ASP.NET 4 Unleashed - p 125 docx


CHAPTER 27 Using ASP.NET Membership

You can add a machineKey element with explicit keys to either the machine root web configuration file or to particular application web configuration files. If you don't want to share the same keys across all the applications on a web server, add the machineKey element only to the applications that need to share them.

FIGURE 27.1 Generating cryptographically strong keys.

Using Forms Authentication Across Domains

In the previous section, you learned how to share the same authentication cookie across applications located on the same server or on different servers. But how do you share the same authentication cookie across domains?

A browser cookie is always domain relative. For example, the Amazon website cannot read cookies set by the Barnes & Noble website, which is a good thing. However, you might discover that you need to share authentication information across websites with different domains.

You can work around this problem by passing an authentication ticket in a query string parameter rather than in a cookie. There is nothing to prevent you from passing query strings between domains.

To enable this scenario, you must configure your applications to accept authentication tickets passed in a query string. The web configuration file in Listing 27.6 includes an enableCrossAppRedirects attribute that enables sharing authentication tickets across domains.

LISTING 27.6 Web.config

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms enableCrossAppRedirects="true" />
        </authentication>
        <machineKey
          decryption="AES"
          validation="SHA1"
          decryptionKey="306C1FA852AB3B0115150DD8BA30821CDFD125538A0C606DACA53DBB3C3E0AD2"
          validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E26948E26D1D174B159973EA0BE8CC9CAA6AAF513BF84E44B2247792265" />
      </system.web>
    </configuration>

If you add the web configuration file in Listing 27.6 to two applications located in different domains, the two applications can share the same authentication ticket.

WARNING
Make sure that you change the validation and encryption keys in Listing 27.6. You can use the GenerateKeys.aspx page discussed in the previous section to generate new random keys.

When you link or redirect from one application to another, you must pass the authentication ticket in a query string parameter. The page in Listing 27.7 adds the necessary query string parameter to a hyperlink.

LISTING 27.7 QueryStringAuthenticate.aspx

    <%@ Page Language="C#" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <script runat="server">

        void Page_Load()
        {
            // Append the current user's Forms authentication ticket to the link
            // so the other domain can pick it up from the query string.
            string cookieName = FormsAuthentication.FormsCookieName;
            string cookieValue = FormsAuthentication.GetAuthCookie(User.Identity.Name, false).Value;
            lnkOtherDomain.NavigateUrl += String.Format("?{0}={1}", cookieName, cookieValue);
        }

    </script>

    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head id="Head1" runat="server">
        <title>Query String Authenticate</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>

        <asp:HyperLink
            id="lnkOtherDomain"
            Text="Link to Other Domain"
            NavigateUrl="http://www.OtherDomain.com/Secret.aspx"
            Runat="server" />

        </div>
        </form>
    </body>
    </html>

Using the FormsAuthentication Class

The main application programming interface for interacting with Forms authentication is the FormsAuthentication class. This class supports the following properties:

- CookieDomain—Returns the domain associated with the authentication cookie.
- CookieMode—Returns the cookieless authentication mode. Possible values are AutoDetect, UseCookies, UseDeviceProfile, and UseUri.
- CookiesSupported—Returns True when a browser supports cookies and Forms authentication is configured to use cookies.
- DefaultUrl—Returns the URL of the page to which a user is redirected after being authenticated.
- EnableCrossAppRedirects—Returns True when an authentication ticket can be retrieved from a query string.
- FormsCookieName—Returns the name of the authentication cookie.
- FormsCookiePath—Returns the path associated with the authentication cookie.
- LoginUrl—Returns the URL of the page to which a user is redirected in order to be authenticated.
- RequireSSL—Returns True when the authentication cookie must be transmitted with SSL (the Secure Sockets Layer).
- SlidingExpiration—Returns True when the authentication cookie uses a sliding expiration policy.

These properties return the configuration settings for Forms authentication from the web configuration file.

The FormsAuthentication class supports the following methods:
- Authenticate—Enables you to validate a username and password against a list of usernames and passwords stored in the web configuration file.
- Decrypt—Enables you to decrypt an authentication cookie.
- GetAuthCookie—Enables you to retrieve an authentication cookie.
- GetRedirectUrl—Enables you to retrieve the path to the original page that caused the redirect to the Login page.
- HashPasswordForStoringInConfigFile—Enables you to hash a password so that it can be stored in the web configuration file.
- RedirectFromLoginPage—Enables you to redirect a user back to the original page requested before the user was redirected to the Login page.
- RedirectToLoginPage—Enables you to redirect the user to the Login page.
- RenewTicketIfOld—Enables you to update the expiration time of an authentication cookie.
- SetAuthCookie—Enables you to create and issue an authentication cookie.
- SignOut—Enables you to remove an authentication cookie and log out a user.

You can use the methods and properties of the FormsAuthentication class to build a user registration and authentication system without using ASP.NET Membership. For example, the web configuration file in Listing 27.8 contains a list of usernames and passwords.

LISTING 27.8 Web.Config

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms>
            <credentials passwordFormat="Clear">
              <user name="Bill" password="secret" />
              <user name="Jane" password="secret" />
              <user name="Fred" password="secret" />
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>

FIGURE 27.2 Authenticating against web configuration credentials.

The web configuration file in Listing 27.8 contains a forms element that contains a credentials element. The credentials element includes a list of usernames and passwords. Notice that the credentials element includes a passwordFormat attribute that is set to the value Clear.
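To make concrete what FormsAuthentication.Authenticate() does with a credentials element like the one in Listing 27.8, here is a Python model of the lookup and comparison. It is an added example, not code from the book or from the framework; besides the Clear format it covers the hashed MD5 and SHA1 passwordFormat values, stored the way HashPasswordForStoringInConfigFile() emits them (uppercase hex digest of the UTF-8 password), and the SHA1 configuration and digest below are constructed for the example.

```python
# Model of FormsAuthentication.Authenticate() checking a login against the
# <credentials> element of a web.config. Added illustration, not the
# framework's code. Hashed formats hold the uppercase hex digest of the
# UTF-8 password, as HashPasswordForStoringInConfigFile() produces.
import hashlib
import xml.etree.ElementTree as ET

# Listing 27.8's credentials (Clear) and a constructed SHA1 variant; the
# digest is SHA1("secret") as hash_for_config() below computes it.
CLEAR_CONFIG = """<configuration><system.web><authentication mode="Forms"><forms>
  <credentials passwordFormat="Clear">
    <user name="Bill" password="secret" />
    <user name="Jane" password="secret" />
  </credentials>
</forms></authentication></system.web></configuration>"""

SHA1_CONFIG = """<configuration><system.web><authentication mode="Forms"><forms>
  <credentials passwordFormat="SHA1">
    <user name="Bill" password="E5E9FA1BA31ECD1AE84F75CAAA474F3A663F05F4" />
  </credentials>
</forms></authentication></system.web></configuration>"""

def hash_for_config(password, password_format):
    """Return the value to store in the password attribute for the given format."""
    if password_format == "Clear":
        return password
    algo = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}[password_format]
    return algo(password.encode("utf-8")).hexdigest().upper()

def authenticate(web_config, name, password):
    """True when name is listed in <credentials> and password matches in the
    configured format. Hash digests are compared case-insensitively."""
    creds = ET.fromstring(web_config).find(".//credentials")
    if creds is None:
        return False
    password_format = creds.get("passwordFormat", "SHA1")  # ASP.NET's default
    for user in creds.findall("user"):
        if user.get("name") != name:
            continue
        stored = user.get("password", "")
        candidate = hash_for_config(password, password_format)
        if password_format == "Clear":
            return stored == candidate
        return stored.upper() == candidate
    return False  # unknown user

if __name__ == "__main__":
    print(hash_for_config("secret", "SHA1"))            # E5E9FA1BA31ECD1AE84F75CAAA474F3A663F05F4
    print(authenticate(SHA1_CONFIG, "Bill", "secret"))  # True
```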
If you prefer, rather than store passwords in clear text, you can store password hash values. That way, anyone working on the web server can't see everyone else's passwords. The other two possible values for the passwordFormat attribute are MD5 and SHA1.

NOTE
If you need to hash a password so you can store it in the web configuration file, you can use the (appropriately named) FormsAuthentication.HashPasswordForStoringInConfigFile() method. This method accepts a clear text password and the name of a hash algorithm, and it returns a hashed version of the password.

The Login page in Listing 27.9 contains a User Name and a Password text box (see Figure 27.2).

LISTING 27.9 FormsLogin.aspx

    <%@ Page Language="C#" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <script runat="server">

        protected void btnLogin_Click(object sender, EventArgs e)
        {
            // Check the typed credentials against the <credentials> element in Web.config.
            if (FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
                FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkRememberMe.Checked);
            else
                lblError.Text = "Invalid user name/password";
        }

    </script>

    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head id="Head1" runat="server">
        <title>Forms Login</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>

        <asp:Label
            id="lblError"
            EnableViewState="false"
            ForeColor="Red"
            Runat="server" />

        <br /><br />

        <asp:Label
            id="lblUserName"
            Text="User Name:"
            AssociatedControlID="txtUserName"
            Runat="server" />
        <br />
        <asp:TextBox
            id="txtUserName"
            Runat="server" />

        <br /><br />

        <asp:Label
            id="lblPassword"
            Text="Password:"
            AssociatedControlID="txtPassword"
            Runat="server" />
        <br />
        <asp:TextBox
            id="txtPassword"
            TextMode="Password"
            Runat="server" />

        <br /><br />

        <asp:CheckBox
            id="chkRememberMe"
            Text="Remember Me"
            Runat="server" />

        <br /><br />

        <asp:Button
            id="btnLogin"
            Text="Login"
            OnClick="btnLogin_Click"
            Runat="server" />

        </div>
        </form>
    </body>
    </html>

When you click the Login button, the btnLogin_Click() handler executes and the FormsAuthentication.Authenticate() method checks whether the username and password entered into the TextBox controls match a username and password in the web configuration file. If the user successfully authenticates, the FormsAuthentication.RedirectFromLoginPage() method is called.

The RedirectFromLoginPage() method does two things. The method adds an authentication cookie to the user's browser. The method also redirects the user back to whatever page the user originally requested. If the user requests the Login page directly, the user is redirected to the Default.aspx page.

The second parameter passed to the RedirectFromLoginPage() method indicates whether you want to create a session or persistent cookie. If you create a persistent cookie, a user does not need to log in when the user returns to the website in the future.

Using the User Class

You can use the Page.User or the HttpContext.User property to retrieve information about the current user. The Page.User property exposes a Principal object that supports the following method:

- IsInRole—Enables you to check whether a user is a member of a particular role.
For example, when Windows authentication is enabled, you can use the IsInRole() method to check whether a user is a member of a particular Microsoft Windows group such as the BUILTIN\Administrators group (a verbatim string is used so that the backslash is not read as an escape sequence):

    if (User.IsInRole(@"BUILTIN\Administrators"))
    {
        // Do some Administrator only operation
    }

NOTE
If the Role Manager is enabled, you must configure the Role Manager to use the WindowsTokenRoleProvider before you can use the User.IsInRole() method with Windows groups.

The Principal object also includes an Identity property that enables you to get information about the current user's identity. The Identity object supports the following three properties:

- AuthenticationType—Enables you to determine how the user was authenticated. Examples of possible values are Forms, Basic, and NTLM.
- IsAuthenticated—Enables you to determine whether a user is authenticated.
- Name—Enables you to retrieve the user's name.

If you want to get the name of the current user, you can use logic that looks like this:

    Dim name As String = User.Identity.Name

If a user is not authenticated, the User.Identity.Name property returns an empty string.

Configuring Authorization

Authorization refers to the process of identifying the resources that you are allowed to access. You control authorization by adding an authorization element to a web configuration file.

Authorization works the same way regardless of the type of authentication that is enabled. In other words, you configure authorization in the same way when using Forms, Windows, and .NET Passport authentication.

Typically, you place all the pages that you want to password-protect in a separate folder. If you add a web configuration file to the folder, the settings in the web configuration file apply to all pages in the folder and all subfolders.
For example, if you add the web configuration file in Listing 27.10 to a folder, then unauthenticated users are blocked from accessing pages in the folder.

LISTING 27.10 SecretFiles\Web.Config

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>

If you add the file in Listing 27.10 to a folder, unauthenticated users cannot access any pages in the folder. When Forms authentication is enabled, unauthenticated users are automatically redirected to the Login page.

The web configuration file in Listing 27.10 contains an authorization element that contains a single authorization rule. The configuration file denies access to anonymous users. The ? symbol represents anonymous (unauthenticated) users. You can use the following two special symbols with the users attribute:

- ?—Represents unauthenticated users.
- *—Represents all users (unauthenticated or authenticated).

You also can assign a particular username, or comma-delimited list of usernames, to the deny element. For example, the authorization element in Listing 27.11 enables access for a user named Jane, but denies access to anyone else (even authenticated users).

LISTING 27.11 SecretFiles\Web.Config

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="Jane" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

The order of the authorization rules is important. The ASP.NET Framework uses a first-match algorithm. If you switched the allow and deny rules in Listing 27.11, no one, not even Jane, would be allowed to access the pages in the folder.

NOTE
You can prevent anonymous users from accessing any page in an application by adding an authorization element to the application root web configuration file. In that case, anonymous users are still allowed to access the Login page. (Otherwise, no one could log in when using Forms authentication.)

VISUAL WEB DEVELOPER NOTE
If you prefer, you can configure authorization rules by using the Web Site Administration Tool. This tool provides you with a form interface for configuring authorization rules for different folders. You can open the Web Site Administration Tool by selecting Website, ASP.NET Configuration.

Authorizing by Role

When creating authorization rules, you can authorize by user role. For example, the web configuration file in Listing 27.12 prevents access to any pages in a folder by anyone except members of the Administrators role.

LISTING 27.12 SecretFiles\Web.Config

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Administrator"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

When Forms authentication is enabled, the role refers to a custom role. In the final section of this chapter, "Using the Role Manager," you learn how to configure and create custom roles. When Windows authentication is enabled, the role refers to a Microsoft Windows group.
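A Python model of the first-match evaluation described above, added here and not taken from the book or from the framework: it parses the authorization element out of Listings 27.11 and 27.12 (embedded as constructed strings) and shows that reversing the two rules of Listing 27.11 denies Jane as well, because the deny rule for * is now matched first.

```python
# Model of the first-match algorithm ASP.NET applies to <authorization> rules.
# Added illustration, not the framework's code: it reads allow/deny rules out
# of a web.config string and decides whether a request is authorized.
import xml.etree.ElementTree as ET

# Constructed web.config fragments: Listing 27.11 as printed, the same two
# rules in reverse order, and Listing 27.12's role-based rule.
LISTING_27_11 = """<configuration><system.web><authorization>
  <allow users="Jane" />
  <deny users="*" />
</authorization></system.web></configuration>"""

SWAPPED_27_11 = """<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="Jane" />
</authorization></system.web></configuration>"""

LISTING_27_12 = """<configuration><system.web><authorization>
  <allow roles="Administrator"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""

def split_list(value):
    """Split a comma-delimited attribute such as users="Bill, Jane"."""
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_rules(web_config):
    """Return (verb, users, roles) tuples in document order; the order matters."""
    auth = ET.fromstring(web_config).find(".//authorization")
    return [(rule.tag, split_list(rule.get("users", "")), split_list(rule.get("roles", "")))
            for rule in auth if rule.tag in ("allow", "deny")]

def is_authorized(rules, user_name, roles=()):
    """The first rule that matches decides. '?' matches anonymous requests and
    '*' matches everyone; an empty user_name models an unauthenticated request."""
    authenticated = bool(user_name)
    user_roles = {r.lower() for r in roles}
    for verb, users, rule_roles in rules:
        matched = (
            "*" in users
            or ("?" in users and not authenticated)
            or (authenticated and user_name.lower() in {u.lower() for u in users})
            or any(r.lower() in user_roles for r in rule_roles)
        )
        if matched:
            return verb == "allow"
    return True  # no rule matched: the machine-level default <allow users="*"/> applies

if __name__ == "__main__":
    print(is_authorized(parse_rules(LISTING_27_11), "Jane"))  # True
    print(is_authorized(parse_rules(SWAPPED_27_11), "Jane"))  # False: deny * matched first
```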

Posted: 06/07/2014, 18:20
