Monday, July 10, 2006

Membership Provider Control in ASP.Net


Hi Friends,

Here I am demonstrating how to use the membership provider control for login purposes. Microsoft provides the login control, which enables the developer to quickly create the functionality of authorizing users. When I was developing this for a site I encountered some problems, which I am also going to discuss here.

When you start to implement the membership provider control in your site, you first need to decide which pages or folders you want to restrict to authorized users. After deciding this, create your pages, or the pages in the folder.
Here I have created a page PriceListing.aspx, and I want to prevent anonymous users from accessing it. The user has to either sign in or sign up to view the page. I have also created the pages default.aspx, MemberLogin.aspx and CreateUser.aspx.

Default.aspx is the default page for the site. If the user is already logged in, the user status will show logout; otherwise it will show login. That covers the UI. Now we come to configuring the membership provider control to use the login facility provided by Microsoft in VS.NET 2005.

In web.config one has to make the following changes.

1. Create the connection string which will point to the database.
<connectionStrings>
<add name="MPConnectionString" connectionString="Data Source=.\SQLEXPRESS; AttachDbFilename=|DataDirectory|\ASPNETDB.MDF; Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient" />

<!--<add name="MPConnectionString" connectionString="Data Source=.\SQLExpress;Persist Security Info=True;Integrated Security=SSPI;Initial Catalog=TestDatabase"/>
-->
</connectionStrings>

Here you can see two types of connection string:

         1. In the first connection string,
AttachDbFilename=|DataDirectory|\ASPNETDB.MDF
This setting automatically creates a database named ASPNetDB.mdf in your site's App_Data folder. It also automatically creates in it the tables that are required for the membership controls.
         2. In the second connection string you are specifying your own database for the provider, so it does not have the membership provider tables in it. You can create them using the aspnet_regsql.exe utility. (Please do not forget to give rights for the membership provider to the public role.)


2. Write the following statements in <system.web>.

<identity impersonate="true"/>
<membership defaultProvider="MemberShipSandeepTest">
<providers>
<add connectionStringName="MPConnectionString" name="MemberShipSandeepTest" type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>

Here we have created the membership provider named MemberShipSandeepTest, specified its connection string as MPConnectionString, and specified its type as System.Web.Security.SqlMembershipProvider.

Microsoft automatically provides a default provider, so we have to change the default provider to our newly created one. This is done very easily by setting the defaultProvider attribute of the membership element to our provider name: defaultProvider="MemberShipSandeepTest".

3. The next step is to define the authentication and authorization settings.

<authentication mode="Forms">
<forms cookieless="UseCookies" name="AuthCookie" defaultUrl="Default.aspx" loginUrl="MemberLogin.aspx" protection="All" timeout="10">
</forms>
</authentication>

Set the authentication mode to Forms.
There are 4 types of authentication in total: Windows, Forms, Passport and None. We are going to use Forms authentication.
If the authentication mode is Forms, we mainly have to specify 2 things:

· cookieless = specify “UseCookies”, since we require cookies for the authorization of users.
· defaultUrl = the user is redirected to this URL when he/she logs in directly and no return URL is present.
· loginUrl = if the user is not authenticated and not authorized to access the page visited, the system automatically redirects the user to this page.

4. The next step is to allow all users to access all the pages in the site by specifying

<authorization>
<allow users="*"/>
</authorization>

Where * denotes all users.

5. The next step is to restrict users from some pages or folders.
Restricting users from pages before they log in to the site can be done from web.config. You just have to write a few lines in web.config, as specified below.

In our example we want to prevent unauthorized users from accessing PriceListing.aspx.
Write the lines below outside <system.web>.

<location path="PriceListing.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

? denotes the anonymous user.
In path you can also specify a folder path. Specifying a folder path lets you impose the authorization on all pages inside the folder.
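
How the rules from steps 4 and 5 combine can be checked before deployment. The following Python sketch is an added example, not part of the original post or its download: it evaluates the authorization rules the way URL authorization does (rules from a matching location element are checked before the site-wide rules, and the first matching rule wins) and reports which pages an anonymous visitor can open. The WEB_CONFIG sample is constructed from the fragments above, the function names are hypothetical, and only the users attribute is modelled (roles and verbs are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragments from steps 3-5 assembled into one web.config.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" name="AuthCookie" defaultUrl="Default.aspx"
             loginUrl="MemberLogin.aspx" protection="All" timeout="10" />
    </authentication>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="PriceListing.aspx">
    <system.web>
      <authorization><deny users="?"/></authorization>
    </system.web>
  </location>
</configuration>"""

def _norm(path):
    """Normalise a path for case-insensitive comparison."""
    return path.replace("\\", "/").strip("/").lower()

def _rules(system_web):
    """Return [(action, [users])] in document order for one <system.web>."""
    authz = system_web.find("authorization") if system_web is not None else None
    if authz is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")]) for r in authz]

def anonymous_allowed(config_xml, page):
    """True if an anonymous request for `page` passes URL authorization."""
    root = ET.fromstring(config_xml)
    page, rules = _norm(page), []
    # Rules from the most specific matching <location> come first, site-wide rules last.
    for loc in sorted(root.findall("location"), key=lambda l: -len(l.get("path", ""))):
        path = _norm(loc.get("path", ""))
        if page == path or page.startswith(path + "/"):
            rules += _rules(loc.find("system.web"))
    rules += _rules(root.find("system.web"))
    for action, users in rules:            # first matching rule wins
        if "?" in users or "*" in users:   # both tokens match an anonymous user
            return action == "allow"
    return True  # assumption: inherited machine-level default is <allow users="*"/>

def unprotected(config_xml, pages):
    """Pages from `pages` that an anonymous visitor can open."""
    return [p for p in pages if anonymous_allowed(config_xml, p)]
```

Running unprotected() over the full list of pages in a site shows at a glance any page that was meant to be restricted but is still open to anonymous users.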



You can download the example for the above discussion:
http://aspspider.net/sandeeppawar/ArticlesItems/AD_11_LoginControl.zip
(You can customize the directions, such as for the continue button when the user signs up, or for the log out click.)
