Tutorial: ASP.NET for Master of Computer Application Students
Prepared by Vivek Kumar Singh

Exercise 1: Create PublicPage.aspx

Use Notepad or the text editor of your choice to create a text file named PublicPage.aspx in your PC’s Inetpub\wwwroot directory. Then add the following text to create a simple Web form:

    <html>
      <body>
        <h1>Public Page</h1>
        <hr>
        <form runat="server">
          <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" />
        </form>
      </body>
    </html>

    <script language="C#" runat="server">
      void OnViewSecret (Object sender, EventArgs e)
      {
          Response.Redirect ("Secret/ProtectedPage.aspx");
      }
    </script>

Exercise 2: Create ProtectedPage.aspx

Create a new directory named Secret in Inetpub\wwwroot. In it, create a text file named ProtectedPage.aspx and enter the following code:

    <html>
      <body>
        <h1>Protected Page</h1>
        <hr>
        <br>
        Be careful investing your money in dot-coms.
      </body>
    </html>

Exercise 3: Test

Test what you’ve done so far by opening PublicPage.aspx in your browser and clicking the “View Secret Message” button. In response, ProtectedPage.aspx should be loaded and should display a secret message for you.

Exercise 4: Create Web.config

Create a text file named Web.config in Inetpub\wwwroot and enter the following statements:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="LoginPage.aspx">
            <credentials passwordFormat="Clear">
              <user name="Jeff" password="hawkeye" />
              <user name="John" password="redrover" />
            </credentials>
          </forms>
        </authentication>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>
    </configuration>

The <authentication> section of this configuration file enables forms authentication, designates LoginPage.aspx as the page that users must go through to get to protected resources, and defines two sets of login credentials. The <authorization> section grants anonymous users access to all parts of this site that don’t specify otherwise.

Exercise 5: Create LoginPage.aspx

Create a text file named LoginPage.aspx in Inetpub\wwwroot and enter the following statements:

    <html>
      <body>
        <h1>Please Log In</h1>
        <hr>
        <form runat="server">
          <table cellpadding="8">
            <tr>
              <td>User Name:</td>
              <td><asp:TextBox ID="UserName" RunAt="server" /></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><asp:TextBox ID="Password" RunAt="server" /></td>
            </tr>
            <tr>
              <td><asp:Button Text="Submit" OnClick="OnSubmit" RunAt="server" /></td>
              <td></td>
            </tr>
          </table>
        </form>
        <hr>
        <h3><asp:Label ID="Output" RunAt="server" /></h3>
      </body>
    </html>

    <script language="C#" runat="server">
      void OnSubmit (Object sender, EventArgs e)
      {
          if (FormsAuthentication.Authenticate (UserName.Text, Password.Text))
              FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);
          else
              Output.Text = "Invalid login";
      }
    </script>

This page displays a simple login form that accepts a user name and password. Clicking the Submit button activates OnSubmit, which uses the Authenticate method of the FormsAuthentication class (a member of the .NET Framework Class Library’s System.Web.Security namespace) to authenticate the supplied user name and password against the credentials defined in the <credentials> section of Web.config. If the login is approved, FormsAuthentication.RedirectFromLoginPage is called to send the user to the page protected by the login page.

Exercise 6: Test

Verify that the application still works as it did before by opening PublicPage.aspx again and clicking the “View Secret Message” button. Because you’ve yet to restrict access to ProtectedPage.aspx, the secret message should appear in the browser window.

Exercise 7: Create another Web.config file

Create another text file named Web.config, this time in the Secret directory (Inetpub\wwwroot\Secret). Add the following statements to deny anonymous users access to files in this directory:

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Exercise 8: Test

Repeat the test you performed in Exercise 6 and verify that clicking the “View Secret Message” button causes your login page to appear (see below). Type “Jeff” into the User Name box and “imbatman” into the Password box. Then click Submit. Does the secret message appear? Why or why not? Finish up by entering the user name “Jeff” and the password “hawkeye.” Do you see ProtectedPage.aspx this time?
Exercise 9: Modify the top-level Web.config file

Close Internet Explorer and reopen it (important!). Then delete the <credentials> section from the top-level Web.config file—the one in Inetpub\wwwroot. Test the application again by clicking the “View Secret Message” button. Can you get past the login page?

Exercise 10: Create an authentication database

While it’s perfectly possible to secure ASP.NET applications using credentials stored in Web.config, doing so isn’t very realistic unless you plan to authorize access to only a small number of users. In the real world, it makes sense to store authentication data in a database, and to write the login page so that it authenticates against the database rather than against Web.config.

To that end, open a command prompt window, go to the folder where Weblogin.sql is stored, and type

    osql -U sa -P -i weblogin.sql

This command executes the script found in Weblogin.sql, which creates a new SQL Server database named WebLogin. Inside the database is a table named Credentials that contains the following records:

    UserName    Password
    Jeff        hawkeye
    John        redrover
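As an added illustration (not part of the tutorial), the following Python script models the lookup that Exercise 11’s CustomAuthenticate performs against this Credentials table, using an in-memory SQLite database as a stand-in for SQL Server and ADO.NET. It contrasts splicing the user name into the SQL text with binding it as a parameter: a legitimate name containing an apostrophe (the constructed "O'Brien" row) breaks the spliced query, because the quote ends the string literal early, while the bound parameter handles it.

```python
import sqlite3

# Constructed stand-in for the WebLogin database's Credentials table.
# The first two rows are the tutorial's; "O'Brien" is added to show a name containing a quote.
CREDENTIALS = [("Jeff", "hawkeye"), ("John", "redrover"), ("O'Brien", "secret")]


def open_weblogin():
    """Create the in-memory Credentials table (SQLite instead of SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table credentials (username varchar(32), password varchar(32))")
    conn.executemany("insert into credentials values (?, ?)", CREDENTIALS)
    return conn


def lookup_spliced(conn, username):
    """The query built by string concatenation: the user name becomes part of the SQL text."""
    sql = "select password from credentials where username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """The same query with the user name bound as a parameter (a value, never SQL text)."""
    sql = "select password from credentials where username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def custom_authenticate(conn, username, password):
    """Python equivalent of CustomAuthenticate: true if a stored password matches exactly."""
    for pw in lookup_param(conn, username):
        # rstrip mirrors TrimEnd on a space-padded char column; comparison is case-sensitive
        if pw.rstrip(" ") == password:
            return True
    return False


def demo():
    """Run the checks and return the observations as a dict."""
    conn = open_weblogin()
    results = {
        "jeff_ok": custom_authenticate(conn, "Jeff", "hawkeye"),
        "jeff_bad": custom_authenticate(conn, "Jeff", "imbatman"),
        "spliced_plain_name": lookup_spliced(conn, "Jeff"),
    }
    try:
        lookup_spliced(conn, "O'Brien")
        results["spliced_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe terminated the literal, so the query text no longer parses.
        results["spliced_apostrophe"] = "syntax error"
    results["param_apostrophe"] = lookup_param(conn, "O'Brien")
    return results
```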
Before proceeding, use the SQL Server Query Analyzer (or the tool of your choice) to verify that the database was properly created and initialized.

Note: Weblogin.sql assumes that SQL Server is installed on drive C: on your PC. If you installed SQL Server on a different drive, open Weblogin.sql and edit the statement

    FILENAME = 'C:\program files\...\weblogin.mdf'

to include the correct drive letter.

Exercise 11: Add a CustomAuthenticate method and modify OnSubmit

Add the following statements to the top of LoginPage.aspx:

    <%@ Import Namespace="System.Data" %>
    <%@ Import Namespace="System.Data.SqlClient" %>

Then add the following method to the <script> block:

    bool CustomAuthenticate (string username, string password)
    {
        // The user name is bound as a command parameter instead of being concatenated into
        // the SQL text, so a quote character in the input cannot change the query's structure.
        SqlConnection connection = new SqlConnection ("server=localhost;uid=sa;pwd=;database=weblogin");
        SqlCommand command = new SqlCommand ("select password from credentials where username = @username", connection);
        command.Parameters.Add ("@username", SqlDbType.VarChar).Value = username;
        SqlDataAdapter adapter = new SqlDataAdapter (command);
        DataSet ds = new DataSet ();
        adapter.Fill (ds);   // Fill opens and closes the connection itself
        DataTable table = ds.Tables[0];
        foreach (DataRow row in table.Rows) {
            // Remove the trailing blanks a space-padded char column returns before comparing
            string pw = row[0].ToString ().TrimEnd (new char[] { ' ' });
            if (String.Compare (password, pw, false) == 0)   // case-sensitive comparison
                return true;
        }
        return false;
    }

Finally, modify the OnSubmit method so that it calls CustomAuthenticate instead of FormsAuthentication.Authenticate:

    void OnSubmit (Object sender, EventArgs e)
    {
        if (CustomAuthenticate (UserName.Text, Password.Text))
            FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);
        else
            Output.Text = "Invalid login";
    }

CustomAuthenticate uses ADO.NET to perform a database query and validate the user name and password provided to it. The user name reaches SQL Server as a command parameter rather than as part of the query text, so a name containing a quote character cannot alter the query.

Exercise 12: Test

Restart your browser again. Then test the application again by clicking the “View Secret Message” button and entering one of the sets of credentials included in the WebLogin database. Verify that you can once more get to ProtectedPage.aspx.

Exercise 13: Try This

Go back to PublicPage.aspx in your browser and click “View Secret Message” again. Verify that you go straight to ProtectedPage.aspx without having to enter a user name and password again.

Now close your browser and restart it. Open PublicPage.aspx and click the “View Secret Message” button. Because the authentication cookie issued to you when you logged in was a temporary one, you’ll have to log in again to get to the protected page.

Exercise 14: Make the authentication cookie persistent

When you pass FormsAuthentication.RedirectFromLoginPage a second parameter that equals false, like this:

    FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);

RedirectFromLoginPage issues a temporary cookie, or session cookie, that expires when the browser is closed. If you pass true instead, RedirectFromLoginPage issues a persistent cookie that’s good for 50 years. Demonstrate by doing the following:

    1. Change RedirectFromLoginPage’s second parameter to true.
    2. Restart your browser and open PublicPage.aspx.
    3. Click the “View Secret Message” button and log in.
    4. Verify that the secret message is displayed.
    5. Close your browser.
    6. Restart the browser, open PublicPage.aspx, and click “View Secret Message.”

Because the cookie is now being cached on your hard disk, you shouldn’t have to log in again in step 6. Finish up by doing the following:

    1. Use Internet Explorer’s Tools/Internet Options/General/Delete Cookies command to delete all the cookies on your PC.
    2. Open PublicPage.aspx and click “View Secret Message.”

This time, you will have to log in because when you deleted the cookies on your PC, you deleted the authentication cookie, too.

Exercise 15: Let the user decide

Add a “Remember me” check box to LoginPage.aspx that lets the user decide whether to make the authentication cookie persistent (if the box is checked) or temporary (if the box isn’t checked), as shown below.
To add the check box, modify the form as follows:

    <form runat="server">
      <table cellpadding="8">
        <tr>
          <td>User Name:</td>
          <td><asp:TextBox ID="UserName" RunAt="server" /></td>
        </tr>
        <tr>
          <td>Password:</td>
          <td><asp:TextBox ID="Password" RunAt="server" /></td>
        </tr>
        <tr>
          <td><asp:Button Text="Submit" OnClick="OnSubmit" RunAt="server" /></td>
          <td><asp:CheckBox Text="Remember me" ID="RememberMe" RunAt="server" /></td>
        </tr>
      </table>
    </form>
And, so that the check box will be honored, change the second parameter passed to RedirectFromLoginPage to RememberMe.Checked:

    FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);

Checked is a CheckBox property that indicates whether the box is checked (true) or unchecked (false).

Exercise 16: Test

Test the changes you made in Exercise 15 by verifying that:

    1. If the “Remember me” box isn’t checked and you restart your browser, you have to log in again to view ProtectedPage.aspx.
    2. If the “Remember me” box is checked and you restart your browser, you don’t have to log in again to view ProtectedPage.aspx.

Exercise 17: Personalize the secret message

Modify ProtectedPage.aspx so that it prefaces the secret message with the user’s login name. Here’s the modified file; the Page directive and the Response.Write line are the additions:

    <%@ Page Language="C#" %>
    <html>
      <body>
        <h1>Protected Page</h1>
        <hr><br>
        <% Response.Write (Context.User.Identity.Name + ": "); %>
        Be careful investing your money in dot-coms.
      </body>
    </html>

Exercise 18: Change the cookie’s expiration date

Modify OnSubmit so that if “Remember me” is checked, the authentication cookie that’s issued has a lifetime of 7 days instead of 50 years. The key is to replace the call to RedirectFromLoginPage with the following statements:

    HttpCookie cookie = FormsAuthentication.GetAuthCookie (UserName.Text, RememberMe.Checked);
    cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0);
    Response.Cookies.Add (cookie);
    Response.Redirect (FormsAuthentication.GetRedirectUrl (UserName.Text, RememberMe.Checked));

The first statement creates an authentication cookie; the second sets the cookie’s expiration date to one week from the current date; the third adds the cookie to the Response object’s Cookies collection, ensuring that the authentication cookie will be returned in the response; and the fourth and final statement redirects to the page that the user requested before the login form popped up.