Simplest code to include an authentication and authorization in asp.net website

  • Question

  • User181052745 posted

    I am creating a database-driven website where I need to have at least two administrators and many other members/users. I need the website to be secure and authentication and authorization is to be done. What all steps should be followed for creating the same?

    I have read so many articles and it creates a confusion. What exact steps should be followed for the same?

    Thanks

    Saturday, October 18, 2014 7:22 AM

Answers

  • User281315223 posted

    What kind of web application are you building? Are you using ASP.NET MVC or Web Forms?

    Each of the technologies mentioned above has a few different ways to handle authentication and authorization a bit more easily than others. The easiest approach would be to use Forms Authentication as it is built in to most ASP.NET application templates that are created within Visual Studio. Forms Authentication typically uses cookies to authenticate users into the application (which are stored in the browser) and can persist for a given amount of time or until the user logs out.

    The actual code to create these cookies is fairly simple and usually just requires a single method call like the following:

    // This will generate a cookie for your specific user (username) and use a boolean to determine if it is persistent or not
    FormsAuthentication.SetAuthCookie(username, false);

    Likewise, when the user needs to log off, they can use the FormsAuthentication.SignOut() method to dispose of the cookie:

    // This will remove the authentication token (cookie) for your current user
    FormsAuthentication.SignOut();

    With regards to authorization, you can define settings within your web.config file that will restrict certain areas of your application to users based on their roles, their specific usernames or if they are even authenticated at all. This blog post does a fairly decent job at explaining how to implement various levels of authorization within your web.config and it might be worth looking through.

    Additionally, if you are using ASP.NET MVC you might consider exploring the [Authorize] attribute, which can easily be used to restrict access to certain areas of your application at either the Controller or Action level. It's extremely easy to use and I would recommend it if you are dealing with MVC.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, October 18, 2014 7:38 AM
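
The login, log-off and role restriction described in the answer above, put together as an added example (not code from the original post). It assumes ASP.NET MVC 5 with Forms authentication plus membership and role providers configured in web.config; the controller names and the "Admin" role name are assumptions.

```csharp
// Added example. Assumes <authentication mode="Forms"> and configured
// membership/role providers; controller and role names are illustrative.
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Check the credentials against the configured membership provider.
        if (!Membership.ValidateUser(username, password))
        {
            // Same message for an unknown user and a wrong password, so the
            // form does not reveal which usernames exist.
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }

        // false = non-persistent cookie, discarded when the browser closes.
        FormsAuthentication.SetAuthCookie(username, false);

        // Follow returnUrl only when it points back into this site,
        // which prevents open redirects after login.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Removes the forms-authentication cookie for the current user.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

// Every action in this controller requires an authenticated user in the
// "Admin" role; anyone else is sent to the login page.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```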

All replies

  • User1779161005 posted

    While Forms authentication is still supported and as Rion shows is fairly easy to use, it's technically deprecated. Its successor is the Katana cookie authentication middleware:

    http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

    Saturday, October 18, 2014 10:07 AM