I want to add login for registered users in my website. How shall I proceed with it? Is it through the use of sessions? What will happen to the Session variable once the logout happens??
Your question is extremely broad and there are many different ways that you can implement what is, in effect, a "membership" system for an ASP.NET website.
I would suggest that you start by reading the "Introduction to Membership" article from MSDN. This article will give you an overview of how ASP.NET membership works in the most "standard" way.
It also mentions using the various ASP.NET membership "controls" (Login, LoginView, LoginStatus & PasswordRecovery for example).
Using these controls along with the built-in ASP.NET membership providers (for example, ASP.NET provides a SQL membership provider to work against SQL Server as the data store for your user accounts and credentials) will allow you to implement a complete membership and authentication system with virtually no code at all (i.e. all the functionality is provided by the built-in "membership" controls and declarative mark-up).
Finally, a really good series of articles on this subject is:
Examining ASP.NET 2.0's Membership, Roles, and Profile
from the 4guysfromrolla site. It's starts at the very beginning of the membership topic and goes right the way through to touching on the implementation of a custom membership provider and administrative interface for managing user credentials to round out the whole subject.
I'd take a look a related questions, such as
Login Membership .NET
This topic is already covered quite a lot on SO.
Session state and log in are somewhat orthogonal. You have a session regardless of whether or not you are logged in.
You should use the provided Login control and Membership system.
About Session vars, nothing special will happen. ASP.NET forms authentication does not use SessionState by default.
I would recommend using forms authentication with perhaps a custom backend using IIdentity and IPrincipal. There’s lots of information available how to do this but I think this link forms a good starting point http://msdn.microsoft.com/en-us/library/aa480476.aspx
Related
For my new website, I am using a custom login.aspx (simply two text boxes username and password with a button). Actually I don't know about authentication modes in ASP.NET. Do I need to specify any mode in my web.config?
What are the security issues related to this?
Any links to articles related to this will be appreciated.
Have a look at ASP.NET Identity. This is the way to handle authentication/authorization in ASP.NET these days.
Start reading the introduction on the asp.net site and a lot of thing will become clear.
Just a login.aspx page will bring you nothing, since there's a lot more involved then just username/password checking. You need to store usernames/passwords, encrypt things, handle cookies (persistent or not), handle autorization, maybe some registration or roles etc etc.
All this things can be done with ASP.NET identity. If it's a new website, in VS2013, Individual User Accounts authentication is on by default when creating a new ASP.NET web project. There's a lot of boilerplate code in the project template to get you up and running...
http://asp.net/identity
Anyway thanks for your suggestion. I am using 'Scrypt' based hashing. Form authentication seems easy but its difficult for me to manage cookies, user tables etc. I use User table for many other purpose also.
This method gives me a good control over everything even if its difficult to get coded.
I have a demo site that requires a simple login security similar to basic authenication. When a url is entered, a login popups and prompts for username/password. Unfortunately, basic authentication is not available in Azure. Something that requires very little code and I can just store my username/password in the webconfig.
First, basic authentication is always customizable, it doesn't necessary mean that Windows accounts are used. You can pretty much plug your custom membership provider here, as I've blogged once:
http://www.wiktorzychla.com/2013/11/basic-authentication-module-with-custom.html
Second, using forms authentication with a custom membership provider is always a simple option. In your provider, passwords can be read from anywhere.
I need to secure my website without using the ASP.NET built in login controls or the Forms Authentication.
Its need to support "normal" users and admin users.
Any suggestion? Thanks
Well, it's impossible to build anything in ASP.NET without a tag = )
I can't tell exactly what you are asking, so I will try to go over the whole groundwork.
ASP.NET Provides Different Authentication Models
You can use ASP.NET's built in authentication with Membership and Roles
You can write your own ASP.NET membership model
You can use another ASP.NET authentication model, such as Shibboleth, Windows/IIS, and others, see JD's post.
You can skip all of these and use your own "authentication", perhaps it is stored as a simple Session variable
ASP.NET Provides Different Controls
There is a handly Login control that integrated with ASP.NET's built in membership making things very easy.
If you don't want to use that, you can simply use ASP TextBoxes, Buttons, etc, and basically create your own login form.
In adition to JD's and rlb.usa's posts you can also use opemid or windowslive id authentication perhaps. both of these have membership providers for asp.net. Checkout Codeplex for those; however if you want a truly customazieable solution perhaps its best for you as rlb.usa pointed out a simple session variable solution.
Perhaps you want to use Windows Authentication (rather than Forms Authentication) with ASP.NET? You should choose Windows authentication if your user accounts are maintained by a domain controller or within Active Directory and there are no firewall issues. I think this is what you are after. Here's a decent write up.
Umm, a quick response is for you to checkout Authentication features provided by IIS. These include Kerbros, NTLM, Basic Auth, just to name a few.
I have an ASP.Net MVC application and I'm using Forms authentication in SQL Server. This sets up the authentication and authorization for me. However, I have other person-based data that I need to track as well, such as the person's phone number, department, their charge-out rate, start date, etc.
WHAT the person can do (which is controlled by ASP.Net security) is related to WHO they are (which is controlled by my application).
Is there a best practice for linking ASP.Net with my application data to get a more complete person object? Can I simply extend the information in the ASP.Net tables? Is it better to keep it separate? Has anyone got any tips or links for guidance?
Since you are already using ASP.NET Forms Authentication the ASP.NET RoleProvider which can be integrated into MVC via the Authorize attribute is just as easy to setup.
And you get something like this:
[Authorize(IsInRole="Chef")]
public ActionResult Cook() { // snip ...
And if you did use all that, there's also the ProfileProvider for ASP.NET which generates profile code for you with full intellisense support. You can customize which fields you want and what data types it should be stored in etc. etc.
Both the Role Provider and Profile Provider can be customized or roll-your-own, there are many many articles on the internet that will tell you how.
Using the ASP.NET providers also gives you the benefits that the data is maintained automatically throughout the ASP.NET request processing pipeline, e.g. you can access this property:
HttpContext.Current.Profile
...from almost anywhere.
Use the built-in functionality for Profile Properties to store additional data about your users.
I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way.
I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.
I guess in a Database it will look something like this:
Companies have Administrators. Administrators can give users access.
I am sure this pattern is used all over the place, I am just not sure how to implement it. Especially using the membership providers.
Thanks,
David
There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:
Configure Web site to use membership (via web.config)
Enable role management (via web.config <roles enabled="true"> tag)
Add administrator accounts to Administrators role.
Control access to the administrative pages by using [Authorize(Roles="Administrators")] attribute in the controller action.
Require authentication on other non-admin actions ([Authorize])
When I did this, I used the Membership Provider for authentication however, the organization concept I created externally from the Provider. You could use the Profile Provider.
As for roles I would still use the Roles within the ASP.Net Membership Model.
You can create a role for those people and name it something like organizational-admin, though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how i did it in one of my applications.
Ofcourse you'll keep the admin to yourself or to the person who is in charge of this particular site.
Gu's blog has a small example of how to implement the roles in an action filter.