Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Tutorial asp.net

Vivek K. Singh
Vivek K. Singh

This document provides a tutorial with 15 exercises to teach how to create a basic ASP.Net web application with user authentication and authorization. The exercises guide the user to create web forms, configure authentication using web.config files, add a login page that authenticates against a SQL database, and customize the user experience including remembering user logins.

Related slideshows

ASP.NET Tutorial - Presentation 1
ASP.NET Tutorial - Presentation 1ASP.NET Tutorial - Presentation 1
ASP.NET Tutorial - Presentation 1
 
Introduction to asp
Introduction to aspIntroduction to asp
Introduction to asp
 
Advanced Asp.Net Concepts And Constructs
Advanced Asp.Net Concepts And ConstructsAdvanced Asp.Net Concepts And Constructs
Advanced Asp.Net Concepts And Constructs
 
1 of 8
Tutorial: ASP.Net for Master of Computer Application Students Prepared by Vivek Kumar Singh Exercise 1: Create PublicPage.aspx Use Notepad or the text editor of your choice to create a text file named PublicPage.aspx in your PC’s Inetpubwwwroot directory. Then add the following text to create a simple Web form: <html> <body> <h1>Public Page</h1> <hr> <form runat="server"> <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" /> </form> </body> </html> <script language="C#" runat="server"> void OnViewSecret (Object sender, EventArgs e) { Response.Redirect ("Secret/ProtectedPage.aspx"); } </script> Exercise 2: Create ProtectedPage.aspx Create a new directory named Secret in Inetpubwwwroot. In it, create a text file named ProtectedPage.aspx and enter the following code: <html> <body> <h1>Protected Page</h1> <hr> <br> Be careful investing your money in dot-coms. </body> </html> Exercise 3: Test Test what you’ve done so far by opening PublicPage.aspx in your browser and clicking the “View Secret Message” button. In response, ProtectedPage.aspx should be loaded and should display a secret message for you. Exercise 4: Create Web.config Create a text file named Web.config in Inetpubwwwroot and enter the following statements: <configuration> <system.web> <authentication mode="Forms">
<forms loginUrl="LoginPage.aspx"> <credentials passwordFormat="Clear"> <user name="Jeff" password="hawkeye" /> <user name="John" password="redrover" /> </credentials> </forms> </authentication> <authorization> <allow users="?" /> </authorization> </system.web> </configuration> The <authentication> section of this configuration file enables forms authentication, designates LoginPage.aspx as the page that users must go through to get to protected resources, and defines two sets of login credentials. The <authorization> section grants anonymous users access to all parts of this site that don’t specify otherwise. Exercise 5: Create LoginPage.aspx Create a text file named LoginPage.aspx in Inetpubwwwroot and enter the following statements: <html> <body> <h1>Please Log In</h1> <hr> <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Submit" OnClick="OnSubmit" RunAt="server" /> </td> <td> </td> </tr> </table> </form> <hr> <h3><asp:Label ID="Output" RunAt="server" /></h3> </body> </html> <script language="C#" runat="server"> void OnSubmit (Object sender, EventArgs e)
{ if (FormsAuthentication.Authenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; } </script> This page displays a simple login form that accepts a user name and password. Clicking the Submit button activates OnSubmit, which uses the Authenticate method of the FormsAuthentication class (a member of the .NET Framework Class Library’s System.Web.Security namespace) to authenticate the supplied user name and password against the credentials defined in the <credentials> section of Web.config. If the login is approved, FormsAuthentication.RedirectFromLoginPage is called to send the user to the page protected by the login page. Exercise 6: Test Verify that the application still works as it did before by opening PublicPage.aspx again and clicking the “View Secret Message” button. Because you’ve yet to restrict access to ProtectedPage.aspx, the secret message should appear in the browser window. Exercise 7: Create another Web.config file Create another text file named Web.config, this time in the Secret directory (Inetpubwwwrootsecret). Add the following statements to deny anonymous users access to files in this directory: <configuration> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </configuration> Exercise 8: Test Repeat the test you performed in Exercise 6 and verify that clicking the “View Secret Message” button causes your login page to appear (see below). Type “Jeff” into the User Name box and “imbatman” into the Password box. Then click Submit. Does the secret message appear? Why or why not? Finish up by entering the user name “Jeff” and the password “hawkeye.” Do you see ProtectedPage.aspx this time?
Exercise 9: Modify the top-level Web.config file Close Internet Explorer and reopen it (important!). Then delete the <credentials> section from the top-level Web.config file—the one in Inetpubwwwroot. Test the application again by clicking the “View Secret Message” button. Can you get past the login page? Exercise 10: Create an authentication database While it’s perfectly possible to secure ASP.NET applications using credentials stored in Web.config, doing so isn’t very realistic unless you plan to authorize access to only a small number of users. In the real world, it makes sense to store authentication data in a database, and to write the login page so that it authenticates against the database rather than against Web.config. To that end, open a command prompt window, go to the folder where Weblogin.sql is stored, and type osql –U sa –P –i weblogin.sql This command executes the script found in Weblogin.sql, which creates a new SQL Server database named WebLogin. Inside the database is a table named Credentials that contains the following records: UserName Password Jeff hawkeye John redrover
Before proceeding, use the SQL Server Query Analyzer (or the tool of your choice) to verify that the database was properly created and initialized. Note: Weblogin.sql assumes that SQL Server is installed on drive C: on your PC. If you installed SQL Server on a different drive, open Weblogin.sql and edit the statement FILENAME = 'C:program files...weblogin.mdf' to include the correct drive letter. Exercise 11: Add a CustomAuthenticate method and modify OnSubmit Add the following statements to the top of LoginPage.aspx: <%@ Import NameSpace="System.Data" %> <%@ Import NameSpace="System.Data.SqlClient" %> Then add the following method to the <script> block: bool CustomAuthenticate (string username, string password) { SqlDataAdapter adapter = new SqlDataAdapter ("select password from credentials " + "where username = '" + username + "'", "server=localhost;uid=sa;pwd=;database=weblogin"); DataSet ds = new DataSet (); adapter.Fill (ds); DataTable table = ds.Tables[0]; foreach (DataRow row in table.Rows) { string pw = row[0].ToString ().TrimEnd (new char[] { ' ' }); if (String.Compare (password, pw, false) == 0) return true; } return false; } Finally, modify the OnSubmit method so that it calls CustomAuthenticate instead of FormsAuthentication.Authenticate: void OnSubmit (Object sender, EventArgs e) { if (CustomAuthenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; } CustomAuthenticate uses ADO.NET to perform a database query and validate the user name and password provided to it. Exercise 12: Test Restart your browser again. Then test the application again by clicking the “View Secret
Message” button and entering one of the sets of credentials included in the WebLogin database. Verify that you can once more get to ProtectedPage.aspx. Exercise 13: Try This Go back to PublicPage.aspx in your browser and click “View Secret Message” again. Verify that you go straight to ProtectedPage.aspx without having to enter a user name and password again. Now close your browser and restart it. Open PublicPage.aspx and click the “View Secret Message” button. Because the authentication cookie issued to you when you logged in was a temporary one, you’ll have to log in again to get to the protected page. Exercise 14: Make the authentication cookie persistent When you pass FormsAuthentication.RedirectFromLoginPage a second parameter that equals false, like this: FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); RedirectFromLoginPage issues a temporary cookie, or session cookie, that expires when the browser is closed. If you pass true instead, RedirectFromLoginPage issues a persistent cookie that’s good for 50 years. Demonstrate by doing the following: 1. Change RedirectFromLoginPage’s second parameter to true. 2. Restart your browser and open PublicPage.aspx. 3. Click the “View Secret Message” button and log in. 4. Verify that the secret message is displayed. 5. Close your browser. 6. Restart the browser, open PublicPage.aspx, and click “View Secret Message.” Because the cookie is now being cached on your hard disk, you shouldn’t have to log in again in step 6. Finish up by doing the following: 1. Use Internet Explorer’s Tools/Internet Options/General/Delete Cookies command to delete all the cookies on your PC. 2. Open PublicPage.aspx and click “View Secret Message.” This time, you will have to log in because when you deleted the cookies on your PC, you deleted the authentication cookie, too. Exercise 15: Let the user decide Add a “Remember me” check box to LoginPage.aspx that lets the user decide whether to make the authentication cookie persistent (if the box is checked) or temporary (if the box isn’t checked), as shown below.
To add the check box, modify the form as follows: <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Submit" OnClick="OnSubmit"RunAt="server" /> </td> <td> <asp:CheckBox Text="Remember me" ID="RememberMe" RunAt="server" /> </td> </tr> </table> </form>
And, so that the check box will be honored, change the second parameter passed to RedirectFromLoginPage to RememberMe.Checked: FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked); Checked is a CheckBox property that indicates whether the box is checked (true) or unchecked (false). Exercise 16: Test Test the changes you made in Exercise 15 by verifying that: 1. If the “Remember me” button isn’t checked and you restart your browser, you have to log in again to view ProtectedPage.aspx. 2. If the “Remember me” button is checked and you restart your browser, you don’t have to log in again to view ProtectedPage.aspx. Exercise 17: Personalize the secret message Modify ProtectedPage.aspx so that it prefaces the secret message with the user’s login name. Here’s the modified file, with changes highlighted in bold: <%@ Page Language="C#" %> <html> <body> <h1>Protected Page</h1> <hr><br> <% Response.Write (Context.User.Identity.Name + ": "); %> Be careful investing your money in dot-coms. </body> </html> Exercise 18: Change the cookie’s expiration date Modify OnSubmit so that if “Remember me” is checked, the authentication cookie that’s issued has a lifetime of 7 days instead of 50 years. The key is to replace the call to RedirectFromLoginPage with the following statements: HttpCookie cookie = FormsAuthentication.GetAuthCookie (UserName.Text, RememberMe.Checked); cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); Response.Cookies.Add (cookie); Response.Redirect (FormsAuthentication.GetRedirectUrl (UserName.Text, RememberMe.Checked)); The first statement creates an authentication cookie; the second sets the cookie’s expiration date to one week from the current date; the third adds the cookie to the Response object’s Cookies collection, ensuring that the authentication cookie will be returned in the response; and the fourth and final statement redirects to the page that the user requested before the login form popped up.

More Related Content

Tutorial asp.net

  • 1. Tutorial: ASP.Net for Master of Computer Application Students Prepared by Vivek Kumar Singh Exercise 1: Create PublicPage.aspx Use Notepad or the text editor of your choice to create a text file named PublicPage.aspx in your PC’s Inetpubwwwroot directory. Then add the following text to create a simple Web form: <html> <body> <h1>Public Page</h1> <hr> <form runat="server"> <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" /> </form> </body> </html> <script language="C#" runat="server"> void OnViewSecret (Object sender, EventArgs e) { Response.Redirect ("Secret/ProtectedPage.aspx"); } </script> Exercise 2: Create ProtectedPage.aspx Create a new directory named Secret in Inetpubwwwroot. In it, create a text file named ProtectedPage.aspx and enter the following code: <html> <body> <h1>Protected Page</h1> <hr> <br> Be careful investing your money in dot-coms. </body> </html> Exercise 3: Test Test what you’ve done so far by opening PublicPage.aspx in your browser and clicking the “View Secret Message” button. In response, ProtectedPage.aspx should be loaded and should display a secret message for you. Exercise 4: Create Web.config Create a text file named Web.config in Inetpubwwwroot and enter the following statements: <configuration> <system.web> <authentication mode="Forms">
  • 2. <forms loginUrl="LoginPage.aspx"> <credentials passwordFormat="Clear"> <user name="Jeff" password="hawkeye" /> <user name="John" password="redrover" /> </credentials> </forms> </authentication> <authorization> <allow users="?" /> </authorization> </system.web> </configuration> The <authentication> section of this configuration file enables forms authentication, designates LoginPage.aspx as the page that users must go through to get to protected resources, and defines two sets of login credentials. The <authorization> section grants anonymous users access to all parts of this site that don’t specify otherwise. Exercise 5: Create LoginPage.aspx Create a text file named LoginPage.aspx in Inetpubwwwroot and enter the following statements: <html> <body> <h1>Please Log In</h1> <hr> <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Submit" OnClick="OnSubmit" RunAt="server" /> </td> <td> </td> </tr> </table> </form> <hr> <h3><asp:Label ID="Output" RunAt="server" /></h3> </body> </html> <script language="C#" runat="server"> void OnSubmit (Object sender, EventArgs e)
  • 3. { if (FormsAuthentication.Authenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; } </script> This page displays a simple login form that accepts a user name and password. Clicking the Submit button activates OnSubmit, which uses the Authenticate method of the FormsAuthentication class (a member of the .NET Framework Class Library’s System.Web.Security namespace) to authenticate the supplied user name and password against the credentials defined in the <credentials> section of Web.config. If the login is approved, FormsAuthentication.RedirectFromLoginPage is called to send the user to the page protected by the login page. Exercise 6: Test Verify that the application still works as it did before by opening PublicPage.aspx again and clicking the “View Secret Message” button. Because you’ve yet to restrict access to ProtectedPage.aspx, the secret message should appear in the browser window. Exercise 7: Create another Web.config file Create another text file named Web.config, this time in the Secret directory (Inetpubwwwrootsecret). Add the following statements to deny anonymous users access to files in this directory: <configuration> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </configuration> Exercise 8: Test Repeat the test you performed in Exercise 6 and verify that clicking the “View Secret Message” button causes your login page to appear (see below). Type “Jeff” into the User Name box and “imbatman” into the Password box. Then click Submit. Does the secret message appear? Why or why not? Finish up by entering the user name “Jeff” and the password “hawkeye.” Do you see ProtectedPage.aspx this time?
  • 4. Exercise 9: Modify the top-level Web.config file Close Internet Explorer and reopen it (important!). Then delete the <credentials> section from the top-level Web.config file—the one in Inetpubwwwroot. Test the application again by clicking the “View Secret Message” button. Can you get past the login page? Exercise 10: Create an authentication database While it’s perfectly possible to secure ASP.NET applications using credentials stored in Web.config, doing so isn’t very realistic unless you plan to authorize access to only a small number of users. In the real world, it makes sense to store authentication data in a database, and to write the login page so that it authenticates against the database rather than against Web.config. To that end, open a command prompt window, go to the folder where Weblogin.sql is stored, and type osql –U sa –P –i weblogin.sql This command executes the script found in Weblogin.sql, which creates a new SQL Server database named WebLogin. Inside the database is a table named Credentials that contains the following records: UserName Password Jeff hawkeye John redrover
  • 5. Before proceeding, use the SQL Server Query Analyzer (or the tool of your choice) to verify that the database was properly created and initialized. Note: Weblogin.sql assumes that SQL Server is installed on drive C: on your PC. If you installed SQL Server on a different drive, open Weblogin.sql and edit the statement FILENAME = 'C:program files...weblogin.mdf' to include the correct drive letter. Exercise 11: Add a CustomAuthenticate method and modify OnSubmit Add the following statements to the top of LoginPage.aspx: <%@ Import NameSpace="System.Data" %> <%@ Import NameSpace="System.Data.SqlClient" %> Then add the following method to the <script> block: bool CustomAuthenticate (string username, string password) { SqlDataAdapter adapter = new SqlDataAdapter ("select password from credentials " + "where username = '" + username + "'", "server=localhost;uid=sa;pwd=;database=weblogin"); DataSet ds = new DataSet (); adapter.Fill (ds); DataTable table = ds.Tables[0]; foreach (DataRow row in table.Rows) { string pw = row[0].ToString ().TrimEnd (new char[] { ' ' }); if (String.Compare (password, pw, false) == 0) return true; } return false; } Finally, modify the OnSubmit method so that it calls CustomAuthenticate instead of FormsAuthentication.Authenticate: void OnSubmit (Object sender, EventArgs e) { if (CustomAuthenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; } CustomAuthenticate uses ADO.NET to perform a database query and validate the user name and password provided to it. Exercise 12: Test Restart your browser again. Then test the application again by clicking the “View Secret
  • 6. Message” button and entering one of the sets of credentials included in the WebLogin database. Verify that you can once more get to ProtectedPage.aspx. Exercise 13: Try This Go back to PublicPage.aspx in your browser and click “View Secret Message” again. Verify that you go straight to ProtectedPage.aspx without having to enter a user name and password again. Now close your browser and restart it. Open PublicPage.aspx and click the “View Secret Message” button. Because the authentication cookie issued to you when you logged in was a temporary one, you’ll have to log in again to get to the protected page. Exercise 14: Make the authentication cookie persistent When you pass FormsAuthentication.RedirectFromLoginPage a second parameter that equals false, like this: FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); RedirectFromLoginPage issues a temporary cookie, or session cookie, that expires when the browser is closed. If you pass true instead, RedirectFromLoginPage issues a persistent cookie that’s good for 50 years. Demonstrate by doing the following: 1. Change RedirectFromLoginPage’s second parameter to true. 2. Restart your browser and open PublicPage.aspx. 3. Click the “View Secret Message” button and log in. 4. Verify that the secret message is displayed. 5. Close your browser. 6. Restart the browser, open PublicPage.aspx, and click “View Secret Message.” Because the cookie is now being cached on your hard disk, you shouldn’t have to log in again in step 6. Finish up by doing the following: 1. Use Internet Explorer’s Tools/Internet Options/General/Delete Cookies command to delete all the cookies on your PC. 2. Open PublicPage.aspx and click “View Secret Message.” This time, you will have to log in because when you deleted the cookies on your PC, you deleted the authentication cookie, too. Exercise 15: Let the user decide Add a “Remember me” check box to LoginPage.aspx that lets the user decide whether to make the authentication cookie persistent (if the box is checked) or temporary (if the box isn’t checked), as shown below.
  • 7. To add the check box, modify the form as follows: <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Submit" OnClick="OnSubmit"RunAt="server" /> </td> <td> <asp:CheckBox Text="Remember me" ID="RememberMe" RunAt="server" /> </td> </tr> </table> </form>
  • 8. And, so that the check box will be honored, change the second parameter passed to RedirectFromLoginPage to RememberMe.Checked: FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked); Checked is a CheckBox property that indicates whether the box is checked (true) or unchecked (false). Exercise 16: Test Test the changes you made in Exercise 15 by verifying that: 1. If the “Remember me” button isn’t checked and you restart your browser, you have to log in again to view ProtectedPage.aspx. 2. If the “Remember me” button is checked and you restart your browser, you don’t have to log in again to view ProtectedPage.aspx. Exercise 17: Personalize the secret message Modify ProtectedPage.aspx so that it prefaces the secret message with the user’s login name. Here’s the modified file, with changes highlighted in bold: <%@ Page Language="C#" %> <html> <body> <h1>Protected Page</h1> <hr><br> <% Response.Write (Context.User.Identity.Name + ": "); %> Be careful investing your money in dot-coms. </body> </html> Exercise 18: Change the cookie’s expiration date Modify OnSubmit so that if “Remember me” is checked, the authentication cookie that’s issued has a lifetime of 7 days instead of 50 years. The key is to replace the call to RedirectFromLoginPage with the following statements: HttpCookie cookie = FormsAuthentication.GetAuthCookie (UserName.Text, RememberMe.Checked); cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); Response.Cookies.Add (cookie); Response.Redirect (FormsAuthentication.GetRedirectUrl (UserName.Text, RememberMe.Checked)); The first statement creates an authentication cookie; the second sets the cookie’s expiration date to one week from the current date; the third adds the cookie to the Response object’s Cookies collection, ensuring that the authentication cookie will be returned in the response; and the fourth and final statement redirects to the page that the user requested before the login form popped up.