Presenter: Scott Stanfield
Learn how to secure a web site using the new Membership and Roles features of ASP.NET 2.0. Topics include user registration, password recovery, and restricting access to content with roles.
The following text is a software-generated transcript of the video.
Minute 0
Welcome to this ASP.NET video on membership and roles. If you've built web apps in the past, you've probably spent time adding your own username and password system to your site. You don't need to anymore, because with ASP.NET 2.0 you can secure your site with its built-in password management system, called Membership, and also a bunch of UI controls for helping users log in, recover passwords, and register for your site. So let's start by creating a website. This website can be based on a template that I created in the Master Pages video; it's simply under Visual Studio 2005\Templates\Project Templates. There's a zip file right here, MasterPages.zip, and as you'll see this is a simple collection of a couple of pages I already populated to make this demo look a little better. So I'll call this new project Membership, since we're going to talk about how we manage members in a website and the roles that they have. What's important here is that this web.config file is empty, or there's not much in it.
Minute 1
I'll show you the master page; these pages are all blank. Let me show you our default page: it's just a simple content page, but because we wired it up to the master page in the previous video, if we view this thing you'll see that it's just a placeholder, ready to go. Over the course of this video we'll populate things like login, create account, things like that. We'll close that out and start first by jumping into this new site's ASP.NET Configuration, by clicking on this button to go to the page that's provided for us automatically to administer our site. We're just concerned with the Security tab now, and here we're going to do a couple of things. Right now the site is set up to support basic Windows authentication, so let's change that to "From the internet", which will set up the kind of authentication you'd expect on an Internet application, with a username and password, the things that you'd expect. So switch that over.
Minute 2
And let's do a couple of other things here and enable roles for our site. Roles are like groups of users. I'll create a couple of simple roles: an Administrators role, which is self-explanatory; then basic Users; and then we have another role called Power User that can do special things in the site. So there we have three basic groups of users. Now I'll create my first account to bootstrap the whole process. This will be for me, and I'll use a pretty strong password, so a combination of alphanumerics and punctuation. I'll put myself in the Administrators and Users groups, set up an e-mail address, and the security question, which will be "favorite color", with the answer "blue". With that we have our first user.
Minute 3
So at this point we can close the site and go back to our project to watch the changes. Hit refresh, and we have a new folder here called App_Data, and inside it is a SQL Server Express database, ASPNETDB, that was created for us automatically. Inside here ASP.NET automatically manages our users and their accounts and roles. If I go to the aspnet_Membership table, this is just to show you what's in here; you don't normally have to deal directly with this database. But here's my account, with my Vertigo Software e-mail address, here's my question, "my color", here's my encrypted password answer, and over here is my password. You can see it's salted, so this indicates to me that it's a one-way hash, which is nice; there's a pretty secure system right out of the box. What's better, though, is that using this database is very simple to start. I'm going back to our default page and switching to design mode.
Minute 4
We'll spend the rest of the time using these new components right here. Because this is the default page, it's the page that everyone hits, and you get here when you're not currently authenticated. So what we want to do is present the user with an option to log in, and maybe also to create a new account. We'll do that here. Now I could start typing "you can log in here" and drag a hyperlink over, but the problem is that when I go back to this page once I'm authenticated I don't want to log in again. So I need this control called LoginView. This manages the contents inside the box here depending on whether I'm logged in or not. So the anonymous template can look something like this: "You're not logged in." We can drag over a hyperlink for login, and drag over another hyperlink, if you wish, to create an account. Those are the two options we have. And if we are authenticated we want to say something like a welcome message.
Minute 5
"Welcome back", followed by the login name, and from here you can do something like change your password. So I dragged over this component called LoginName, which is nice because it's wired up to the Membership APIs; it's a span that pulls in the username automatically, and I don't have to do anything for it. So in order to test this LoginView, we actually need to enable our site to be logged into. We need a login page, with the login form values you can imagine: two text boxes and a button, and when you click the button we authenticate, and all that stuff. But ASP.NET makes it easy with the Login control right here. I drag it onto my form and I'm basically done. I'll do an AutoFormat and change it to Professional. Save it, and I think at this point we can try out the site. Currently we're anonymous.
Minute 6
Click on Login, and I'll type in the account information I set up and log in. It takes you right back to the default page, and the template is different because it now knows who I am. From here, if you like, you can change the password. So far so good; we've got a lot of functionality without writing any code yet. So let's go and customize this a bit further. Go back to the login page and add a new feature here. If I bring up the properties for this component, there's quite a bit here, but the one I want to show you is password recovery. There's a built-in password recovery system, which has a bit of workflow involved. So we can add text like "Forgot your password?" and then have a page that you can go to when you forget your password. You can see it added that hyperlink for us automatically. Let's go and build that page, ForgotPassword.
Minute 7
As you might expect, we need another component: the PasswordRecovery control. All we need to do is drag it over and it takes care of the rest. We do need to set up the e-mail information, though. Still under the properties, under MailDefinition, there is a mail definition. So this is from a no-reply address at our company's domain, and maybe make the priority High, and the subject is "Your new temporary password". That's good. Now, if you try to use this page right away to get a password back, it's not going to work, because we have to change a setting on the website. Let's go back to the Web Site Administration Tool and tell it where our Exchange server, or SMTP server, is. So go back to Security... actually, no, you go to the Application Configuration area and set the SMTP settings.
Minute 8
For here it's just "exchange", and the From address will be the same as before. Save that and close the page. Now I think we're all set to go, so go back to our default page. It's still on the login page, but now we have Forgot Password. So I type in my username, Scott, and it asks me that favorite color question, and I type in "blue", and that's it; the password is mailed to me. Now I can go check it. This is my normal mail account, and it should be right here: from the no-reply address, telling me to return to the site and use this password. So I'll copy that to the clipboard, close those two windows, and bring the page back up.
Minute 9
Back up, and now I can log in as Scott and paste that password back in. It worked, just like that. Okay, well, I'll need to change the password, because I won't remember that one, and Change Password hasn't been hooked up yet. But as you can imagine, that's probably another component. So we'll add the ChangePassword page; under that text we'll drag in the ChangePassword component, save it, close the page, and rerun it. Log back on; I still have that password in the clipboard, so log in as Scott, and then Change Password should work. So here's my old one, and here's the one I'm changing it to, something I can remember. There we go. So very quickly we've got a lot of new features. Now let's look at this Create Account page.
Minute 10
This is pretty slick. It's got really two steps: you sign up for your account, entering all this information, and then you're finished. Now I'm going to add a custom step. So let's add a step where the user can select the role. Now, you wouldn't normally do this, letting the user choose or change their own role, but I just had to come up with some idea here. So let's say "Choose your role", and this allows them to select the role from the ones that Membership has been set up with. So for this, if we drop into the source code view I can show you the degree of extensibility we have. This is the wizard step that we just added. Go back to design mode; I need a couple of things for this page. "Select a role", and I'll drag in a list box there. And now let's go back to the source code, because I have a couple of methods to write.
Minute 11
I'll handle when the page's step is activated; I'll call that ActivateStep. And when it's deactivated, I'll call that DeactivateStep. What I need is a couple of script blocks here with code that runs on the server. I have these in the clipboard, so I can paste them in. Let me explain what these two methods do. When that step is activated, I'm using the Roles API to get a list of all the roles, and binding it directly to the list box. When we move on to the next step, I'm simply finding what role was selected and adding this new user account to it. So I'm adding the user to the role they select. Close this, and I will use this step to create a user that doesn't have any administrative privileges. I'll create a user called Mike.
Minute 12
So we have a new account that is part of just the Users group. We finish, and now we can log in as Mike. That works. Now here's the deal. I actually want these pages, Manage Accounts and Display Reports, which are just dummy pages, to be protected, so that those pages are accessible to anyone in the Administrators role, like Scott, but not accessible to someone like Mike in the Users role. To do that, I'll create a folder called Admin. What I'd like to do is move these two files, Display Reports and Manage Accounts, into that folder, and that's a convenient place for us to hold all the pages that we want protected. The way we do that is to go back into the ASP.NET Configuration.
Minute 13
Back in the Web Site Administration Tool, there's a way for us to protect those pages. So under Security again, under Create Access Rules, we're going to create two rules. So for this Admin folder we'll take the Administrators role: you are allowed privileges to any file in that folder. Then we'll create another rule that excludes all other users: they're denied. What it's really doing behind the scenes, if we hit refresh, is that it created a web.config file, and we could have done this directly. You can see it's for this folder, with the Administrators role allowed and all other users denied. And since we moved these two pages inside the Admin folder, we need to go in and modify the website's URLs for these pages in the site map. If you want to know what this is for, watch the Navigation video; it's what is used by the tree control on the side.
Minute 14
So because we moved those, we had to keep that in sync. Now go back and log in as Mike. If we try to get to Manage Accounts, you can see it simply redirects back to the login page, because it knows we don't have privileges. If I log in with Scott's account, we do have privileges, and I can see the page; it's empty, because we haven't really done anything in there yet. But notice a little problem right here: our image controls. If I bring up the properties of this, its image source points to a local folder called Images under the Admin folder, which we don't have. So in order to fix this last little problem we go back to our master page.
Minute 15
This is where the image is defined for the Membership website. So what I need is to change this to an ASP.NET Image control and set runat="server". By doing this I have access to the feature that allows me to set the path of the image source with a tilde: if I put a ~/ right here, it will be mapped at run time to the root of my site, so it's images/ whatever. There we go. I'll do the same with my other image, located in the view; so copy, just replace that, stick a runat="server" in there, and change the source to ~/. Okay, now I go back to this page.
Minute 16
Display Reports: it asks me to log in first, which is nice. Now that I'm authenticated, I'm going to see my images working. Great. The final thing I want to do: notice that if I log in as Mike, the menu here still shows these as options, Manage Accounts and Display Reports. If we want to hide those, we'd modify the default behavior of the SiteMapProvider. To modify the SiteMapProvider's default, inside the web.config we'll need to add an entry for the site map. This is another block of text I have in the clipboard, instead of typing it, so it's pasted in. What I'm doing here is modifying the settings for our site map, and the key line is securityTrimmingEnabled. What that does is use the overall security settings and remove pages from the menu that you're not allowed to see. Let's demonstrate that.
Minute 17
So notice I don't have those pages here under the Administration item. In fact, when I go to that main Admin page I can't even see that I have those other options. But as soon as I log in as Scott, those show up automatically. So all this we've done in the past 10 or 20 minutes with very little code, for all this functionality. If we had to do all this from scratch and code it with ASP.NET 1.1, it would probably take a week, and on top of that it may not even have been done in a secure way. So we've got this whole neat system, with very little code, to create membership and roles that you can add right now to your websites.
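As an added example (this is not code from the video or from the ASP.NET project itself), here is a root web.config that collects the settings the Web Site Administration Tool wrote behind the scenes during the walkthrough above: Forms authentication, the role manager, the membership provider, the two access rules for the Admin folder, the SMTP settings used by password recovery, and the site map provider with security trimming. The role, folder and page names are the ones used in the video; the SMTP host name, port and From address are assumed values.

```xml
<?xml version="1.0"?>
<!-- Added example, not the video's own files: the settings the Web Site
     Administration Tool writes during the walkthrough, gathered into one
     root web.config. Role names (Administrators, Users, Power User), the
     Admin folder and the login page come from the video; the SMTP host
     name, port and From address are assumptions. -->
<configuration>
  <system.web>
    <!-- "From the internet" in the tool means Forms authentication.
         Unauthenticated requests for protected pages redirect here. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>

    <!-- Enable roles for the site. The three roles themselves live in
         the aspnetdb database the tool created, not in this file. -->
    <roleManager enabled="true" />

    <!-- Membership provider backed by App_Data\ASPNETDB.MDF through the
         LocalSqlServer connection string that machine.config defines.
         passwordFormat="Hashed" is the default and is why the table in
         the video shows salted one-way hashes. Hashed passwords cannot
         be retrieved, so PasswordRecovery can only reset the account to
         a freshly generated temporary password and mail that one. -->
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- securityTrimmingEnabled hides menu entries the current user may
         not reach. It is cosmetic: only the authorization rules below
         actually block the request. -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <clear />
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Equivalent of the Admin\web.config the tool generated for the two
       access rules. Rules are evaluated top to bottom and the first
       match wins, so the allow must precede the deny; reversed, the
       Administrators would be locked out as well. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- SMTP settings entered under Application Configuration; used by the
       PasswordRecovery control's MailDefinition. Host, port and address
       are assumed values. -->
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.com">
        <network host="exchange" port="25" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

Two points worth checking in your own configuration. Authorization rules are applied in order and the first match wins, so `<allow roles="Administrators" />` must come before `<deny users="*" />`; in the reverse order nobody, Scott included, can reach the folder. And securityTrimmingEnabled only affects what the menu shows; it is the `<location>` block, not the site map, that sends Mike back to the login page.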
Tuesday, May 27, 2008
Video: How Do I: Secure my Site using Membership and Roles?
Labels:
membership,
roles,
securing site