Step 1. Create a Web Application with a Logon Page
This procedure creates a simple C# Web application that contains a logon page that
allows a user to enter a username and password.
To create a Web application with a logon page
1. Start Visual Studio .NET and create a new C# ASP.NET Web application called FormsAuthSQL.
2. Use Solution Explorer to rename WebForm1.aspx to Logon.aspx.
3. Add the controls listed in Table 1 to Logon.aspx to create a simple logon form.

   Table 1: Logon.aspx controls

   Control Type | Text       | ID
   Label        | User Name: | -
   Label        | Password   | -
   Text Box     | -          | txtUserName
   Text Box     | -          | txtPassword
   Button       | Register   | btnRegister
   Button       | Logon      | btnLogon
   Label        | -          | lblMessage

   Your Web page should resemble the one illustrated in Figure 1.
   Figure 1. Logon page Web form
4. Set the TextMode property of txtPassword to Password.
Step 2. Configure the Web Application for Forms Authentication
This procedure edits the application's Web.config file to configure the application
for Forms authentication.
To configure the Web application for Forms authentication
1. Use Solution Explorer to open Web.config.
2. Locate the <authentication> element and change the mode attribute to Forms.
3. Add the following <forms> element as a child of the <authentication> element and set the loginUrl, name, timeout, and path attributes as follows.

    <authentication mode="Forms">
      <forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="60" path="/">
      </forms>
    </authentication>

4. Add the following <authorization> element beneath the <authentication> element. This allows only authenticated users to access the application; the loginUrl attribute set on the <forms> element in the previous step redirects unauthenticated requests to the logon.aspx page.

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
Step 3. Develop Functions to Generate a Hash and Salt value
This procedure adds two utility methods to your Web application; one to generate
a random salt value, and one to create a hash based on a supplied password and salt
value.
To develop functions to generate a hash and salt value
1. Open Logon.aspx.cs and add the following using statements to the top of the file beneath the existing using statements.

    using System.Security.Cryptography;
    using System.Web.Security;

2. Add the following static method to the WebForm1 class to generate a random salt value and return it as a Base64 encoded string.

    private static string CreateSalt(int size)
    {
        // Generate a cryptographic random number using the cryptographic
        // service provider
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        // Return a Base64 string representation of the random number
        return Convert.ToBase64String(buff);
    }

3. Add the following static method to generate a hash value based on a supplied password and salt value.

    private static string CreatePasswordHash(string pwd, string salt)
    {
        // Hash the password together with the salt, then append the salt
        // so it can be recovered from the stored value at logon time
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
        hashedPwd = String.Concat(hashedPwd, salt);
        return hashedPwd;
    }
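The salt-and-hash scheme above, reproduced in Python as an added example (not code from the original article) so the stored value can be checked outside ASP.NET; it goes beyond the page by adding the logon-side verification and a check of the stored length against the PasswordHash column declared in Step 4. The 5-byte salt size is an assumption, as is the sample password.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 5      # assumed salt size; the page's CreateSalt takes it as a parameter
HASH_HEX_LEN = 40   # a SHA-1 digest written as hex is always 40 characters


def create_salt(size=SALT_BYTES):
    """Mirror of CreateSalt: random bytes from the OS CSPRNG, Base64 encoded."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def create_password_hash(pwd, salt):
    """Mirror of CreatePasswordHash: SHA1(pwd + salt) as upper-case hex, salt appended.

    HashPasswordForStoringInConfigFile(value, "SHA1") UTF-8 encodes the string and
    returns the digest as upper-case hex, so the same bytes are produced here.
    """
    digest = hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper()
    return digest + salt


def split_stored_value(stored):
    """Recover (hash_hex, salt) from the value RegisterUser stores in Users.PasswordHash."""
    return stored[:HASH_HEX_LEN], stored[HASH_HEX_LEN:]


def verify_password(pwd, stored):
    """Logon-side check: re-hash with the stored salt and compare in constant time."""
    _, salt = split_stored_value(stored)
    return hmac.compare_digest(create_password_hash(pwd, salt), stored)


def fits_column(stored, column_width=40):
    """The Users table declares PasswordHash varchar(40); the hex digest alone fills it,
    so any appended salt makes the INSERT in RegisterUser fail unless the column is widened."""
    return len(stored) <= column_width


if __name__ == "__main__":
    salt = create_salt()
    stored = create_password_hash("s3cret!", salt)   # constructed sample password
    print(stored, verify_password("s3cret!", stored), fits_column(stored))
```

Because the hex digest is already 40 characters, hash plus salt is longer than the varchar(40) PasswordHash column from Step 4, so widen that column and the @passwordHash parameter before relying on RegisterUser.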
Step 4. Create a User Account Database
This procedure creates a new user account database in SQL Server that contains a
single users table and a stored procedure used to query the user database.
To create a user account database
1. On the Microsoft SQL Server programs menu, click Query Analyzer, and then connect to your local SQL Server.
2. Enter the following SQL script. Note that you must replace "LocalMachine" with your own computer name towards the end of the script.

    USE master
    GO
    -- create a database for the security information
    IF EXISTS (SELECT * FROM master..sysdatabases WHERE name = 'UserAccounts')
      DROP DATABASE UserAccounts
    GO
    CREATE DATABASE UserAccounts
    GO
    USE UserAccounts
    GO
    CREATE TABLE [Users] (
      [UserName] [varchar] (20) NOT NULL ,
      [PasswordHash] [varchar] (40) NOT NULL ,
      CONSTRAINT [PK_Users] PRIMARY KEY CLUSTERED
      (
        [UserName]
      ) ON [PRIMARY]
    ) ON [PRIMARY]
    GO
    -- create stored procedure to register user details
    CREATE PROCEDURE RegisterUser
    @userName varchar(20),
    @passwordHash varchar(40)
    AS
    INSERT INTO Users VALUES(@userName, @passwordHash)
    GO
    -- create stored procedure to retrieve user details
    CREATE PROCEDURE LookupUser
    @userName varchar(20)
    AS
    SELECT PasswordHash
    FROM Users
    WHERE UserName = @userName
    GO
    -- Add a login for the local ASPNET account
    -- In the following statements, replace LocalMachine with your
    -- local machine name
    exec sp_grantlogin [LocalMachine\ASPNET]
    -- Add a database login for the UserAccounts database for the ASPNET account
    exec sp_grantdbaccess [LocalMachine\ASPNET]
    -- Grant execute permissions to the LookupUser and RegisterUser
    -- stored procs
    grant execute on LookupUser to [LocalMachine\ASPNET]
    grant execute on RegisterUser to [LocalMachine\ASPNET]

3. Run the query to create the UserAccounts database.
4. Exit Query Analyzer.