ASP.NET Forms-based authentication mechanism
Recently I have been reading the ASP.NET Forum code, whose authentication mechanism can serve as a model. After reading about forms authentication in ASP.NET applications, the approach became very clear to me, so I have made some notes here for later reference.

Build the Forms-based authentication mechanism as follows:

1. Set IIS to anonymous access, and set ASP.NET to Forms authentication in Web.config.

2. Query the data store to verify the user, and retrieve the user's roles (not needed if authorization is not role-based).

3. Use FormsAuthenticationTicket to create a cookie and send it back to the client, with the roles stored in the ticket. For example:

    FormsAuthentication.SetAuthCookie(Username, true); // or false for a non-persistent cookie

To set how long the cookie is kept:

    HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddDays(1);
If you need to store roles, use:

    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1,                            // version
        txtUserName.Text,             // user name
        DateTime.Now,                 // creation time
        DateTime.Now.AddMinutes(20),  // expiration
        false,                        // persistent
        roles);                       // user data: the roles as one delimited string such as "role1;role2" (userData is a string, not an array)
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket); // encrypt

Store it in the cookie:

    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    Response.Cookies.Add(authCookie);
4. In the application's Global.asax, in the Application_AuthenticateRequest event handler, use the ticket to create an IPrincipal object and assign it to HttpContext.User:

    HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie == null) return; // no ticket cookie: anonymous request
    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value); // decrypt
    string[] roles = authTicket.UserData.Split(new char[] { ';' }); // split on the delimiter used when storing: ; or | ...
    Context.User = new GenericPrincipal(Context.User.Identity, roles); // assign to HttpContext.User
5. To restrict access to certain pages, there are two methods:

5.1. Web.config

5.2. Put the files that only certain roles may access in the same directory, and add a web.config to that directory.

Note: Web.config settings in a subdirectory take precedence over the Web.config settings of the parent directory.
ASP.NET security authentication

1. Windows-based authentication

web.config file:

No code is needed in the .aspx file to implement authentication, but you can import the System.Security.Principal namespace in the .aspx file to get the logged-in user:

    if (User.Identity.IsAuthenticated) // check whether the user is authenticated; this seems optional
    {
        WindowsIdentity objWinIdentity = WindowsIdentity.GetCurrent();
        lblHelloMsg.Text = "the name:" + objWinIdentity.Name
            + " Type:" + objWinIdentity.AuthenticationType
            + " IsInRole:" + User.IsInRole("computername\\groupname");
    }

2. Forms authentication based on Web.config

web.config file:
Protection = "all" timeout = "30">
Login.aspx file: provide two text boxes for the user name and password (txtUsr, txtPwd), a check box to decide whether to persist the login, and a button control. The button's handler code is as follows:

    void DoLogin(object sender, EventArgs e)
    {
        if (FormsAuthentication.Authenticate(txtUsr.Value, txtPwd.Value))
        {
            FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, chkPersist.Checked);
        }
        else // included for completeness; can be omitted
        {
            Response.Write("Authentication Fails");
        }
    }

You can then get the logged-in user's details on other pages:

    if (User.Identity.IsAuthenticated) // this check can be omitted
    {
        Response.Write("Your name:" + User.Identity.Name);
        Response.Write("Verification Type:" + User.Identity.AuthenticationType); // Forms, Windows, etc.
    }

3. Custom Forms authentication

web.config file (needs almost no settings):
Protection = "all" timeout = "30">
Custom-login.aspx file: the basic principle is the same as in method 2, for example:

    // Note: blnIsAuthenticated is a variable we define ourselves.
    // We compare the entered information with the database (or XML);
    // if a match exists, set the variable to true, otherwise false.
    // This is where it differs from method 2.
    if (blnIsAuthenticated)
    {
        FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, chkPersist.Checked); // txtUsr and chkPersist are TextBox and CheckBox controls, respectively
    }
    else
    {
        // show an authentication-failed message
    }

Getting the user's information on other pages works as in method 2. To log out, handle the logout button's click as follows:

    FormsAuthentication.SignOut();
    Response.Clear();
    // Request.UrlReferrer comes from the client's Referer header and is null when the header is absent
    Response.Redirect(Request.UrlReferrer.ToString()); // redirect to the previous page
Web user authentication method
Recently I have been reading the source code of some MS portal applications, and I am very interested in their user authentication. My notes are organized as follows:

Web.config configuration: