In the other tutorials in this series we explored the ASP.NET security model and used it to build feature-rich User Management Systems using Dreamweaver. We learned how to use the web.config file to configure security for an ASP.NET web application. We learned how to authenticate a user using the Forms Authentication method. We learned how to create a cookie to hold a user’s role and how to create a custom Generic Identity object to maintain the user’s role authorization from one request to another. Finally, we learned how to use the role information and the Generic Identity object to programmatically control our user experience. In this final tutorial in the series, we will build upon prior discussions as we take over the Forms Authentication Ticket creation process to create our own custom authentication ticket and encrypt it using the ASP.NET FormsAuthentication class. That said, this tutorial stands on its own in the presentation of the topics covered.
Before you get too involved, let’s see if you’re ready. This tutorial makes assumptions about your skill level: it is intended for intermediate users. If you’ve never configured a new site in Dreamweaver, never configured a database connection string, or never used the Dreamweaver database connectivity tools, this tutorial is probably not for you, as you’ll need to be familiar with these concepts and techniques. If you have done these things but have very little or no experience hand coding, writing SQL statements, or using the Dreamweaver advanced Dataset Dialog, don’t worry: we’re doing this together and I’ll do my part to bring you along.
ASP.NET Security Review
ASP.NET platform security is built around the concepts of authentication and authorization. As you may recall, Authentication means ensuring the user is who they say they are, usually via a username/password challenge, and Authorization means determining the user’s privileges or Role(s) within the application, for example Guest, User, or Administrator.
Security in the ASP.NET Framework is handled by the System.Security namespace, which includes the methods one needs to secure ASP.NET web applications, including cryptography, management for the ASP.NET runtime, and authentication and authorization of users. The ASP.NET platform has out-of-the-box support for Windows Authentication, Passport Authentication, and Forms Authentication.
Now that we’ve briefly reviewed the concepts and options involved in creating user logins, let’s look at the code we’ll use to accomplish this using the built-in support for Forms Authentication, the web standard, in the ASP.NET System.Security namespace.