Most Web applications need access control: they let users sign up, log in and log out, and some pages or functions must be reserved for particular users. Web application security, in this sense, is the mechanism that controls access to all or part of a site.
Beginning with ASP.NET 2.0, the Membership API was added to simplify adding such security to a Web application. Find out how to use the Membership API with a SQL Server backend.
Prior to version 2.0, ASP.NET let developers secure a site with Windows authentication or with a forms-based model. The drawback of both is the amount of development work needed to get them working: forms authentication only issues and checks the authentication ticket, so storing users, validating credentials and managing passwords all had to be written by hand.
ASP.NET 2.0 adds the Membership API, which sits on top of forms authentication and takes over where it ends: it stores and validates users and lets you create, delete and edit user properties. It ships with two standard Membership providers, one that integrates with Active Directory (ActiveDirectoryMembershipProvider) and one that uses a SQL Server backend (SqlMembershipProvider). You may develop a custom provider to use with the Membership API as well.
The Membership API is exposed through the static Membership class in the System.Web.Security namespace. It offers the following methods for working with site users:
- CreateUser: Creates a new user. The overloads with an out MembershipCreateStatus parameter report failures (duplicate name, rejected password and so on) through that status rather than by throwing.
- DeleteUser: Deletes a user.
- FindUsersByEmail: Finds users whose e-mail address matches the supplied value.
- FindUsersByName: Finds users whose username matches the supplied value (the SQL provider treats it as a LIKE pattern, so % and _ act as wildcards).
- GeneratePassword: Generates a random password of a given length containing at least a given number of non-alphanumeric characters.
- GetAllUsers: Returns all users.
- GetNumberOfUsersOnline: Returns the number of users considered online, that is, those active within the provider's userIsOnlineTimeWindow.
- GetUser: Returns a user by username (or, with no arguments, the currently authenticated user).
- GetUserNameByEmail: Returns the username associated with an e-mail address.
- UpdateUser: Saves changes to a user.
- ValidateUser: Checks a username and password against the store and returns true or false. It verifies the credentials only; it does not log the user on. The forms-authentication ticket is issued separately by FormsAuthentication.SetAuthCookie or RedirectFromLoginPage (the Login control does this for you).
These methods cover the user-management side of basic site security; forms authentication still issues and checks the ticket, and authorization rules still decide which pages require it.
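As an added example (this is not code from the article), the following C# helper shows the Membership calls a registration and login page needs, including the point the list above makes: ValidateUser checks the password, and only FormsAuthentication logs the user on. It assumes a web.config with forms authentication and a SqlMembershipProvider configured as the default provider; the AccountService class and its method names are placeholders.

```csharp
// Added example, not code from the original article. Assumes
// <authentication mode="Forms" /> and a SqlMembershipProvider as the
// default provider in web.config; class and method names are placeholders.
using System;
using System.Web.Security;

public static class AccountService
{
    // Creates the user and returns the status instead of assuming success:
    // with this overload CreateUser does not throw for a rejected username,
    // a weak password or a duplicate e-mail, it only sets the status value.
    public static MembershipCreateStatus Register(
        string userName, string password, string email,
        string passwordQuestion, string passwordAnswer)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email,
                              passwordQuestion, passwordAnswer,
                              true,            // isApproved: usable immediately
                              out status);
        return status;
    }

    // Maps a status to a message for the UI. DuplicateUserName and
    // DuplicateEmail unavoidably reveal that an account exists; a site that
    // must hide that needs a different registration flow (for example,
    // confirming by e-mail rather than reporting on the page).
    public static string DescribeStatus(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.Success:
                return null;
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the length or complexity rules.";
            case MembershipCreateStatus.DuplicateUserName:
                return "That username is already taken.";
            case MembershipCreateStatus.DuplicateEmail:
                return "That e-mail address is already registered.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "A password question and answer are required.";
            default:
                return "The account could not be created.";
        }
    }

    // ValidateUser only checks the credentials (and, with the SQL provider,
    // counts a failure toward maxInvalidPasswordAttempts). Nobody is logged
    // on until FormsAuthentication writes the ticket cookie.
    public static bool SignIn(string userName, string password, bool persistent)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            // Return one generic failure for unknown user, wrong password and
            // locked-out account so the page does not enumerate users.
            return false;
        }
        FormsAuthentication.SetAuthCookie(userName, persistent);
        return true;
    }

    public static void SignOut()
    {
        FormsAuthentication.SignOut();   // removes the ticket cookie
    }

    // Password changes go through the MembershipUser object and require the
    // current password. A locked-out user cannot change a password until an
    // administrator calls UnlockUser() on the same object.
    public static bool ChangePassword(string userName, string oldPassword, string newPassword)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null || user.IsLockedOut)
            return false;
        return user.ChangePassword(oldPassword, newPassword);
    }
}
```

The provider reads its rules (password length, complexity, lockout threshold and window) from the membership element in web.config, so the helper itself contains no policy; tightening the policy is a configuration change, not a code change.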
Using SQL Server as the backend data store
The SqlMembershipProvider is the default Membership provider; however, the database it points at must be prepared before it will work. The .NET Framework includes a command-line tool (aspnet_regsql.exe) for adding the necessary database objects. The tool is available in this default directory:
When this tool runs without command-line parameters, a wizard guides you through setup (the same steps can be scripted with switches such as -S for the server, -E or -U/-P for the credentials, -d for the database and -A m for the membership feature). Basically, you choose the database server and the database to use. Then, a number of tables, views and stored procedures are added to the database; these are used by the Membership API. The tool also creates database roles such as aspnet_Membership_FullAccess. Run the tool itself with an account that may alter the schema, but make the login the Web application will use a member of one of those roles rather than db_owner, so a compromised application cannot modify the objects it authenticates against.
With the database set up, you may use it in your code as the data provider for membership services. The database connection string and the membership settings are configured in the application's web.config file.
The database connection string is defined in the connectionStrings element. The following example connects to an instance of SQL Server 2005 using SQL Server authentication (a login name and password stored in the file):
<connectionStrings>
<add name="Test" connectionString="Data Source=TestServer;User ID=Chester;Password=Tester;Initial Catalog=MembershipTest;"/>
</connectionStrings>
Two cautions apply. The login should have only the rights the provider needs (the aspnet_Membership_FullAccess role created by aspnet_regsql), not sa or db_owner. And because the password sits in clear text in web.config, either use Windows authentication (Integrated Security=True) for the connection or encrypt the section before deployment with aspnet_regiis -pe "connectionStrings".
Other sections are added to enable the Membership API. First, the authentication element (contained in the system.web element) has its mode set to Forms. Next, the membership element is added (under system.web). It contains the providers element, and the provider's connectionStringName attribute refers to the database connection string by the name assigned in connectionStrings (Test in my example).
<authentication mode="Forms" />
(To conserve space, this snippet only contains a portion of the complete web.config.)
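For reference, the following is an added example rather than the article's own abbreviated web.config: it shows the complete set of elements the text describes, together with the settings a security review would expect to see. The connection string name Test is taken from the article; the provider name SqlProvider, the applicationName and the page names are assumed.

```xml
<!-- Added example, not the article's own snippet. The connection string name
     "Test" comes from the article; "SqlProvider", the applicationName and the
     page names are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Windows authentication: no password stored in the file. -->
    <add name="Test"
         connectionString="Data Source=TestServer;Initial Catalog=MembershipTest;Integrated Security=True;" />
  </connectionStrings>
  <system.web>
    <!-- requireSSL keeps the ticket cookie off plain HTTP; the cookie is HttpOnly by default. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="true" slidingExpiration="true" timeout="30" />
    </authentication>
    <!-- Membership alone protects nothing: authorization rules decide what needs a ticket. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="Test"
             applicationName="/MembershipTest"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
  <!-- Anonymous users must still be able to reach the login and registration pages. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two settings worth calling out are passwordFormat="Hashed", which stores a salted hash rather than a recoverable password and is what makes enablePasswordRetrieval="false" the consistent choice, and the <clear /> element, which drops the inherited AspNetSqlMembershipProvider from machine.config so the application cannot silently fall back to the LocalSqlServer database.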
With the database and the configuration in place, the provider can be used in an application.
Combining with Login controls
A great aspect of the Membership API is that the Login controls available within Visual Studio 2005/2008 are designed to work with it. You can easily drop one of the controls on an ASP.NET Web Form and tie it to a membership provider defined in the web.config file. These login controls include the following:
- Login: Provides username and password textboxes for user logon. An error message is displayed if the logon fails. The control calls ValidateUser to check the credentials against the database and, on success, issues the forms-authentication cookie and redirects.
- LoginView: Reads the user's login status and displays different content (defined in templates inside the control) depending on whether the user is anonymous or logged in; role-specific templates are also supported.
- PasswordRecovery: Retrieves or resets a user's password based on their username and the stored question and answer, then e-mails the result. Retrieving the existing password only works when passwordFormat is Clear or Encrypted and enablePasswordRetrieval is true; with Hashed passwords the control can only reset to a new random password, which is the safer configuration.
- LoginStatus: Detects the user's authentication status and displays the appropriate login or logout link.
- LoginName: Displays the currently authenticated user's name on the page. Nothing is displayed if the user is not logged on.
- CreateUserWizard: Provides an interface for registering a user on the site. By default, it collects a username, password, e-mail address and a password question and answer (the pair PasswordRecovery later uses). It can be extended with more fields and steps within the process.
- ChangePassword: Allows the user to change their current password; the current password must be supplied.
As an example, the following code snippet shows how the CreateUserWizard control may be used on an ASP.NET Web Form. The MembershipProvider attribute is set to the name assigned to the provider in our web.config file.
The WizardSteps element lets you customize the steps in the registration process; in the following example that is done with the message displayed upon successful registration (the asp:CompleteWizardStep element). You may define additional steps as well.
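Since the page reproduces the snippet only in prose, here is an added example of the markup just described; it is not the article's own code. It assumes a provider named SqlProvider in web.config; the page and control IDs are placeholders.

```aspx
<%-- Added example, not the article's own snippet. "SqlProvider" is assumed
     to be the provider name declared in web.config; IDs are placeholders. --%>
<%@ Page Language="C#" %>
<!DOCTYPE html>
<html>
<body>
  <form id="form1" runat="server">
    <asp:CreateUserWizard ID="CreateUserWizard1" runat="server"
        MembershipProvider="SqlProvider"
        LoginCreatedUser="true"
        ContinueDestinationPageUrl="~/Default.aspx">
      <WizardSteps>
        <%-- The default step collects username, password, e-mail, question and answer. --%>
        <asp:CreateUserWizardStep runat="server" Title="Sign up" />
        <%-- A customized completion step with its own success message. The
             Continue button keeps the ID and CommandName the wizard expects. --%>
        <asp:CompleteWizardStep runat="server" Title="Done">
          <ContentTemplate>
            <p>Your account has been created. Press Continue to start using the site.</p>
            <asp:Button ID="ContinueButton" runat="server"
                CausesValidation="False" CommandName="Continue" Text="Continue" />
          </ContentTemplate>
        </asp:CompleteWizardStep>
      </WizardSteps>
    </asp:CreateUserWizard>
  </form>
</body>
</html>
```

Because the wizard creates accounts for anonymous visitors, a site that wants to vet registrations can set DisableCreatedUser="true" (and LoginCreatedUser="false") so the new account stays unusable until an administrator approves it; the password rules themselves come from the provider's configuration and cannot be loosened from the page.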
All of the controls are easily tied to a membership provider, so it's simple to use them in a Web application without writing code. Another good example is the LoginStatus control, which lets you set the text shown for each state: LoginText appears while the user is anonymous and LogoutText once the user is logged in.
<asp:LoginStatus ID="LoginStatus1" runat="server" LoginText="Log in" LogoutText="Log out" />
Easily secure your application
One of the goals with new releases of the .NET Framework is to simplify common programming chores. Registration and logon are part of most Web applications, and the Membership API supplies the methods for that functionality; the same methods sit behind the Login controls available for use on ASP.NET Web Forms.
What ASP.NET 2.0 features simplify your projects? What features would you like to see added to ASP.NET? Share your thoughts with the Web Developer community.
Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.
Tony Patton has worn many hats over his 15+ years in the IT industry while witnessing many technologies come and go. He currently focuses on .NET and Web Development while trying to grasp the many facets of supporting such technologies in a production environment on a daily basis.