An In-Depth Look at ASP.NET Forms Authentication

xiaoxiao  2021-03-06

1. What Forms authentication protects

Forms authentication protects only files that are handled by ASP.NET: .aspx pages, .asmx web services and any other extension that IIS has mapped to ASP.NET. It does not protect files ASP.NET never sees, such as .htm or .html, because IIS serves unmapped extensions itself and the request never enters the ASP.NET pipeline. If such files do need to be covered, the extension has to be mapped to the ASP.NET ISAPI handler in IIS (or the application run under the IIS 7+ integrated pipeline, where every request passes through the ASP.NET modules); otherwise anyone who knows the URL can fetch them without logging in.

2. The location section of Web.config

With the location section you can set the scope of protection for the whole application from the root Web.config alone. Here is an example.

The location sections specify three different levels of protection: the application root, the secret directory, and secret/management.aspx, which gets a stricter level than the rest of secret.
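The post's own Web.config example did not survive; the fragment below is an added example written for this page, not the original file. It uses the paths secret/ and secret/management.aspx and the role name Manager that the text mentions; the login page name and timeout are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: three protection levels set from the root Web.config. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- login.aspx and the 30-minute timeout are assumed values -->
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>
    <!-- Level 1: the application root is open to everyone, anonymous users included. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Level 2: everything under secret/ requires an authenticated user ("?" = anonymous). -->
  <location path="secret">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Level 3: one page inside secret/ is limited to the Manager role.
       Rules are evaluated top to bottom and the first match wins, so the
       allow for the role must come before the deny for everyone. -->
  <location path="secret/management.aspx">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check: with only the level 2 rule, a logged-in user with role CODER can open secret/management.aspx; adding the level 3 section turns that request into a redirect to the login page, because the deny users="*" rule is reached for anyone not in Manager.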

3. Setting the lifetime of the authentication cookie yourself

The FormsAuthentication.SetAuthCookie(String, Boolean) method has a parameter that decides whether the authentication cookie is temporary (a session cookie) or persistent. If it is true the cookie is persistent and by default lives for 50 years (...), but the number can be changed in code, which makes a "remember me for ..." choice possible in many places. One caveat: setting Expires on the cookie only tells the browser when to discard it. The encrypted ticket inside the cookie still carries the 50-year expiry that SetAuthCookie wrote, so a copy of the cookie captured before the browser drops it is accepted by the server until the ticket itself expires. If the chosen lifetime is meant as a security limit, the ticket's own expiration has to be set to the same value.

    // Add an authentication credential for the user
    FormsAuthentication.SetAuthCookie(UserName.Text, true);

    // Get the authentication cookie. FormsAuthentication.FormsCookieName is the cookie's name;
    // the default is .ASPXAUTH and it can be changed in Web.config.
    HttpCookie coo = Response.Cookies[FormsAuthentication.FormsCookieName];

    // Change the cookie's expiry according to the choice the user made in the RadioButtonList.
    // TimeSpan(days, hours, minutes, seconds): (0, 0, 1, 0) is one minute.
    switch (Timeout.SelectedValue)
    {
        case "1":
            coo.Expires = DateTime.Now + new TimeSpan(0, 0, 1, 0);
            break;
        case "10":
            coo.Expires = DateTime.Now + new TimeSpan(0, 0, 10, 0);
            break;
        case "60":
            coo.Expires = DateTime.Now + new TimeSpan(0, 0, 60, 0);
            break;
        default:
            coo.Expires = DateTime.Now + new TimeSpan(0, 0, 1, 0);
            break;
    }

4. Getting user information

The question here is how to get the user name after Forms authentication. It is simple: use the User property of Page. The User property returns an IPrincipal object, and IPrincipal has an Identity property that gives the identity of the current user.

Page.User gets or sets the security information for the current HTTP request; HttpContext.User gives the same object and so provides programmatic access to the properties and methods of the IPrincipal interface.

The IPrincipal object represents the security context of the user on whose behalf the code is running, including the user's identity and the roles he belongs to.

    // IPrincipal.Identity properties
    Response.Output.Write(Page.User.Identity.Name + "<br>");
    Response.Output.Write(Page.User.Identity.AuthenticationType + "<br>");
    Response.Output.Write(Page.User.Identity.IsAuthenticated + "<br>");

    // IPrincipal.IsInRole method
    Response.Write(Page.User.IsInRole("Manager"));

5. Using roles

The authorization demonstrated in the location section is role-based. "Role" here is much like a role in MSSQL: a named bundle of permissions, for example only a user whose role is Manager may view secret/management.aspx.

The concrete steps are: add a Role field when defining the user and assign a role to it. Then, during authentication, attach the user's role to the user's credential, and finally let Web.config decide, from that role, whether the user is allowed to view a given page.

Note that the user data is assumed to be in the database here. The following code goes in Global.asax.cs.

    using System;
    using System.Configuration;
    using System.Data;
    using System.Data.SqlClient;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Get the current HttpApplication, which defines the objects, properties and events
        // shared by all application objects in an ASP.NET application
        HttpApplication app = (HttpApplication)sender;

        // Check that the user has been authenticated and that the authentication type is Forms
        if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
        {
            // Cast the current user's identity to FormsIdentity
            FormsIdentity fid = (FormsIdentity)app.User.Identity;

            // Look up this user's role
            string role = GetRole(fid.Name);

            // Attach the role to the current user by replacing the principal with a GenericPrincipal.
            // GenericPrincipal represents the current user together with the roles he belongs to.
            if (role != null)
                app.Context.User = new GenericPrincipal(fid, new string[] { role });
        }
    }

    // Look up the user's role in the database
    private string GetRole(string name)
    {
        string strConn = ConfigurationSettings.AppSettings[0];
        SqlConnection conn = new SqlConnection(strConn);
        string sql = "SELECT Role FROM Users WHERE UserName = @username";
        SqlCommand cmd = new SqlCommand(sql, conn);
        SqlParameter uname = new SqlParameter("@username", SqlDbType.VarChar, 50);
        uname.Value = name;
        cmd.Parameters.Add(uname);
        try
        {
            conn.Open();
            object role = cmd.ExecuteScalar();
            // ExecuteScalar returns null when there is no such user and DBNull when the Role column is NULL
            if (role == null || role is DBNull)
                return null;
            return (string)role;
        }
        catch (SqlException)
        {
            return null;
        }
        finally
        {
            conn.Close();
        }
    }

For example, take UserName: NOTUS / Password: WEI / ROLE: CODER. When this user logs in, Forms authentication runs; if it passes, the authentication credential is set, the Application_AuthenticateRequest event fires, and the role CODER is attached to the user there. The user can therefore open coo.aspx, because his role is CODER, and can also open the files under secret, but cannot open secret/management.aspx, because Web.config reserves that page for Manager.
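The following is an added example, not code from the original post, that serves both section 3 and section 5. It issues the ticket itself instead of calling SetAuthCookie, so the ticket's expiration is the same instant as the cookie's Expires (the timeout caveat of section 3), and it carries the role list in the ticket's UserData so that Application_AuthenticateRequest can build the GenericPrincipal without the per-request database query of section 5. TicketHelper and the comma-separated role format are assumptions of this example; the login page is assumed to call IssueTicket after the post's CHECK method has returned true.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not the post's own code. TicketHelper is a hypothetical helper class;
// roles are assumed to be stored in the ticket's UserData as a comma-separated list.
public static class TicketHelper
{
    // Issue a forms ticket whose own expiry equals the cookie expiry the user chose.
    // 'minutes' is the value picked in the post's RadioButtonList (1, 10 or 60).
    public static void IssueTicket(HttpResponse response, string userName, string[] roles,
                                   int minutes, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.AddMinutes(minutes);

        // Version 1 ticket; UserData carries the roles, so no database lookup is needed per request.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, persistent,
            String.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypted and MAC'd with the machineKey: the client can neither read nor alter the role list.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;   // HTTPS only when Web.config demands it
        cookie.HttpOnly = true;                            // .NET 2.0+: keep script from reading the ticket
        if (persistent)
            cookie.Expires = expires;   // same instant as the ticket, not the 50-year default

        response.Cookies.Add(cookie);
    }

    // Split the UserData field back into roles; an empty field means no roles.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket.UserData == null || ticket.UserData.Length == 0)
            return new string[0];
        return ticket.UserData.Split(',');
    }
}

// Global.asax.cs side: replaces the database round trip of the post's Application_AuthenticateRequest.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!app.Request.IsAuthenticated)
            return;

        FormsIdentity fid = app.User.Identity as FormsIdentity;
        if (fid == null)
            return;   // not Forms authentication

        // FormsAuthenticationModule has already verified the MAC and rejected expired tickets,
        // so the roles in UserData are exactly what the server wrote at login.
        app.Context.User = new GenericPrincipal(fid, TicketHelper.RolesFromTicket(fid.Ticket));
    }
}
```

The trade-off is the usual one for claims carried in a token: a role change in the database takes effect only when the user next logs in, whereas the post's per-request lookup sees it immediately. If roles must be revocable at once, keep the lookup but cache it (for example in Cache keyed by user name) rather than hitting the database on every request.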

6. Validating the user's credentials

Here is the code I have used; I include it in passing.

    public bool Check(string uid, string pwd)
    {
        string strConn = ConfigurationSettings.AppSettings[0];
        SqlConnection conn = new SqlConnection(strConn);
        string sql = "SELECT Password FROM Users WHERE UserName = @username";
        SqlCommand cmd = new SqlCommand(sql, conn);
        SqlParameter uname = new SqlParameter("@username", SqlDbType.VarChar, 50);
        uname.Value = uid;
        cmd.Parameters.Add(uname);
        try
        {
            conn.Open();
            object password = cmd.ExecuteScalar();
            // null means no such user, DBNull means the Password column is NULL
            if (password == null || password is DBNull)
                return false;
            // The stored value is compared as plaintext, so the Users table holds passwords in the clear
            if ((string)password != pwd)
                return false;
            return true;
        }
        catch (SqlException)
        {
            return false;
        }
        finally
        {
            conn.Close();
        }
    }
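The query above is parameterised, so the user name cannot be used for SQL injection; the weak point is that the table stores and compares the password itself, and anyone who reads the table (backup, injection elsewhere, a curious DBA) has every account. Below is an added example of the same check with a salted PBKDF2 hash, written for this page and not taken from the post. It assumes a Users table with PasswordHash and PasswordSalt columns (base64 text) in place of the Password column, a connection string under the appSettings key "ConnectionString", and .NET 2.0 or later for Rfc2898DeriveBytes and ConfigurationManager.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not the post's own code. Assumed schema: Users(UserName, PasswordHash, PasswordSalt),
// hash and salt stored as base64 text; connection string in appSettings["ConnectionString"].
public static class PasswordCheck
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 10000;   // PBKDF2 work factor; raise it as hardware gets faster

    // PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) of the password under the given salt.
    public static byte[] Derive(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashBytes);
    }

    // Used when a user is created or changes password: fresh random salt, then hash, both as base64.
    public static void Hash(string password, out string saltB64, out string hashB64)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        saltB64 = Convert.ToBase64String(salt);
        hashB64 = Convert.ToBase64String(Derive(password, salt));
    }

    // Compare every byte regardless of where the first mismatch is, so response time
    // does not tell an attacker how much of the hash he got right.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Replacement for the post's Check(): the query stays parameterised, but the database
    // holds only salt and hash, and the password itself never leaves this method.
    public static bool Check(string uid, string pwd)
    {
        string strConn = ConfigurationManager.AppSettings["ConnectionString"];
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt FROM Users WHERE UserName = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = uid;
            try
            {
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (!r.Read())
                        return false;   // unknown user
                    byte[] storedHash = Convert.FromBase64String(r.GetString(0));
                    byte[] salt = Convert.FromBase64String(r.GetString(1));
                    return FixedTimeEquals(Derive(pwd, salt), storedHash);
                }
            }
            catch (SqlException)
            {
                return false;
            }
        }
    }
}
```

Two notes on the design. The early return for an unknown user is faster than a full PBKDF2 run, which lets an attacker tell existing accounts from non-existing ones by timing; if that matters, run Derive against a fixed dummy salt before returning false. And because the salt is per user, two users with the same password get different hashes, so a leaked table cannot be cracked with one precomputed list.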

Please credit the original address when reposting: https://www.9cbs.com/read-100360.html
