In your `App_Code` folder, create a new class that inherits `MembershipProvider`. You'll need to import `System.Configuration.Provider`, `System.Security.Cryptography`, `System.Web.Configuration` and `System.Net.Mail`.
If you try and compile this new class, you'll see that you need to override lots of methods. For most, you can just add the method definition and throw a new `NotImplementedException`. In `ValidateUser`, add the code you need to validate a username and password combination; this will probably involve you fetching a row from a users table, with username, hashedpassword and salt columns. It's up to you how/where you get this data from. (Remember to parameterise any d/b query, to stop people entering a username of `';drop table users;--'` :-)
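The class described above, written out as an added example (this is not code from the answer or from any project; it is mine). It assumes the `users` table and the `username`/`hashedpassword`/`salt` columns the answer mentions, that the hash was stored as base64-encoded PBKDF2 (`Rfc2898DeriveBytes`, 10000 iterations) over the password and salt, and that the class is named `MyProvider` to line up with the `web.config` later in the answer. The query is parameterised, the hash comparison does not short-circuit on the first differing byte, and an unknown username still pays for one key derivation so that response time does not reveal whether the account exists.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical provider; table/column names follow the answer, the KDF
// parameters and base64 storage of hash and salt are assumptions.
public class MyProvider : MembershipProvider
{
    private const int Pbkdf2Iterations = 10000; // must match what was used when the row was written
    private const int HashBytes = 32;
    private string _connectionString;
    private string _applicationName;

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        base.Initialize(string.IsNullOrEmpty(name) ? "MyProvider" : name, config);
        _applicationName = config["applicationName"] ?? "MyApplication";
        // connectionStringName in <add .../> must name an entry under <connectionStrings>
        string csName = config["connectionStringName"] ?? string.Empty;
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
        if (cs == null || string.IsNullOrEmpty(cs.ConnectionString))
            throw new ProviderException("connectionStringName '" + csName + "' is not a usable connection string.");
        _connectionString = cs.ConnectionString;
    }

    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        string storedHash = null, storedSalt = null;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT hashedpassword, salt FROM users WHERE username = @username", conn))
        {
            // Parameterised: ';drop table users;-- is just a username that does not exist
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (rdr.Read()) { storedHash = rdr.GetString(0); storedSalt = rdr.GetString(1); }
            }
        }
        // Unknown user: still run the KDF (against a dummy salt) so timing does not reveal account existence
        byte[] salt = storedSalt != null ? Convert.FromBase64String(storedSalt) : new byte[16];
        byte[] actual = DeriveHash(password, salt);
        if (storedHash == null) return false;
        return FixedTimeEquals(Convert.FromBase64String(storedHash), actual);
    }

    // The same derivation has to be used wherever the row is first written (e.g. CreateUser).
    public static byte[] DeriveHash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // OR of all byte differences; no early exit on the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Properties the controls and the framework read; values mirror the <add .../> attributes.
    public override string ApplicationName { get { return _applicationName; } set { _applicationName = value; } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 8; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }

    // Remaining abstract members, left exactly as the answer suggests until they are needed.
    public override bool ChangePassword(string username, string oldPassword, string newPassword) { throw new NotImplementedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer) { throw new NotImplementedException(); }
    public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status) { throw new NotImplementedException(); }
    public override bool DeleteUser(string username, bool deleteAllRelatedData) { throw new NotImplementedException(); }
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override int GetNumberOfUsersOnline() { throw new NotImplementedException(); }
    public override string GetPassword(string username, string answer) { throw new NotImplementedException(); }
    public override MembershipUser GetUser(string username, bool userIsOnline) { throw new NotImplementedException(); }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { throw new NotImplementedException(); }
    public override string GetUserNameByEmail(string email) { throw new NotImplementedException(); }
    public override string ResetPassword(string username, string answer) { throw new NotImplementedException(); }
    public override bool UnlockUser(string userName) { throw new NotImplementedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotImplementedException(); }
}
```

Note that the `PasswordRecovery` control calls `ResetPassword`, so once you wire that control up you will need to implement it (and return `true` from `EnablePasswordReset`) rather than leaving the stub; until then the control will fail with the `NotImplementedException`.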
Next, in your login page, add a control of type `<asp:Login>` and one of type `<asp:PasswordRecovery>`. Set properties as you wish, probably something like

```aspx
<asp:Login runat="server" ID="login1" DestinationPageUrl="~/index"
    FailureText="Username or Password not recognised"
    BorderPadding="10"
    InstructionText="If you are not an authorised user of the system, please do not attempt to log in"
    DisplayRememberMe="true"
    RememberMeSet="true"
    RememberMeText="Stay logged in on this computer" />
<asp:PasswordRecovery runat="server" ID="passwordRecovery" ClientIDMode="AutoID"
    BorderPadding="10"
    SubmitButtonText="Reset P/W"
    SuccessText="A new password has been emailed to you"
    UserNameTitleText="Request password reset"
    UserNameLabelText="User name:" />
```
Next, you need to tell ASP.Net to use your new code. In `Web.Config`, in the `<system.web>` section, add the following:

```xml
<membership defaultProvider="MyProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add name="MyProvider" description="My Membership provider" type="MyType" connectionStringName="MyConnection" applicationName="MyApplication" enablePasswordRetrieval="false" enablePasswordReset="false" requiresUniqueEmail="false" requiresQuestionAndAnswer="false" writeExceptionsToEventLog="false" passwordFormat="Hashed"/>
  </providers>
</membership>
<authentication mode="Forms">
  <forms loginUrl="login.aspx" protection="All" timeout="10080" defaultUrl="index.aspx" slidingExpiration="true" cookieless="UseCookies" requireSSL="false" name="MyAuth"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
```
Replace all attribute values that start "My" with whatever you want / have named your class. (In fact the only ones that need to match up to anything else are `MyConnection`, which should be a reference to one of your connectionString names, and `MyType`, which needs to be the name of the new membership class you created earlier.) Any request to your site will now auto-redirect to the login page (`login.aspx`), which will ask the user for username + password. Once validated (by your class) the user will be redirected to `index.aspx` and subsequent requests will be authenticated.
You'll need to define SMTP connection details in web.config too, for the password reset email.
This is just a quick overview, but points you in the right direction. Google "ASP.Net Membership provider" and check documentation for the login control. Once you've done this stuff once you'll find it straightforward to do again. You can add `location` entries to your web config if there are pages that need to be accessed without login (such as a "goodbye" screen after logout!)
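The two `web.config` pieces the last paragraphs mention, as an added example (not from the answer): the SMTP settings the `PasswordRecovery` control reads, and a `<location>` entry that lets one page through the site-wide `<deny users="?"/>`. Host names, the sender address and the credentials are placeholders; `goodbye.aspx` is an assumed page name.

```xml
<configuration>
  <!-- SMTP details used when the PasswordRecovery control sends the reset email.
       Host, sender and credentials are placeholders. -->
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.com">
        <network host="smtp.example.com" port="587" enableSsl="true"
                 userName="SMTP_USER_PLACEHOLDER" password="SMTP_PASSWORD_PLACEHOLDER" />
      </smtp>
    </mailSettings>
  </system.net>

  <!-- <location> sits directly under <configuration>; it overrides the
       <authorization> block in <system.web> for the named path only. -->
  <location path="goodbye.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep the `<location>` list short and explicit (one path per entry), since every page listed there is reachable without a login cookie; and avoid leaving real SMTP credentials in a file that is checked into source control (`aspnet_regiis -pef` can encrypt the `system.net/mailSettings/smtp` section in place).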