ASP.NET 1.1 Insider Solutions- P11

Chia sẻ: Thanh Cong | Ngày: | Loại File: PDF | Số trang:50

lượt xem

ASP.NET 1.1 Insider Solutions- P11

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Tham khảo tài liệu ' 1.1 insider solutions- p11', công nghệ thông tin, kỹ thuật lập trình phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:

Nội dung Text: ASP.NET 1.1 Insider Solutions- P11

  1. 488 12 Side-by-Side Execution in ASP.NET The MMIT Mobile Controls In version 1.1 of the .NET Framework, the ASP.NET mobile controls from the MMIT are inte- grated into the class library and can be used directly, without requiring a separate installation. The two namespaces System.Web.Mobile (the core classes and authentication and error-handling features) and System.Web.UI.MobileControls (the controls themselves) are now an integral part of the .NET Framework. There is also a namespace System.Web.UI.MobileControls.Adapters, which contains the core control adapter classes that you can use to build you own mobile controls. By default, ASP.NET does not create pages that are suitable for use with the mobile controls, and you still have to add the same “extra information” to the page to use these controls. This involves specifying that the page itself should be an instance of the MobilePage type, which allows multiple forms to exist on a page and provides integration with the core mobile capabili- ties: You must also continue to specify the tag prefix and the assembly that contains the mobile controls by using a Register directive, so that the controls can be identified. The usual prefix is “mobile”, as in this example: This means that existing version 1.0 pages that use the MMIT will function just the same on version 1.1, with no changes required to the code except where it uses other classes (for example, classes from the System.Data namespaces) that have changed in version 1.1. Running Version 1.1 Applications on Version 1.0 If you write an application to run on version 1.1 of the .NET Framework and avoid using any features that are new or changed in version 1.1, you will be able to run that application on version 1.0. However, unless you are strictly limited to using only version 1.0 on the server that will host the application, you should consider always running on the latest version of the .NET Framework to benefit from the latest security fixes and performance enhancements. How ASP.NET Selects the Runtime Version IIS uses the concept of mappings (sometimes called script mappings or application mappings) to decide how to process a file or resource when it is requested through the WWW Service. You can view and change the mappings for a Web site or a virtual Web application in the Mappings tab of the Application Configuration dialog for a Web site. To open the Application Configuration dialog, you open the Properties dialog for the Web site, select the Home Directory tab, and click the Configuration button (see Figure 12.4).
  2. How to Specify the ASP.NET Version for Individual Applications 489 FIGURE 12.4 Viewing the script mappings in Internet Information Services Manager. The mappings for ASP.NET pages and resources point to the file aspnet_isapi.dll, which is responsible for processing these pages and resources. If you have more than one version of the .NET Framework installed, the mapping will point to the version of aspnet_isapi.dll that will be used, and this determines which version of the .NET Framework classes and ASP.NET runtime will process the resources. In Figure 12.4, you can see that version 1.1 will be used (the full version number is 1.1.4322). How to Specify the ASP.NET Version for Individual Applications As you have seen in the preceding section, all you have to do to force ASP.NET resources to be executed under a different version of the .NET Framework is change the mapping to point to aspnet_isapi.dll in the appropriate [version] folder of the .NET Framework. One way to do this is to manually edit the entries; however, you have to repeat this process for several file types (all the extensions for ASP.NET, such as .aspx, .asmx, .asax, and .ascx). A far easier way to force ASP.NET resources to be executed under a different version of the .NET Framework is to use the aspnet_regiis.exe application registration utility that is provided with every version of the .NET Framework. This utility can be used for several tasks related to script mappings in IIS, including updating the mappings for some or all of the Web sites and Web applications configured within IIS. Installing ASP.NET Without Updating Script Mappings The Dotnetfx.exe setup program executes the aspnet_regiis.exe utility automatically when you install the .NET Framework and when you uninstall it. However, you can prevent aspnet_regiis.exe from being executed, and hence maintain the existing script mappings, by
  3. 490 12 Side-by-Side Execution in ASP.NET running the Dotnetfx.exe setup program from a command window and specifying the special parameter sequence, as shown here: Dotnetfx.exe /c:”install /noaspupgrade” This means that you can install the latest version of ASP.NET without disturbing any existing applications and then update individual applications as and when required by using the aspnet_regiis.exe utility. When you create a new Web application, the version currently set up for the default Web site within which the new application is created is used for the new applica- tion until you specifically change it. Again, you can use the aspnet_regiis.exe utility for this. Remember that if the version of ASP.NET you are installing is older than the most recent version already installed, the setup program does not automatically execute aspnet_regiis.exe—and so the existing script mappings are not updated. Using the aspnet_regiis.exe Tool to Configure Runtime Versions The aspnet_regiis.exe tool is supplied with each version of the .NET Framework and is located in the %windir%/Microsoft.NET/Framework/[version]/ folder. The version of the tool is different for each version of the .NET Framework, so you must use the correct one, depending on what configuration changes you want to make. For example, to configure an application to use version 1.0 of the .NET Framework, you must run the version of aspnet_regiis.exe from the folder %windir%/Microsoft.NET/Framework/v1.0.3705/. You run the aspnet_regiis.exe utility from a command window. As shown in Table 12.1, aspnet_regiis.exe accepts a range of parameters that determine the configuration changes it makes. Note that you can use this tool to create the aspnet_client folder for your Web sites and populate it with the required client-side script files, and you can also use it to set the script mappings or display information about the versions of ASP.NET that are installed. In Windows Server 2003, with IIS 6.0, you must also manage the Web service extensions to allow ASP.NET to serve pages. You’ll learn more on this topic later, but you can see in Table 12.1 that the aspnet_regiis.exe utility can set these for you as well. TA B L E 1 2 . 1 The Command-Line Parameters for the aspnet_regiis.exe Utility Parameter Description -i Registers this version of ASP .NET, adds the matching Web service extension to IIS 6.0, and updates the mappings for all Web sites and Web applications to point to this version of aspnet_isapi.dll. -ir Registers this version of ASP .NET but does not update Web site and Web application mappings. -enable Is used with the -i or -ir parameters to set the status to Allowed for the Web service exten- sion it installs for ASP .NET (version 1.1 and above with IIS 6.0 and above only). -s Updates the mappings for all Web sites and Web applications at the specified path and updates any applications nested within this path to point to this version of aspnet_isapi.dll (for example, aspnet_regiis.exe -s W3SVC/1/ROOT/ProAspNet). -sn Updates the mappings for all Web sites and Web applications at the specified path, but not those nested within this path, to point to this version of aspnet_isapi.dll.
  4. How to Specify the ASP.NET Version for Individual Applications 491 TA B L E 1 2 . 1 Continued Parameter Description -r Updates the mappings for all Web sites and Web applications configured within IIS to point to this version of aspnet_isapi.dll. Does not register this version of ASP .NET or add a Web service extension. -u Unregisters this version of ASP .NET and removes the Web service extension. Any existing mappings for this version are remapped to the highest remaining version of ASP .NET that is installed on the machine. -ua Unregisters all versions of ASP .NET on the machine. -k Removes all mappings to all versions of ASP.NET for all Web sites and Web applications at the specified path and any applications nested within this path (for example, aspnet_regiis.exe -k W3SVC/1/ROOT/ProAspNet). -kn Removes all mappings to all versions of ASP .NET from the specified path but does not remove those nested within this path. -lv Lists all versions of ASP .NET that are installed on the machine, along with the current status (Valid or Invalid) and path to aspnet_isapi.dll for that version (when the status is Valid). -lk Lists the paths of all the IIS metabase keys that contain ASP .NET mappings, together with the version each one is mapped to. Does not include any keys that inherit ASP .NET mappings from a parent key. -c Installs the client-side scripts for this version into the aspnet_client subfolder of every IIS Web site directory. -e Removes the client-side scripts for this version from the aspnet_client subfolder of every IIS Web site directory. -ea Removes the client-side scripts for all versions of ASP .NET from the aspnet_client subfolder of every IIS Web site directory. -? Prints the help text in the command window. One issue to be aware of is that installing the .NET Framework adds to your PATH environment variable the path to the utilities folder. Therefore, depending on the order in which you installed the .NET Framework versions, you might find that typing just aspnet_regiis will not run the version you expect or require. To get around this, you need to enter the full path to the version of aspnet_regiis.exe that you want or edit your PATH environment variable to change the order of the paths or add the one you need. To edit your PATH environment variable, you open the System applet by selecting Start, Settings, Control Panel; then you click the Environment Variables button in the Advanced tab of the System Properties dialog. Listing Versions, Web Sites, and Application Roots As an example of using aspnet_regiis, the following command uses the -lv (list versions) param- eter to list the versions of the .NET Framework that are installed on the machine by printing the path to the aspnet_isapi.dll file for each version and showing which is the default (root) entry in IIS: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis -lv 1.0.3705.0 Valid
  5. 492 12 Side-by-Side Execution in ASP.NET ➥ C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll 1.1.4322.0 Valid (Root) ➥ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll To get a list of the Web sites and virtual Web applications, together with the version that each one is currently mapped to, you can use the -lk (list keys) parameter: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis -lk W3SVC/ 1.1.4322.0 W3SVC/1/ROOT/ 1.1.4322.0 W3SVC/1/ROOT/MSMQ/ 1.1.4322.0 W3SVC/1/ROOT/Printers/ 1.1.4322.0 W3SVC/1/ROOT/ASPNETInsiders/ 1.1.4322.0 Updating the ASP.NET Runtime Configuration To demonstrate how to change the mappings for Web sites and Web applications, the following command shows how you can use the -s (script-map) parameter (the path can be obtained using the -lk parameter as shown in the preceding section): C:\WINDOWS\...\v1.0.3705>aspnet_regiis -s W3SVC/1/ROOT/ASPNETInsiders Start installing ASP.NET DLL (1.0.3705.0) ➥ recursively at W3SVC/1/ROOT/ASPNETInsiders Finished installing ASP.NET DLL (1.0.3705.0) ➥ recursively at W3SVC/1/ROOT/ASPNETInsiders Now the mappings for the virtual application root named ASPNETInsiders and all nested virtual applications are configured so that they will execute under version 1.0 of the .NET Framework. One point to watch here is that because IIS 6.0 was not available when version 1.0 of the .NET Framework was created, the aspnet_regiis tool does not install ASP.NET 1.0 in the Web service extensions section of IIS 6.0. You have to create this entry manually (as shown in the following section) and set the status to Allowed. Installing the ASP.NET Client-Side Script Folder When you create a new Web site, the aspnet_client subfolder that contains the client-side scripts required by some ASP.NET server controls is not automatically added to that Web site. You can ensure that it is present and correctly populated with the required scripts for all Web sites by using the -c option of aspnet_regiis.exe: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis -c ASP.NET and IIS 6.0 on Windows Server 2003 IIS 6.0 on Windows Server 2003 contains a new extra layer of security for the Web service, in the form of Web service extensions. Basically, Web service extensions are subsets of the script
  6. ASP.NET and IIS 6.0 on Windows Server 2003 493 mappings that are installed on the machine, with the option to block requests for files that have the file extension specified in that mapping set. You have to ensure that the status for the Web service extension that specifies the version of ASP.NET you are using for your applications is set to Allowed. If it isn’t, the client will simply receive a “Page not found” response—even though the page exists and the user has requested the correct URL. IIS 6.0 Web Service Extensions To configure Web service extension settings in IIS 6.0, you open Internet Information Services Manager and select the Web Service Extensions folder. You can see in Figure 12.5 that the Web service extension for version 1.1 of ASP.NET is configured within the list and has its status set to Allowed so that it can handle requests. This is because this machine was specified as an applica- tion server when the Windows Server 2003 operating system was installed. FIGURE 12.5 Managing the Web service extensions in IIS 6.0 on Windows Server 2003. To add a new extension for a different version of the .NET Framework, you click the Add a New Web Service Extension link. Then you type the name of the extension in the New Web Service Extension dialog, check the option Set Extension Status to Allowed, and click the Add button. In the Add File dialog that appears, you navigate to the appropriate .NET Framework version folder and select the aspnet_isapi.dll file (see Figure 12.6). After you click OK twice, the new Web service extension appears in the list. Now any ASP.NET pages or resources that are configured to use this version of the .NET Framework—in other words, applications that specify this version of aspnet_isapi.dll in their script mappings—will run (see Figure 12.7).
  7. 494 12 Side-by-Side Execution in ASP.NET FIGURE 12.6 Adding a new Web service extension. FIGURE 12.7 A new Web service extension in Internet Information Services Manager. IIS 6.0 Application Pools If you try to run ASP.NET applications that are configured to use different versions of the .NET Framework on the same machine under Windows 2003 and IIS 6.0, you must either segregate them by version in different application pools or disable application pooling altogether and run in IIS 5.0 isolation mode (described later in this chapter, in the section “Using IIS 5.0 Isolation Mode in IIS 6.0”). By default, IIS 6.0 uses a common process for all the applications running in the same application pool. If applications in the same application pool try to use different versions of ASP.NET, you’ll see the Server Application Unavailable page and the error message shown in Figure 12.8 appears in the Application section of the event log. To get around this, you can create a new application pool and then assign the applications that require different versions of the .NET Framework to different pools. You can run all the applica- tions that use the same version of the .NET Framework in the same application pool, or you can create multiple application pools and allocate your applications between them.
  8. ASP.NET and IIS 6.0 on Windows Server 2003 495 FIGURE 12.8 The error messages when multiple versions of ASP.NET are not configured in separate application pools. Creating a New Application Pool To create a new application pool, you right-click the Application Pools folder in Internet Information Services Manager and select New; then you select Application Pool. Next, you enter the name for the new application pool in the Add New Application Pool dialog that appears, and you select the first option button to use the default settings. Alternatively, if you have created a template for application pools, you can base the new one on that by selecting the second option button (see Figure 12.9). FIGURE 12.9 Creating a new application pool in IIS 6.0. Allocating ASP.NET Applications to an Application Pool To assign a Web site or virtual Web application to an existing application pool, you just have to select it in the Properties dialog for the site or application. In the Home Directory tab or the Virtual Directory tab of the Properties dialog, you use the drop-down Application Pool list at the bottom of the dialog to specify which application pool you require (see Figure 12.10).
  9. 496 12 Side-by-Side Execution in ASP.NET FIGURE 12.10 Selecting the application pool for an ASP .NET Web application. Using IIS 5.0 Isolation Mode in IIS 6.0 You can configure IIS 6.0 to run in IIS 5.0 isolation mode. In this mode, the application-pooling feature that is turned on by default in IIS 6.0 is disabled, and applications run under the same process isolation model as in IIS 5.0. If you enable IIS 5.0 isolation mode, you can run ASP.NET applications that execute under different versions of the .NET Framework without having to create separate application pools. To enable IIS 5.0 isolation mode, you open the Properties dialog for the Web Sites folder and check the Run WWW Service in IIS 5.0 Isolation Mode option (see Figure 12.11). When you close the Properties dialog, IIS prompts you to restart the service to put the new setting into effect. FIGURE 12.11 Specifying IIS 5.0 isolation mode in IIS 6.0.
  10. Summary 497 However, in IIS 5.0 isolation mode you do not benefit from many of the improvements in IIS 6.0, including better process management and deadlock detection. You should avoid using IIS 5.0 isolation mode unless it is absolutely necessary. Summary This chapter looks at how the .NET Framework allows you to run multiple versions side-by-side and select which version each application should run under. This is a huge advance over previ- ous versions of ASP, where you had to perform a full server upgrade and shift all your applica- tions to the newly installed version. Along with the fundamental changes that the .NET Framework provides, such as freedom from reliance on COM components and “DLL hell,” ASP.NET side-by-side execution also solves many issues you had to cope with in the past. In particular, running and testing different versions of your Web sites and Web applications are now much easier and much more controllable. You can move an application from one version of the .NET Framework to another quickly and easily. As well as side-by-side execution, this chapter also looks at the changes to the namespaces in the .NET Framework that are relevant to ASP.NET and Web applications. There are many minor changes between versions 1.0 and 1.1, and there are quite a lot of bug fixes, but only a few of these affect applications when you migrate from one version to another. This chapter summa- rizes the changes that are most likely to affect your applications and how you can get around the issues these changes raise. Finally, this chapter looks at the latest version of the Windows operating system, Windows Server 2003, and the way it affects ASP.NET applications. The better performance and robustness of IIS version 6.0 certainly make it worth considering an upgrade to Windows Server 2003.
  11. 13 IN THIS CHAPTER Building a Reusable Sign-in Control 500 BEST PRACTICE: Taking Validating User Input 504 Hashing Passwords 506 Advantage of Helping Users Who Forget Their Passwords 508 Forms Persistent Authentication Cookies 514 Authentication Using Forms Authentication in Web Farms 516 Cookieless Forms Authentication 519 Using forms authentication is a great way Protecting Non-ASP.NET Content 523 to create ASP.NET applications that require Supporting Role-Based Authorization users to sign in to perform certain opera- with Forms Authentication 526 tions. The features provided by forms Using Multiple Sign-in Pages 528 authentication make it quick and easy to create a secure authentication system and to Dealing with Failed Authorization 530 make checks against that system in code. Listing Signed-in Users 531 Sometimes, though, you want an authenti- Forcibly Signing a User Out 533 cation system that you have built on forms authentication to do things that the basic Summary 535 forms authentication implementation does not. Fortunately, the ASP.NET developers at Microsoft anticipated this and built the entire system in a way that makes it easy to customize to your particular needs. This chapter looks at lots of situations in which you need to use forms authentication in ways that are different from the standard approach. This chapter assumes that you are already familiar with the basics of forms authentica- tion, setting up the web.config file, and creating a sign-in form. If you have not used forms authentication before at all, it would
  12. 500 13 Taking Advantage of Forms Authentication be worth working through a basic example (there are loads available online and in other books) before reading this chapter. One basic piece of advice that you should keep in mind while reading this chapter is to use SSL for your sign-in page. Forms authentication protects the authentication ticket that is used to identify signed-in users by encrypting it and testing for tampering, but that is useless if you allow your users’ passwords to be stolen by having them submitted to your sign-in page in plain text. The Internet Information Services online help (available by browsing to http://localhost/ iishelp on a default installation of IIS) includes details of how to get a server certificate and then use it to set up SSL. Note that provided that your users are not entering or viewing any confidential information through your application, you only need to protect the sign-in page with SSL. Once the user has signed in, the encryption provided by ASP.NET by default will protect the user’s subsequent requests. Of course, if you include a sign-in control on several pages, you will need to protect all those pages. Building a Reusable Sign-in Control The standard way to do sign-in in ASP.NET applications that use forms authentication is to provide a sign-in Web form to which users are redirected when they attempt to access a page that they are not authorized to view (based on the settings in the section of the configuration file). However, many Web applications do not divide features for authenticated and anonymous (non-authenticated) users into separate Web forms; instead, they display addi- tional features for authenticated users on the same Web forms that all users see. For example, a forum application might allow all users to view posts but allow only authenticated users to reply to posts or start new threads. In situations like this, it makes a lot of sense to include sign-in controls as part of the overall page structure of the application. This section shows an example of a user control you can build to show sign-in controls for anonymous users and other controls for authenticated users. This example simply shows a welcome message and a sign-out link, but you could use the ideas presented in this example for all sorts of application-specific options. When the user is not signed in, the control looks as shown in Figure 13.1. When the user is signed in, the control looks as shown in Figure 13.2.
  13. Building a Reusable Sign-in Control 501 FIGURE 13.1 A sample sign-in control, when the user is not signed in. FIGURE 13.2 A sample sign-in user control, when the user is signed in.
  14. 502 13 Taking Advantage of Forms Authentication Listing 13.1 shows the code for the .ascx file of a simple sign-in control. LISTING 13.1 .ascx Code for the Sample Sign-in Control Username: Password: Sign In
  15. Building a Reusable Sign-in Control 503 LISTING 13.1 Continued Welcome back, [username] Sign Out The control is composed of two elements, which are set to runat=”server” so that you can make them visible or invisible, depending on whether the user is signed in. Standard elements are used rather than controls because server-side access is only required in order to set the visibility. Using the Web control table would mean creating server-side table row and table cell controls and would require extra overhead. Note that you include RegularExpressionValidator controls for both the username and the pass- word input controls. In both cases, you set up the regular expression to accept only alphanu- meric characters and require the input to consist of between 5 and 20 characters. RegularExpressionValidator as a Validation Tool The regular expression used here, If you are not familiar with regular expression [a-z|A-Z|0-9|]{5,20}, has a group (marked by syntax, you really should learn it. []) which will match to a character that falls RegularExpressionValidator is an excel- into any of the three ranges defined within it, lent validation tool, and it is just the tip of the followed by the minimum and maximum iceberg for using regular expressions—they number of characters (marked by {}). If you are great for all kinds of text matching and wanted to allow any number of characters, processing tasks. you would replace the {5,20} with *. There is lots of information in the .NET Framework documentation. For some reason, The CausesValidation attribute of each the JScript .NET section of the documentation LinkButton control is set to False. This might has a particularly good guide to the syntax seem strange, considering that you have and usage of this powerful pseudo-language. included validators, but it will become clear A search for “regular expressions” will provide shortly. links to all the relevant sections.
  16. 504 13 Taking Advantage of Forms Authentication BEST PRACTICE Validating User Input You should always validate users’ input to your application to ensure that it contains what you expect it to contain. Getting into the habit of validating every input is a great way to prevent problems due to unexpected inputs. A couple common attacks are made against Web applications that are best prevented through vali- dation of all input. Script injection (the addition of malicious JavaScript code in an attempt to get it displayed by the application and thus run by your visitors’ browsers) is stopped dead by the preven- tion of the characters it needs from being entered. Similarly, SQL injection, where malicious SQL code is entered in an attempt to have your database execute it, is prevented by good validation. Both script injection and SQL injection can be prevented in other ways (indeed, ASP.NET now has a default defense against the inputting of harmful code), but it is always wise to defend in depth—that is, to protect your application at every stage rather that rely on a single defense. Good validation across the board has other advantages, too. Providing users with feedback on what they are doing wrong is a great way to help them with any difficulties they may have. The code-behind file shown in Listing 13.1 includes declarations for the two server-side elements that are used: Public Class SignIn Inherits System.Web.UI.UserControl Protected WithEvents AnonymousControls As System.Web.UI.HtmlControls.HtmlTable Protected WithEvents AuthenticatedControls As System.Web.UI.HtmlControls.HtmlTable The control is initialized with a simple Page_Load event handler: Private Sub Page_Load(ByVal sender As System.Object, _ ByVal e As System.EventArgs) _ Handles MyBase.Load ‘check whether the user is authenticated If Request.IsAuthenticated Then ‘the user is authenticated, so display the authenticated controls AnonymousControls.Visible = False AuthenticatedControls.Visible = True ‘populate the username display UsernameLabel.Text = Context.User.Identity.Name Else ‘the user is not authenticated, so display the anonymous controls AnonymousControls.Visible = True AuthenticatedControls.Visible = False End If End Sub
  17. Building a Reusable Sign-in Control 505 The interesting stuff happens in the event handler for the Click event of the SignInLinkButton control: Private Sub SignInButton_Click(ByVal sender As System.Object, _ ByVal e As System.EventArgs) _ Handles SignInButton.Click Dim valid As Boolean = True Dim c As Control Dim v As BaseValidator ‘loop through all validators on the page For Each v In Page.Validators ‘check whether the validator is attached to this user control If Not Me.FindControl(v.ControlToValidate) Is Nothing Then ‘validate the control v.Validate() ‘check whether the control validated successfully If Not v.IsValid Then Response.Write(v.ID) ‘if it did not validate, set valid to false valid = False End If End If Next ‘only proceed with sign in if the controls on this user control are valid If valid Then ‘authenticate the user against the credentials stored in the web.config ‘if you use a different credentials store, check against that here If FormsAuthentication.Authenticate(UsernameTextBox.Text, _ PasswordTextBox.Text) Then ‘set the authentication cookie FormsAuthentication.SetAuthCookie(UsernameTextBox.Text, False) ‘refresh the page Response.Redirect(Request.Url.PathAndQuery) End If End If End Sub Note that this code assumes that the System.Web.Security namespace has been specified using an Imports statement (in C#) at the top of the code file.
  18. 506 13 Taking Advantage of Forms Authentication The first part of this code performs validation for all the validators that are attached to controls that are in this user control. This is why the CausesValidation property of the SignInButton control was set to False: You are calling the Validate methods of the validators rather than having ASP.NET do it automatically when the LinkButton controls are clicked. You call the Validate methods of the validators because you do not want the sign-in control to be affected by the validation states of controls that are outside the user control. If you used the standard approach, a failed validation anywhere on the page would prevent the sign-in control from signing the user in, even if the username and password TextBox controls were valid. This is a problem for any user control that you want to operate independently of other parts of the page because ASP.NET groups all validators into a single collection under the Page object. You could explicitly call the Validate methods on the two validators, but we thought it would be worth showing some general code that can be added to any user control to perform limited validation for the controls it contains. This approach will have a very slight performance impli- cation, but it also means that any changes to the validation controls will be automatically reflected in the validation code. After performing validation, you check the valid variable to ensure that no validators failed vali- dation and, if everything is fine, you check the user’s credentials. For simplicity, the standard web.config file credentials store is used in this example, but you can insert your own credentials check code to check against whatever store you like. If the credentials are okay, you set the authentication cookie with the following code: FormsAuthentication.SetAuthCookie(UsernameTextBox.Text, False) At this point, this code differs from the standard forms authentication login page code. Rather than use the FormsAuthentication.RedirectFromLoginPage method, it uses the SetAuthCookie method, which sets the authentication cookie but does not do a redirection. You want to refresh the page after setting the cookie, so you redirect the user back to the same page and query string: Response.Redirect(Request.Url.PathAndQuery) Hashing Passwords These days, most decent applications do not store their users’ passwords as plain text. You have to assume that because nothing is 100% secure, there is a chance that an application will be compromised and the credentials, however they are stored, may be stolen. In a small application, this might not be a huge problem in comparison to other issues that arise when security is breached; the users’ passwords can be reset in order to render the stolen passwords useless. But imagine trying to do this for an application with more than a handful of users—it would be a nightmare!
  19. Hashing Passwords 507 There is way to mitigate the risk of passwords being stolen. By using a technique called hashing, you can store encrypted passwords, rather than plain-text passwords, in your credentials store. Hashing is also known as one-way encryption because after you have created a hash from a pass- word, it is not practical to work back the other way and recover the password. If someone steals the hashed passwords, they will be of no use in further compromising the system. Another advantage of using hashed passwords is that, with the passwords hashed, it is a lot harder for an administrator to pretend to be another user; he or she cannot simply read the password from the database and use it to sign in. This helps to ensure that actions apparently carried out by a particular user really were done by that user. Forms authentication has support for password hashing built in, through the FormsAuthentication. HashPasswordForStoringInPasswordFile method and the passwordFormat attribute of the section of the web.config file. In order to use hashed credentials in the web.config file, you need a way to generate the hashes. The following is the button click event from the code-behind file for a simple Web form that has a text box, a button, and two labels on it to accept a password and generate hashes in the two formats that ASP.NET can use: Private Sub GenerateHashes_Click(ByVal sender As System.Object, _ ByVal e As System.EventArgs) _ Handles GenerateHashes.Click MD5Label.Text = “MD5: “ + _ FormsAuthentication.HashPasswordForStoringInConfigFile _ (PasswordTextBox.Text, “MD5”) SHA1Label.Text = “SHA1: “ + _ FormsAuthentication.HashPasswordForStoringInConfigFile _ (PasswordTextBox.Text, “SHA1”) End Sub Note that if you do not use the Visual Studio .NET designer to create the form, you need to add declarations to the code-behind file for the GenerateHashes control (a Button control) and the MD5Label and SHA1Label controls (both Label controls). When you have a hashed password, you simply need to include it in the web.config file’s section and set the passwordFormat attribute. The following example uses an SHA1 hash: With this hash in place, the FormsAuthentication.Authenticate method will now automatically hash the password the user has entered before comparing it to the value stored in the configura- tion file.
Đồng bộ tài khoản