
      </mailSettings>
  </system.net>

       <system.web>
              <compilation debug="true" targetFramework="4.0"/>
              <authentication mode="Forms">
                     <forms>
                           <credentials passwordFormat="Clear">
                                  <user name="ravi" password="kiran"/>
                           </credentials>
                     </forms>
              </authentication>
       </system.web>
</configuration>


Register.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Register.aspx.cs" Inherits="Register" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <asp:CreateUserWizard ID="createRegistration" ContinueDestinationPageUrl="~/secured/secured.aspx" runat="server">
    <MailDefinition BodyFileName="Register.txt" Subject="Registration Confirmation" From="Admin@YourSite.com"></MailDefinition>
    </asp:CreateUserWizard>
    </div>
    </form>
</body>
</html>

Login.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Login.aspx.cs" Inherits="Login" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <asp:Login ID="login1" CreateUserText="Register Me" CreateUserUrl="~/Register.aspx" onAuthenticate="login_authenticate" runat="server"></asp:Login>
    </div>
    </form>
</body>
</html>

Login.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void login_authenticate(object sender, AuthenticateEventArgs e)
    {
        string username = login1.UserName;
        string password = login1.Password;
        e.Authenticated = FormsAuthentication.Authenticate(username, password);
    }
}



//This web.config file is a part of the Secured folder.
Web.config

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
</configuration>



Register.txt
Thank you for registering !

Hope you have good experience with us !





I hope you find it usefull.:)

No comments:

Post a Comment