Authenticate user and using the ChangePassword Control - asp.net

I have a webpage that a user logs in to. Now I want to provide the ability for a user to change their password using the ChangePassword control. The control does work as described here, ChangePassword Control, for non-authenticated users. But I want the behavior for authenticated users.
I'm fairly new to ASP, so this could be a simple question, but exactly how do you "authenticate" a user?

According to the docs, the control works for both authenticated and non-authenticated users.
Changing a user's password programmatically is very straightforward.
Take a look at the MembershipProvider and MembershipUser classes.
You can validate a user using: MembershipProvider.ValidateUser
To authenticate them use: FormsAuthentication.SetAuthCookie
MembershipUser has a method: ChangePassword.
If you are new to all this, read introduction to membership
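
The calls named in this answer, put together as an added example (not code from the original post): a code-behind handler that changes the password of the user who is already signed in. The page class and the control names (CurrentPassword, NewPassword, Status) are assumptions; the ArgumentException case reflects SqlMembershipProvider behaviour.

```csharp
// Added example: code-behind for a hypothetical ChangePassword.aspx page.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class ChangePasswordPage : Page
{
    // Hypothetical controls; they must match the IDs used in the .aspx markup.
    protected TextBox CurrentPassword;
    protected TextBox NewPassword;
    protected Label Status;

    protected void ChangeButton_Click(object sender, EventArgs e)
    {
        // Only a request carrying a valid forms-authentication ticket may proceed.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Take the account name from the ticket, never from a form field,
        // so one user cannot change another user's password.
        MembershipUser user = Membership.GetUser(User.Identity.Name);
        if (user == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        try
        {
            // The provider re-checks the current password before it updates anything.
            bool changed = user.ChangePassword(CurrentPassword.Text, NewPassword.Text);
            Status.Text = changed
                ? "Password changed."
                : "Password was not changed; check the current password.";
        }
        catch (ArgumentException)
        {
            // SqlMembershipProvider throws this when the new password fails
            // the configured length or complexity rules.
            Status.Text = "New password does not meet the password policy.";
        }
    }
}
```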

Related

Custom Login Screen - Integrated Windows Auth with fall back

I want to create a custom login screen that will attempt to authenticate a user via integrated Windows Authentication (using SPNEGO or whatever) and if that attempt fails, fall back to a forms based approach.
The process would ideally work like this...
User Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and succeeds.
User is authenticated and redirected...
User Not Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and fails.
User is presented with a form to enter username and password.
User is authenticated and redirected...
I was hoping to create a custom IUserService implementation to achieve this, but from reading the documentation it's not obvious how this would be done.
Am I going to have to create a custom identity provider to achieve this?
Any guidance would be greatly appreciated.
I think it's not so much the custom IUserService you have to worry about. The IUserService looks up a user once IdSrv3 has collected credentials from the user. So your integration needs to occur earlier.
What's tricky is falling back. If you have a page that is protected by Windows auth, it's the client that decides if it can authenticate or not. If it can't authenticate the user, it will usually prompt the user for credentials and try to submit these. It won't automagically know what to do.
The approach with probably the best user experience is to show a page & allow the user to choose how to login, much like you can choose to login with Google, etc. You can then hook this up as an external provider.

Login control with custom database

I have a problem!
I have a database. It has two fields: username and password.
I use the Login control in VS.
And now I want to use the Login control to connect to my database.
How can I do it?
You have to set up a custom membership provider and configure it in the web.config file. Read this: http://www.asp.net/web-forms/videos/how-do-i/how-do-i-create-a-custom-membership-provider
The login control uses the membership provider's ValidateUser method to check whether a user is valid.
Or: override the LoggingIn event and override the default behavior to manually look up the user by user ID and password. This approach does not need a membership provider.

What to call after validateUser() for forms authentication?

I made a custom membership provider and overrode the ValidateUser method, but now I am confused. I am not using any Login controls, I just have a site wide login (username and password box) on a masterpage.
Questions:
Do I need to call the ValidateUser() method myself? If so, what are the next steps to take? Do I create the auth cookie? Which methods do I need to call to complete the login?
I need to return some custom user data if the user is authenticated. Is it better to call GetUser and check for null or just call ValidateUser and then grab a user object?
Where and how should I store the custom data for the user? Is it stored in the identity object? Should I store it in the MembershipUser object?
Yes, you verify that the credentials are correct by doing a call such as
Membership.ValidateUser(TextBoxUsername.Text, TextBoxPassword.Text)
If the above call returns true then you need to set the authentication cookie like so:
FormsAuthentication.SetAuthCookie(TextBoxUsername.Text, CheckboxRememberMe.Checked);
There I used a "remember me" checkbox, in case you want to log in automatically next time.
To get the user details you can call
Membership.FindUsersByName(TextBoxUsername.Text)
The most handy place you can store the user details is the session.
You didn't ask, but just as important would be a log out page. The functionality needed to undo the login steps is:
FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/login.aspx", false);//or homepage, or any other page

ASP.NET WAP, register user with manual approval

I'm new to ASP.NET.
On a web site, I want users to be able to register, their input data to be saved in a database, but their login should not be functional until their data has been reviewed and potentially approved. The database would then be updated with a new entry with their login and details.
I think it makes sense to have the registration details and the user details as separate tables. As the user details will have many additional fields. So registration and login should connect to different tables.
Does this sound sensible? And would I in this case have any benefit from using the CreateUserWizard and Login controls? Will it allow me to specify the custom database and fields for handling registration data and user status?
If not, it would be nice if you could give some rough steps on how I should approach this "manually"..
You can do this using the ASP.NET Membership object. Once the user is created, make sure you override the IsApproved property to 1; this will stop the user from logging in until you review it and set the IsApproved property = 0.
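
An approval workflow built on the Membership API, as an added example that is not part of the original answer. MembershipUser.IsApproved is a Boolean, and with the built-in providers Membership.ValidateUser returns false while it is false. The class and method names are hypothetical, and the provider is assumed to be configured with requiresQuestionAndAnswer="false".

```csharp
// Added example: registration that stays locked until an administrator approves it.
using System;
using System.Web.Security;

public static class PendingRegistration
{
    // Called from the registration page. The account is created with
    // isApproved = false, so it cannot pass ValidateUser yet.
    public static MembershipCreateStatus Register(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email,
            null,    // passwordQuestion (assumes requiresQuestionAndAnswer="false")
            null,    // passwordAnswer
            false,   // isApproved
            out status);
        return status;   // Success, DuplicateUserName, InvalidPassword, ...
    }

    // Called from an administrator-only page once the details have been reviewed.
    public static bool Approve(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null || user.IsApproved)
        {
            return false;   // unknown account, or already approved
        }
        user.IsApproved = true;
        Membership.UpdateUser(user);   // persist the change through the provider
        return true;
    }

    // Login path: identical for every account, because the approval check
    // happens inside ValidateUser and cannot be skipped by the page.
    public static bool TryLogin(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            return false;   // wrong credentials, locked out, or not yet approved
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```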

Login modes other than forms authentication in ASP.NET

I am trying to design a login page for my website and I am looking for methods other than forms authentication. The way I am trying to do it is to have a table in the database that stores user information and check for the user's validity.
The point where I get stuck is how do I set cookies and session variables, and how will I carry them throughout the system. Can anyone tell me or suggest where I can find relevant material so as to move forward? And also, is my idea of negating traditional forms authentication and going for the model I described a good one, and does any other better method exist?
You can do this even with forms authentication itself...
For Forms Authentication to work, you need not use the complete database setup that MS uses to authenticate. You can simply have your own database and validate a user yourself, and just set the cookie.
String UserName = "CoolGuy";
String PassWord = "Pwd";
// YourClass.YourMethod stands for your own credential check against your database
Boolean isValidUser = YourClass.YourMethod(UserName, PassWord);
if (isValidUser)
{
    // Issue the forms-authentication cookie; false = not persisted across browser sessions
    FormsAuthentication.SetAuthCookie(UserName, false);
}
This will authenticate the user "CoolGuy" for the session, provided YourMethod returns true. And you need to put this code only in Login Page... and the user will automatically be authenticated for the entire session or whatever...
Please see my response to another similar question here... ASP.NET access controls
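
One way to write the YourClass.YourMethod check from this answer (and the ValidateUser override of a custom membership provider discussed earlier on the page) so that the table holds a salted PBKDF2 hash instead of the password itself. This is an added example, not code from the original posts; the UserRow shape, the iteration count and the sample password are constructed for illustration, and the Rfc2898DeriveBytes constructor used here needs .NET Framework 4.7.2 or later.

```csharp
// Added example: credential check against your own user table.
using System;
using System.Security.Cryptography;

public sealed class UserRow            // one row of a hypothetical Users table
{
    public string UserName;
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
}

public static class CredentialCheck
{
    // PBKDF2-HMAC-SHA256 over the password and the per-user salt.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(32);
        }
    }

    // Run at registration or password change; store the result, never the password.
    public static UserRow CreateRow(string userName, string password, int iterations = 100000)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); }
        return new UserRow { UserName = userName, Salt = salt, Iterations = iterations,
                             Hash = Derive(password, salt, iterations) };
    }

    // The login check: row is whatever the lookup by user name returned (null if none).
    public static bool IsValidUser(UserRow row, string password)
    {
        if (row == null || password == null) return false;
        byte[] candidate = Derive(password, row.Salt, row.Iterations);
        int diff = candidate.Length ^ row.Hash.Length;
        for (int i = 0; i < candidate.Length && i < row.Hash.Length; i++)
            diff |= candidate[i] ^ row.Hash[i];   // no early exit, so timing does not leak a prefix match
        return diff == 0;
    }

    public static void Main()
    {
        UserRow row = CreateRow("CoolGuy", "constructed-sample-password");
        Console.WriteLine(IsValidUser(row, "constructed-sample-password"));
        Console.WriteLine(IsValidUser(row, "wrong-password"));
    }
}
```

When IsValidUser returns true, the login page calls FormsAuthentication.SetAuthCookie exactly as in the answer above.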
