membership by sandyk2012


Membership

You use the SqlMembershipProvider with forms authentication if your user information is stored in
SQL Server. In most cases, this occurs when you have an intranet and user information is application-
specific or when the application is Internet facing and the users do not have Active Directory
accounts.

When you install ASP.NET, the Machine.config file for your server includes configuration elements
that specify SQL Server membership providers. By default, the SQL provider is configured to connect
to the local instance of SQL Server.

Summary of Steps

Complete the following steps to configure and use the SqlMembershipProvider with an ASP.NET
application that uses forms authentication.

       Step 1. Configure forms authentication.
       Step 2. Install the membership database.
       Step 3. Configure the SqlMembershipProvider.
       Step 4. Create users.
       Step 5. Authenticate users.

Step 1. Configure Forms Authentication

Set the <authentication> element's mode attribute to "Forms" and then configure it in your
application's Web.config file, as shown in the following example:

<authentication mode="Forms">
 <forms loginUrl="Login.aspx"
     protection="All"
     timeout="30"
     name="AppNameCookie"
     path="/FormsAuth"
     requireSSL="false"
     slidingExpiration="true"
     defaultUrl="default.aspx"
     cookieless="UseCookies"
     enableCrossAppRedirects="false" />
</authentication>


Where:

       loginUrl points to the login page. You should place this in a folder that requires Secure
        Sockets Layer (SSL) for access.
       protection is set to "All" to specify privacy and integrity for the forms authentication ticket.
       timeout is used to specify a limited session lifetime.
       name and path are set to unique values for the current application.
       requireSSL is set to "false". This configuration means that the authentication cookie can be
        transmitted over channels that are not SSL-protected. If you are concerned with session
        hijacking, you should consider setting this to "true". For more information, see Additional
        Considerations in this document.
       slidingExpiration is set to "true" to enforce a sliding session lifetime. This means that the
        timeout is reset after each request to your application.
       defaultUrl is set to the Default.aspx page for the application.
       cookieless is set to "UseCookies" to specify that the application uses cookies to send the
        authentication ticket to the client.
       enableCrossAppRedirects is set to "false" to indicate that the application cannot redirect
        the request outside the application scope.

Add the following <authorization> element after the <authentication> element. This permits only
authenticated users to access the application. The previously established loginUrl attribute of the
<authentication> element redirects unauthenticated requests to the Login.aspx page.

<authorization>
 <deny users="?" />
 <allow users="*" />
</authorization>


Step 2. Install the Membership Database

Before you can use the SqlMembershipProvider, you must install the SQL Server membership
database.

To install the membership database, log on to your server with an account that has authority to
administrate SQL Server (such as the Administrator account). Open the Visual Studio 2005 command
prompt, and run the following command:

aspnet_regsql.exe -E -S localhost -A m

Where:

        -E indicates authentication using the Windows credentials of the currently logged-on user.
        -S (server) indicates the name of the server where the database will be installed or is already
         installed.
        -A m indicates add membership support. This creates the tables and stored procedures
         required by the membership provider.

Note: The Aspnet_regsql tool is also used to install database elements for other ASP.NET 2.0
features, such as Role Management, Profile, Web Parts Personalization, and Web Events. Other
command-line arguments perform database operations for these other features. You can use
Aspnet_regsql without any command line arguments by using a wizard that allows you to specify
connection information for your SQL Server and install or remove the database elements for all of
the supported features.

Step 3. Configure the SqlMembershipProvider

The Machine.config file contains a default SqlMembershipProvider instance named
AspNetSqlMembershipProvider that connects to the SQL Server Express instance on the local
computer. You can use this instance of the provider if you are running SQL Server locally.
Alternatively, you can specify provider details in your application's Web.config file, as shown in
the following example.

<connectionStrings>
  <add name="MySqlConnection"
       connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
</connectionStrings>
<system.web>
...
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <add
        name="SqlProvider"
        type="System.Web.Security.SqlMembershipProvider"
        connectionStringName="MySqlConnection"
        applicationName="MyApplication"
        enablePasswordRetrieval="false"
        enablePasswordReset="true"
        requiresQuestionAndAnswer="true"
        requiresUniqueEmail="true"
        passwordFormat="Hashed" />
    </providers>
  </membership>
</system.web>

Important: Ensure that the ASP.NET process identity (or, if using impersonation, the impersonated
identity) has appropriate permissions on the SQL Server database.

Encrypt the connectionStrings element using Protected Configuration because this element contains
the database connection details. For more information on encrypting the configuration section, see
"How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI" at
http://msdn.microsoft.com/en-us/library/ms998280.aspx and "How To: Encrypt Configuration
Sections in ASP.NET 2.0 Using RSA" at http://msdn.microsoft.com/en-us/library/ms998283.aspx.

Make sure to set the defaultProvider attribute value to point to your provider definition. The default
value points to AspNetSqlProvider, which uses the local SqlExpress instance.

For more information, see the section, "SqlProviderMembershipProvider Configuration Attributes,"
in this document.

Step 4. Create Users

You can create new users in the following ways:

       Use the Web Site Administration Tool, which provides a wizard-like interface for creating
        new users. To start this tool, click ASP.NET Configuration on the Website menu in Visual
        Studio 2005.
       Create an ASP.NET page that contains a CreateUserWizard control. This control uses the
        configured membership provider to encapsulate the logic of creating a new user.
       Create an ASP.NET Web page that contains the TextBox controls used to collect the user
        name and password (and, optionally, the user's e-mail address), and then use the
        Membership.CreateUser API to create a new user in the membership system.

The following code shows how to call Membership.CreateUser.

Membership.CreateUser("Username", "P@ssw0rd", "userName@emailAddress");


Step 5. Authenticate Users

To authenticate users, you must provide a login form. This could be a separate page or a special area
on your application's home page.

You can create the login form in the following ways:

       Use the ASP.NET 2.0 login controls. The ASP.NET login controls encapsulate nearly all of the
        logic required to obtain credentials from users and to validate them against a user store.
        They use the configured membership provider. You do not need to write any additional
        code.

        After the user is validated, the login controls automatically save information about the user;
        for example, by using an encrypted cookie if the user's browser accepts cookies.

       Create a custom login form by using ASP.NET TextBox controls. If you create a custom login
        form with simple TextBox controls, you can prompt the user for a user name and password,
        and then call the ValidateUser method of the Membership class to perform the validation.
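
The custom pages described in Steps 4 and 5, as an added example that is not code from the original
document: a code-behind class that creates a user with Membership.CreateUser and signs a user in with
Membership.ValidateUser. The class name and the control IDs are assumptions; the provider settings
are the ones from Step 3.

```csharp
// Added example, not part of the original how-to. The class name and the
// control IDs are hypothetical and must match the IDs in the .aspx markup.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class AccountPage : Page
{
    protected TextBox UserNameBox, PasswordBox, EmailBox, QuestionBox, AnswerBox;
    protected Label MessageLabel;

    // Step 4: create a user through the configured membership provider.
    protected void CreateButton_Click(object sender, EventArgs e)
    {
        // Step 3 sets requiresQuestionAndAnswer="true", so the question and
        // answer are passed; this overload reports failure through 'status'
        // instead of throwing MembershipCreateUserException.
        MembershipCreateStatus status;
        Membership.CreateUser(UserNameBox.Text, PasswordBox.Text, EmailBox.Text,
            QuestionBox.Text, AnswerBox.Text, true, out status);

        switch (status)
        {
            case MembershipCreateStatus.Success:
                MessageLabel.Text = "Account created."; break;
            case MembershipCreateStatus.InvalidPassword:
                MessageLabel.Text = "Password does not meet the policy."; break;
            default:
                MessageLabel.Text = "The account could not be created."; break;
        }
    }

    // Step 5: validate credentials, then issue the forms authentication ticket.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // Sets the cookie configured in <forms> (non-persistent here) and
            // redirects to the ReturnUrl query value or to defaultUrl.
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
            return;
        }
        // ValidateUser also returns false for locked-out or unapproved
        // accounts; one generic message avoids revealing which case applied.
        MessageLabel.Text = "Login failed.";
    }
}
```

Because this page posts passwords, serve it from the SSL-protected folder that the loginUrl note in
Step 1 recommends.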

								