There are four basic parts to simple forms authentication. Those parts are:
- The form (to gather the user ID and password) itself
- The Web.Config file entry
- The data store (the place where you keep the user names and passwords)
- The validation process, triggered in the click event of the form
Here is an example of the simplest of Forms (let's call the page 'Login.aspx'),
designed to gather the user ID and password:
```aspx
<table>
  <tr>
    <td align="Right" valign="Top"><b>User ID: </b></td>
    <td align="Left" valign="Top">
      <asp:TextBox id="txtUID" Runat="server" />
    </td>
  </tr>
  <tr>
    <td align="Right" valign="Top"><b>Password: </b></td>
    <td align="Left" valign="Top">
      <asp:TextBox id="txtPWD" TextMode="Password" Runat="server" />
    </td>
  </tr>
  <tr>
    <td align="Right" valign="Top" Colspan="2">
      <asp:Button id="submitButton" Text="Login" onclick="doLogin" Runat="server" />
    </td>
  </tr>
</table>
```
In the Web.Config file, add this inside the `<system.web>` element:

```xml
<system.web>
  <authentication mode="Forms">
    <!-- loginUrl is the page we named for the form above -->
    <forms name=".FormName"
           loginUrl="login.aspx"
           protection="All"
           timeout="480"
           path="/" />
  </authentication>
  <authorization>
    <!-- "?" means anonymous users: anyone not logged in is sent to loginUrl -->
    <deny users="?" />
  </authorization>
</system.web>
```
For the data store you can use anything you'd like; however, I'm a bit
partial to databases for quick interaction, so this example will be using a
database. You'll need to create a table in your database to store the names,
user IDs and passwords. Here's a list of the basic table fields you'll need:

| Field Name | Data Type | Notes |
|---|---|---|
| id | Integer | for Access, use AutoNumber; for SQL Server, create an Identity column |
| Name | MS Access: Text; SQL Server: VarChar | use a length you feel is appropriate; you can also split this into two fields (first and last name) so you can more easily use the first name elsewhere on the site once the user is logged in |
| Login | MS Access: Text; SQL Server: VarChar (unless you want an exact number of characters) | |
| Password | same as Login | |
For the actual work, create a click event for the button in the form; let's
call it 'doLogin'. You'll also create a function to do the validation; let's
call it 'ValidateUser', with a couple of arguments, 'uid' and 'pwd'. Finally,
create a label with an ID of 'lblError' on the form, to show a message in case
the login attempt fails.
```vbnet
' Requires at the top of the file:
'   Imports System.Data
'   Imports System.Data.SqlClient
Function ValidateUser(uid As String, pwd As String) As Boolean
    Dim sName As String = ""
    Dim blnValidUser As Boolean = False
    ' Replace the placeholders with your own server, credentials and database.
    Dim strConn As String = "server=UrSrvr;uid=UrUid;pwd=UrPwd;database=UrDB"
    ' Parameterized query: what the user typed never becomes part of the SQL text.
    ' Note that this compares the password exactly as it is stored in the table.
    Dim MySQL As String = "Select [Name], [Login], " & _
        "[Password] from Employees " & _
        "Where Login=@Uid AND Password=@Pwd"
    Dim MyConn As New SqlConnection(strConn)
    Dim objDR As SqlDataReader
    Dim Cmd As New SqlCommand(MySQL, MyConn)
    Cmd.Parameters.Add(New SqlParameter("@Uid", uid))
    Cmd.Parameters.Add(New SqlParameter("@Pwd", pwd))
    Try
        MyConn.Open()
        objDR = Cmd.ExecuteReader(CommandBehavior.CloseConnection)
        ' A row comes back only when both the login and the password matched.
        While objDR.Read()
            sName = CStr(objDR("Name"))
            blnValidUser = True
        End While
        objDR.Close()
        If blnValidUser Then
            ' Keep the user's name around for the rest of the session.
            Session("Name") = sName
        End If
    Catch ex As Exception
        lblError.Visible = True
        lblError.Text = "Sorry, errors have occurred"
    Finally
        ' In VB, assigning to the function name sets its return value.
        ValidateUser = blnValidUser
        If MyConn.State <> ConnectionState.Closed Then MyConn.Close()
    End Try
End Function
```
The 'doLogin' sub, wired to the button's click event, looks like this:

```vbnet
' Requires: Imports System.Web.Security (for FormsAuthentication)
Sub doLogin(Source As Object, E As EventArgs)
    If ValidateUser(txtUID.Text, txtPWD.Text) Then
        ' Issues the forms-authentication cookie (non-persistent, because of the
        ' False) and sends the user back to the page they originally asked for.
        FormsAuthentication.RedirectFromLoginPage(txtUID.Text, False)
    Else
        lblError.Visible = True
        lblError.Text = "We're sorry, but the information you provided " & _
            "does not match our database. Please try again."
    End If
End Sub
```
As you can see, the 'ValidateUser' function verifies the user ID and password
against the database. If they match, it also retrieves the user's Name and
stores it in a Session variable you can use anywhere on the site, and it
records the True or False result of the login attempt in the blnValidUser
boolean variable, which in turn becomes the return value of the ValidateUser
function. From there, the user is authenticated for every portion of the site
for the length of the session. Naturally, this process can be expanded further,
with roles and sections of the site reserved for certain roles or certain
people, but we'll attack that at a later date.
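The table above stores the password itself and lets SQL Server do the comparison. The following is an added example, not code from the original article: the same ValidateUser/doLogin pair, rewritten so the Employees table holds a per-user random salt and a PBKDF2 hash of the password (assumed columns `PasswordSalt` and `PasswordHash`, both varbinary) and the password check happens in code. The connection string placeholders, the `LoginHelper` class name and the column names are assumptions; `Rfc2898DeriveBytes` needs .NET 2.0 or later.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Web.Security

' Added example (not from the article): validation against a salted, hashed password store.
Public Class LoginHelper
    Private Const Iterations As Integer = 10000   ' PBKDF2 work factor
    Private Const HashLength As Integer = 32      ' bytes of derived key to store

    ' Derive the value that gets stored in PasswordHash (also used at registration time).
    Public Shared Function HashPassword(pwd As String, salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(pwd, salt, Iterations)
        Return kdf.GetBytes(HashLength)
    End Function

    ' Fresh 16-byte random salt for a new account; store it next to the hash.
    Public Shared Function NewSalt() As Byte()
        Dim salt(15) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt)
        Return salt
    End Function

    ' Compare every byte instead of stopping at the first mismatch, so the time
    ' taken does not reveal how much of the hash matched.
    Private Shared Function SlowEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Look the user up by login only; the password never goes into the query.
    ' The user's name is handed back through the ByRef argument on success.
    Public Shared Function ValidateUser(uid As String, pwd As String, ByRef name As String) As Boolean
        Dim strConn As String = "server=UrSrvr;uid=UrUid;pwd=UrPwd;database=UrDB"  ' assumed placeholders
        Dim sql As String = "SELECT [Name], [PasswordSalt], [PasswordHash] " & _
                            "FROM Employees WHERE [Login] = @Uid"
        name = ""
        Using conn As New SqlConnection(strConn)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@Uid", SqlDbType.VarChar, 50).Value = uid
                conn.Open()
                Using dr As SqlDataReader = cmd.ExecuteReader()
                    If Not dr.Read() Then Return False   ' unknown login
                    Dim salt As Byte() = CType(dr("PasswordSalt"), Byte())
                    Dim stored As Byte() = CType(dr("PasswordHash"), Byte())
                    If Not SlowEquals(HashPassword(pwd, salt), stored) Then Return False
                    name = CStr(dr("Name"))
                    Return True
                End Using
            End Using
        End Using
    End Function
End Class

' Login.aspx code-behind; txtUID, txtPWD and lblError are the controls declared in the markup.
Partial Public Class Login
    Inherits System.Web.UI.Page

    Protected Sub doLogin(ByVal Source As Object, ByVal E As EventArgs)
        Dim name As String = ""
        If LoginHelper.ValidateUser(txtUID.Text, txtPWD.Text, name) Then
            Session("Name") = name
            FormsAuthentication.RedirectFromLoginPage(txtUID.Text, False)
        Else
            ' Same message for an unknown login and a wrong password, so the
            ' response does not confirm which user IDs exist.
            lblError.Visible = True
            lblError.Text = "We're sorry, but the information you provided " & _
                            "does not match our database. Please try again."
        End If
    End Sub
End Class
```

When an account is created, call `NewSalt()` once, store it, and store `HashPassword(pwd, salt)`; the login page then only ever receives the salt and hash from the database, and the session assignment moves into doLogin so ValidateUser has no dependency on page controls.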
I'm sure that, if you're a novice, this may seem pretty complicated, but in
the total realm of the programming world, this is fairly simple. MS has done a
pretty nice job here, in my opinion. Just remember, the simplest way to attack a
seemingly difficult piece of code is to break it into parts, the way it's done
here. Study each part, piece by piece, and then see how they all fit together.