- Posted by matt on April 16, 2008
The .NET Framework (starting with v2.0) has some great built-in role- and member-based authentication that is easy to tap with a little setup. Recently I was setting up some XML-based user authentication for members only (no roles) and was having trouble finding a relevant guide on how to go about setting this up. I decided to turn to the BlogEngine.NET source for some guidance and was able to get a complete solution online without too many hang-ups.
What is the goal?
The goal here is to set up basic user authentication using an XML file for user data storage and the built-in .NET Login controls. The solution should tie in with the .NET MembershipProvider to take advantage of all the work that has already been done in the framework.
Steps to complete
- Create an XMLMembershipProvider (or download this one)
- Create a Users.xml file in the App_Data folder
- Configure the web.config to use the provider
- Build the Login page
Step 1. Create an XMLMembershipProvider
The first thing you need is a class that inherits from the .NET MembershipProvider, which tells the framework how to interface with your data. This is probably the most complicated part, but fortunately the BlogEngine.NET code saves us a lot of time since the provider has already been written for that system. It does not make use of all of the available MembershipProvider features but is sufficient for basic authentication. You can write your own solution if you prefer, but this code will help get you going; just add it to your App_Code folder.
The source code can be downloaded here: XmlMembershipProvider.cs
Step 2. Create a Users.xml file
The Users.xml file will store all of the account data for the users. Create a file under the App_Data folder and name it Users.xml.
The file should be in the following format:
<?xml version="1.0" encoding="utf-8" ?>
<Users>
  <User>
    <UserName>user1</UserName>
    <Password>password</Password>
    <Email>user1@demo.com</Email>
    <LastLoginTime>2007-12-05 20:46:40</LastLoginTime>
  </User>
  <User>
    <UserName>user2</UserName>
    <Password>password</Password>
    <Email>user2@demo.com</Email>
    <LastLoginTime>2007-12-05 20:46:40</LastLoginTime>
  </User>
</Users>
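The sample file keeps each <Password> value in clear text, so anyone who can read Users.xml can read every account's password. As an added example (not code from the original post or from BlogEngine.NET), the helper below stores a salted PBKDF2 hash in that element and checks a login against it. The class name XmlPasswordStore, the "iterations:salt:hash" encoding and the iteration count are assumptions, and a provider's ValidateUser would have to call Verify instead of comparing strings.

```csharp
using System;
using System.Security.Cryptography;
using System.Xml;

// Hypothetical helper, not from the original post or BlogEngine.NET.
// Assumes .NET Framework 4.7.2+ for the HashAlgorithmName overload.
public static class XmlPasswordStore
{
    private const int Iterations = 100000; // assumed work factor
    private const int HashBytes = 32;

    // Value to store in <Password>: "iterations:salt:hash", Base64 parts.
    public static string Hash(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" +
               Convert.ToBase64String(Derive(password, salt, Iterations));
    }

    // Finds the user in Users.xml and checks the supplied password.
    public static bool Verify(string xmlPath, string userName, string password)
    {
        var doc = new XmlDocument();
        doc.Load(xmlPath);
        foreach (XmlNode user in doc.SelectNodes("/Users/User"))
        {
            XmlNode name = user["UserName"], stored = user["Password"];
            if (name == null || stored == null || name.InnerText != userName) continue;
            string[] parts = stored.InnerText.Split(':');
            int iterations;
            // A clear-text legacy value has no ':' fields and is rejected.
            if (parts.Length != 3 || !int.TryParse(parts[0], out iterations) || iterations < 1)
                return false;
            byte[] expected = Convert.FromBase64String(parts[2]);
            byte[] actual = Derive(password, Convert.FromBase64String(parts[1]), iterations);
            // Compare every byte so timing does not reveal where they differ.
            int diff = expected.Length ^ actual.Length;
            for (int i = 0; i < expected.Length && i < actual.Length; i++)
                diff |= expected[i] ^ actual[i];
            return diff == 0;
        }
        return false; // unknown user
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}
```

Run Hash once per account and paste the result into the <Password> element; existing clear-text entries fail verification until they are re-hashed.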
Step 3. Configure the web.config file to use the provider
The web.config file needs to be set up to know how to access your custom membership provider from step 1.
First, set the authentication mode to "Forms" and configure the forms values. Set the name= attribute to the cookie name you want to use for the authentication, and set the loginUrl= attribute to the virtual path of your login page.
Next, add the membership section and set the defaultProvider= attribute to the name of your provider class. Add a provider to the section and set the type= attribute to the namespace or class name of your XML provider. Finally, set the xmlFileName= attribute to the virtual path of the Users.xml file.
<system.web>
  <!-- Authentication -->
  <authentication mode="Forms">
    <forms timeout="129600" name=".XMLAUTH" protection="All" slidingExpiration="true" loginUrl="~/Login/Default.aspx" cookieless="UseCookies"/>
  </authentication>
  <membership defaultProvider="XmlMembershipProvider">
    <providers>
      <clear/>
      <add name="XmlMembershipProvider" type="XmlMembershipProvider" description="XML membership provider" xmlFileName="~/App_Data/Users.xml"/>
    </providers>
  </membership>
</system.web>
Step 4. Build the Login Page
Now that your application is wired up to use your new provider and XML data file, you need to set up a page for the user to authenticate from. This is normally done at ~/Login.aspx or at ~/Login/Default.aspx. I prefer the latter as it's easier for people to remember a path without an extension.
Create your page and drag an <asp:Login /> control from your toolbox onto the page. At minimum you need to specify a DestinationPageUrl= for your user to be redirected to upon successful sign-in, and an OnAuthenticate method. To assign the OnAuthenticate method, double-click the control in the design view to be taken to the method in the code view.
In the code-behind of the login page, import the System.Web.Security namespace to easily access the Membership class. You can now use the following simple method to authenticate a user:
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

public partial class Login_Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    // Runs when the <asp:Login /> control (Login1) submits credentials.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Check the credentials through the configured membership provider.
        if (Membership.ValidateUser(Login1.UserName, Login1.Password))
            // Issue the forms authentication cookie and redirect.
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true);
    }
}
The Membership.ValidateUser() function calls your XmlMembershipProvider, which checks the supplied credentials against the XML file. If the username and password match, it returns true. If the user provided the proper credentials, you can use the FormsAuthentication.RedirectFromLoginPage() function to add a cookie to the browser indicating the person has been authenticated. The second parameter (true) requests a persistent cookie on the browser so that the authentication carries throughout the site.
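The second argument of RedirectFromLoginPage is createPersistentCookie, and with the 129600-minute timeout from step 3, passing true leaves a ticket on the machine that stays valid for 90 days. As an added example (not code from the original post), this variant of the handler lets the Login control's Remember Me checkbox decide and builds the ticket itself so the cookie flags are explicit. The 30-minute lifetime for non-remembered logins is an assumed value, and FormsAuthentication.Timeout requires .NET 4.0 or later.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class Login_Default : System.Web.UI.Page
{
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (!Membership.ValidateUser(Login1.UserName, Login1.Password))
        {
            e.Authenticated = false; // the control shows its FailureText
            return;
        }

        bool remember = Login1.RememberMeSet;
        DateTime now = DateTime.Now;
        // Assumed policy: 30 minutes unless "Remember me" is ticked,
        // in which case the configured <forms timeout> applies.
        DateTime expires = remember
            ? now.Add(FormsAuthentication.Timeout)
            : now.AddMinutes(30);

        var ticket = new FormsAuthenticationTicket(
            1, Login1.UserName, now, expires, remember,
            string.Empty, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                     // not readable from script
        cookie.Secure = Request.IsSecureConnection; // HTTPS-only when served over HTTPS
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (remember)
            cookie.Expires = expires;               // otherwise a session cookie
        Response.Cookies.Add(cookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(Login1.UserName, remember));
    }
}
```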
How to determine authentication on the site
Now that you have the user authentication taken care of, it's a simple task to determine whether a user is logged in on the rest of your site's pages. To find out, you can simply check the following property:
if (Page.User.Identity.IsAuthenticated)
{
    // User is logged in
}
else
{
    // User is not logged in
}
You can also make use of the other built-in .NET login controls like <asp:LoginStatus />, <asp:CreateUserWizard />, <asp:PasswordRecovery />, etc.
