If you search for something like "authentication, authorization, member, role, user with ASP.NET," the first thing that is likely to come up is the famous ASP.NET 2.0 Provider Model.
A provider is a software module that provides a uniform interface between a service and a data source. Providers abstract physical storage media, in much the same way that device drivers abstract physical hardware devices.
To make things simple, providers are interfaces those represent ASP.NET 2.0 services: Membership, Profile, Role, Sitemap, Session State etc. The implementing classes of these providers are responsible for storing state data in storage media that maybe a SQL Server database, MySQL database, XML file or even a plain text file. We can say that the Provider Model is somekind of Strategy Pattern.
One of the providers is Membership Provider which standardized the way ASP.NET developers implement a member system in ASP.NET 2.0. By using Membership Provider, many benefits are gained. For example,
- Every ASP.NET programmers implement the member system the same way. So it is easy to understand/work across different projects.
- Easy to migrate to other database. Just change/reimplement the provider!
- Can take advantage of ASP.NET's ready-out-of-the-box Login controls: Login, PasswordRecovery, CreateUserWizard, ChangePassword etc.
While there are so many benefits, ordinary developers suffered from Provider Model from many reasons.
- It takes too much effort to implement a provider. Take a look at Implementing a Membership Provider. I just don't want to waste time reading this document just to build a member system on my small website.
- The Login Controls looks inflexible to many developers. It gives the impression that they will not allow the developers to do things the way they want. Despite the fact that these controls are highly customizable ... with some efforts.
- It has too steep learning curve. In a time-crisis situation, developers may consider implementing member system the manual way.
The member system we are going to implement is simple, utilizing only the FormsAuthentication in ASP.NET 1.x style.
- Create new user
- Login and Logout
- Restrict access to pages in directory according to user's roles
Create new user
This is straight-forward. Just layout some fields and add some validators. The initial user data is then inserted into the database.
Login and Logout
We must first have the logic for authentication. For example, the person with username and password pair are queried from database.
We then need to modify the web.config file to indicate the authentication method and the location of login page. Add these lines under <system.web>
Next, for the login logic, here is my sample code.
In this case, every succeeded authentication will give the current user the role of "Customer."
Finally, add the Global.asax file to your project if none exists. You can add the Global.asax file from Add New Item Dialog. Overrides the Application_AuthenticateRequest method like this:
Restrict access to pages in directory according to user's roles
To protect a directory, add a separate web.config files containing these lines to each directory.
The allow tag specifies roles those can access the directory.
You can now also use ASP.NET's Login Controls
- LoginView Control: To display different message to users those have been logged in and those not.
- LoginStatus Control: To display Login/Logout link.
- LoginName: To display username of current user. Same as using HttpContext.Current.User.Identity