Using Forms Authentication in ASP.NET - Part 2
XXXCccddd · 2005-11-21 · via 博客园 - XXXCccddd

Introduction

The second portion of this article demonstrates how to implement your own authentication method using ASP.NET. Part 1 covered the basics of Forms Authentication and the concepts behind it (see http://www.15seconds.com/issue/020220.htm). This article assumes you have read part 1, or are familiar with the concepts of Forms Authentication.

Custom Forms Authentication Setup

Pages Used: Default.aspx, Login.aspx, Web.config, Users.xml, HashPassword.aspx

In this example of custom Forms Authentication, we will be using an XML document to store usernames and passwords.

  • Create a folder named customForms under your webroot.
  • Make this folder an application inside the Internet Services Manager. (This should be familiar territory if you have used the Global.asa in ASP.)
  • Create a subfolder named unsecure.
  • Create a document named HashPassword.aspx and move it to the unsecure directory.

Web.config Overview

The Web.config contains all the configuration settings for the Web application. I have highlighted the code that we will be examining. If any of the other code seems unfamiliar, please read part 1 of the article.

Web.config Code


<configuration>
  <system.web>
    <customErrors mode="Off"/>

    <authentication mode="Forms">
      <forms name="AuthCookie" path="/" loginUrl="login.aspx" protection="All" timeout="10">
      </forms>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>

  </system.web>

  <location path="unsecure">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>

Web.config Details

This example adds a new configuration section named location. This section lets us override settings configured in the system.web section of Web.config for a particular path. In this instance we want to allow anonymous (unauthenticated) users access to the unsecure directory. A common example would be an entire Web application that is secured except for a registration page: by allowing anonymous users access to the unsecure directory, we can place files viewable by anyone in it. You can create as many location sections as necessary.

Users.xml Overview

In this file we store all of our authentication data, namely usernames and passwords. Each password is stored as a SHA1 hash rather than in clear text, which I will explain later.

Users.xml Code


<?xml version="1.0"?>
<users>
  <jeff>A94A8FE5CCB19BA61C4C0873D391E987982FBBD3</jeff>
  <mike>A94A8FE5CCB19BA61C4C0873D391E987982FBBD3</mike>
</users>

Users.xml Details

Here we have a simple root element called users that contains one node per user. Between each node's opening and closing tags is that user's hashed password. Obviously this file could be extended to hold more values, such as first name, last name, or telephone number.

Login.aspx Overview

This page contains all the logic for authenticating a user. In this example we will authenticate to an XML file. You could easily put logic in this page for authenticating against a database as well.

Login.aspx Code


<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<%@Import Namespace="System.Xml" %>
<%@Import Namespace="System.Text.RegularExpressions" %>

<script language="VB" runat="server">
Sub ProcessLogin(objSender As Object, objArgs As EventArgs)
    'users.xml lives next to this page, so strip the script file name from the physical path
    Dim strCurrentPath As String = Request.PhysicalPath
    Dim strXMLDocPath As String = Left(strCurrentPath, InStrRev(strCurrentPath, "\")) & "users.xml"
    Dim strUser As String = txtUser.Text
    Dim strPassword As String = txtPassword.Text
    'hash the submitted password the same way the stored value was produced
    Dim strEncPassword As String = GetHashedPass(strPassword)
    Dim blnIsAuthenticated As Boolean = False

    'the username becomes an XML element name below, so accept only a simple identifier;
    'anything else cannot name a user node and is rejected before the lookup
    If Not Regex.IsMatch(strUser, "^[A-Za-z_][A-Za-z0-9_]*$") Then
        ErrorMessage.InnerHtml = "<b>Invalid username</b> please re-enter..."
        Exit Sub
    End If

    Dim objXMLDoc As New XmlDocument()

    Try
       objXMLDoc.Load(strXMLDocPath)
    Catch objError As Exception
       ErrorMessage.InnerHtml = "<b>The XML document could not be loaded.</b><br>" & _
       objError.Message & "<br />" & objError.Source
       Exit Sub
    End Try

    'each user is stored as an element named after the username
    Dim UserNodes As XmlNodeList = objXMLDoc.GetElementsByTagName(strUser)

    'GetElementsByTagName never returns Nothing; an empty list means no such user
    If UserNodes.Count = 0 OrElse UserNodes(0).FirstChild Is Nothing Then
        ErrorMessage.InnerHtml = "<b>Invalid username</b> please re-enter..."
    ElseIf strEncPassword = UserNodes(0).FirstChild.Value Then
        blnIsAuthenticated = True
    Else
        ErrorMessage.InnerHtml = "<b>Invalid password</b> please re-enter..."
    End If

    If blnIsAuthenticated Then
        'issue the forms authentication ticket and send the user back to the page they requested
        FormsAuthentication.RedirectFromLoginPage(strUser, chkPersistLogin.Checked)
    End If

End Sub

Function GetHashedPass(ByVal aPassword As String) As String
    'returns the upper-case hex SHA1 digest, the same format HashPassword.aspx produces
    Return FormsAuthentication.HashPasswordForStoringInConfigFile(aPassword, "sha1")
End Function
</script>

<html>
<head>
<title>Custom Forms Authentication Login Form</title>
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form runat="server">
<table width="400" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="80">Username : </td>
    <td width="10"> </td>
    <td><asp:TextBox Id="txtUser" runat="server"/></td>
  </tr>
  <tr>
    <td>Password : </td>
    <td width="10"> </td>
    <td><asp:TextBox Id="txtPassword" TextMode="Password" runat="server"/></td>
  </tr>
  <tr>
    <td></td>
    <td width="10"> </td>
    <td><asp:CheckBox id="chkPersistLogin" runat="server" />Remember my credentials
    <br>
    </td>
  </tr>
  <tr>
    <td> </td>
    <td width="10"> </td>
    <td><asp:Button Id="cmdLogin" OnClick="ProcessLogin" Text="Login" runat="server" /></td>
  </tr>
</table>
<br>
<br>
<div id="ErrorMessage" runat="server" />
</form>
</body>
</html>

Login.aspx Details

In this example I have imported both System.Web.Security and System.Xml, because we use classes from both namespaces. Here we create a procedure named ProcessLogin. Its purpose is to check the form data (username and password) against an XML file containing usernames and hashed passwords.

First, we create some local variables for our text boxes and other information needed. We need to get the full path to the users.xml file, so we use Request.PhysicalPath and then we trim the script file name. We also create a variable to hold our hashed password.

Next, we wrap the XmlDocument.Load call inside a Try...Catch statement. Structured exception handling with Try...Catch is new compared with classic ASP and is a great way to handle errors and exceptions. In the next portion of the code we declare a variable for our node list and assign it the list of nodes returned by the XML document's GetElementsByTagName method. We check whether the user exists; if so, we verify that the hash of the password they entered matches the hashed password stored in the XML document. If the user exists and the hashes match, we set blnIsAuthenticated to True. At the end of the procedure, if blnIsAuthenticated is True, we call the RedirectFromLoginPage method. Alternatively we could use the SetAuthCookie method to do the same thing without redirecting the user to another page.

The other function, GetHashedPass, is explained later under HashPassword.aspx. In the interface or HTML portion of login.aspx we have two server-side text boxes, one server-side check box, and one button, also running server-side. The button's OnClick event calls the ProcessLogin procedure. We also have a server-side div that displays any errors to the user.
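The ProcessLogin and GetHashedPass logic above, as an added Python example (not code from the article): it reproduces the upper-case hex SHA1 that HashPasswordForStoringInConfigFile emits (assuming the password is UTF-8 encoded; note that this method is marked obsolete in .NET Framework 4.5 and later), parses a constructed Users.xml in the article's layout, and checks a submitted password against the stored hash. The lookup keys on the exact element name rather than building a query from the submitted username, and the comparison is constant-time; because the hashes are unsalted, the two sample users sharing a password have identical stored values, which is worth knowing before reusing this layout.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the article's Users.xml. Both
# stored values are SHA1("test"); unsalted hashing makes that equality visible.
USERS_XML = """<?xml version="1.0"?>
<users>
  <jeff>A94A8FE5CCB19BA61C4C0873D391E987982FBBD3</jeff>
  <mike>A94A8FE5CCB19BA61C4C0873D391E987982FBBD3</mike>
</users>"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA1, the format HashPasswordForStoringInConfigFile
    returns for "sha1" (assumption: the password is encoded as UTF-8)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_users(xml_text: str) -> dict:
    """Map username -> stored hash. Usernames are element names, so iterate
    over the child elements instead of building a path from user input."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Mirror of ProcessLogin: False for an unknown user or a wrong password.
    compare_digest keeps the comparison time independent of where it differs."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(sha1_hex(password).encode(), stored.upper().encode())


if __name__ == "__main__":
    users = load_users(USERS_XML)
    print(sha1_hex("test"))                       # A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
    print(authenticate(users, "jeff", "test"))    # True
    print(authenticate(users, "jeff", "Test"))    # False
    print(authenticate(users, "nobody", "test"))  # False
```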

Default.aspx Overview

The code in this ASPX file is the same as the default.aspx in the first portion of this article.

Default.aspx Code


<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="vb" runat="server">
Sub SignOut(objSender As Object, objArgs As EventArgs)
  'delete the user's auth cookie and sign out
  FormsAuthentication.SignOut()
  'send the user back to the referring page; if there is none, reload this page,
  'which now redirects to the login form because the ticket is gone
  If Request.UrlReferrer Is Nothing Then
    Response.Redirect(Request.RawUrl)
  Else
    Response.Redirect(Request.UrlReferrer.ToString())
  End If
End Sub

Sub Page_Load()
  'verify authentication
  If User.Identity.IsAuthenticated Then
    'display credential information
    displayCredentials.InnerHtml = "Current User : <b>" & User.Identity.Name & _
      "</b><br><br>Authentication Used : <b>" & _
      User.Identity.AuthenticationType & "</b>"
  Else
    'display error message
    displayCredentials.InnerHtml = "Sorry, you have not been authenticated."
    cmdSignOut.Disabled = True
  End If

End Sub
</script>
<html>
<head>
	<title>Forms Authentication</title>
</head>

<body bgcolor="#FFFFFF" text="#000000">
<span class="Header">Forms Based Authentication using Custom Method</span>
<br>
<br>
<div id="displayCredentials" runat="server" />
<br>
<br>
<form runat="server">
  <input id="cmdSignOut" type="submit" Value="Sign Out" runat="server" onserverclick="SignOut" /><p />
</form>
</body>
</html>

Default.aspx Details

This page has the same functionality as the default.aspx in part 1. It simply displays the username and authentication method used.

HashPassword.aspx Overview

This page allows an unauthenticated user to create a hashed password. This can be used for storing passwords in the credentials section of the Web.config, inside an XML file, or in a database.

HashPassword.aspx Code


<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="VB" runat="server">
Sub GetHashedPass(objSender As Object, objArgs As EventArgs)
    'hash the submitted text with SHA1 and show the upper-case hex digest
    Dim strEncPass As String
    strEncPass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Value, "sha1")
    hashedPass.InnerHtml = "Hashed Password for Web.config, XML File or Database<br><b>" & _
        strEncPass & "</b>"
End Sub
</script>
<html>
<head>
<title>Create Hashed Password</title>
</head>

<body bgcolor="#FFFFFF" text="#000000">
<b>Create Hashed Password</b>
<form runat="server">
  <table width="100%" border="0" cellspacing="0" cellpadding="0">
    <tr> 
      <td>Password to encrypt: 
        <input id="txtPassword" type="password" runat="server" name="text"/>
         
        <input type="submit" value="Hash Pass" runat="server" onserverclick="GetHashedPass"/>
      </td>
    </tr>
    <tr>
      <td> </td>
    </tr>
	<tr> 
      <td>
        <div id="hashedPass" runat="server"/>
      </td>
    </tr>
  </table>
</form>
</body>
</html>

HashPassword.aspx Details

Again we need to import the System.Web.Security namespace to use the FormsAuthentication class. Here we have a procedure that takes the text of our text box and hashes it using the SHA1 hashing algorithm. The method that does this is HashPasswordForStoringInConfigFile (quite possibly the longest method name I've ever seen). It takes two parameters: the string to hash and the algorithm to use, which may be either SHA1 or MD5. There are several other hashing and encryption options available in .NET (see the Resources section below).

Resources

For more information on encryption options, see:

Cryptography namespace -- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecuritycryptography.asp

Crypto example -- http://www.4guysfromrolla.com/webtech/090501-1.shtml

For more information on the SHA1 class and constructor, see:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityCryptographySHA1ClassTopic.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityCryptographySHA1ClassctorTopic.asp

Conclusion

As demonstrated, Forms Authentication is a powerful tool in developing Web applications. If you have any questions or comments regarding this series, please feel free to contact me.

About the Author

Jeff Gonzalez has been working in the IT industry for the last six years. He started his IT career as an NT4 administrator and network engineer. While working for a hosting company, he recognized the power of Windows DNA and sought out to learn everything he could about it. Since his foray into the Internet development world, he has worked on several e-commerce, e-business, and intranet applications. Jeff is currently working at Microsoft doing ASP.NET, VS.NET, and mobility controls support. He can be reached at rig444@hotmail.com.