
Drill Down on Authentication (Continued)

The question mark is a wildcard character that matches all anonymous users. Including this rule in your web.config file specifies that anonymous users aren't allowed. Every user must be authenticated, and every user request will require the forms authentication ticket (which is a cookie). If you request a page in the application directory now, ASP.NET detects that the request isn't authenticated and attempts to redirect the request to the login page (which will probably cause an error, unless you've already created this page).

Note that the <authorization> element isn't limited to the web.config file in the root of the web application. Instead, you can use it in any subdirectory, thereby allowing you to set different authorization settings for different groups of pages.
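The rule described above, written out as a complete web.config (an added example, not a listing from the book). The forms element's loginUrl, cookie name and timeout, the user name "alice" and the "Public" folder are assumptions; the deny rule with the ? wildcard is the one the text describes. The location element at the end does what the note above says a subdirectory web.config can do, namely override the authorization settings for one group of pages:

```xml
<?xml version="1.0"?>
<!-- Added example web.config; names, paths and values are assumptions -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".SAMPLEAUTH"
             timeout="20"
             slidingExpiration="false"
             protection="All"
             requireSSL="true">
        <!-- Credential store kept in web.config, as the article assumes.
             The hash is an unsalted SHA1 of the password; placeholder below. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="SHA1-HEX-DIGEST-OF-PASSWORD-HERE"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" matches every anonymous user: nobody gets in without a ticket -->
      <deny users="?"/>
    </authorization>
  </system.web>

  <!-- Override for one subdirectory: pages under /Public stay reachable
       without a ticket. A web.config placed in that folder containing just
       the authorization element has the same effect. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things to keep in mind with this configuration: the deny rule is enforced only for requests that IIS hands to ASP.NET, so static files such as .html or .gif in the protected directory are not covered unless their extensions are mapped to ASP.NET as well; and the credentials element stores unsalted hashes that cannot be changed without editing the configuration file, which makes it suitable for a demonstration but not for a production user store.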

The next step is to create a custom login page. This page collects a user name and password from the user and validates them against the credentials stored in the credential store. If you store the credentials in web.config, this is extremely easy (see Figure 1).

Note that this page also contains some validation controls (not visible in the figure). Such controls let the user enter only valid values for a user name and a password. Listing 1 shows all the controls contained on the login page.

Supply Validation Controls
The validation controls serve two purposes. First, the RequiredFieldValidator controls ensure that both a user name and a password are entered. Second, the RegularExpressionValidator controls ensure that only valid values are entered in the User Name text field and in the Password text field, that is, values containing only the characters allowed for user names and passwords. For example, the user name may contain letters, digits, and spaces only:

ValidationExpression="[\w ]*"

The \w character class corresponds to [a-zA-Z_0-9] (in .NET it also matches letters and digits outside ASCII, so write the class out as [a-zA-Z_0-9 ]* if you want the ASCII set only), and the space after it allows spaces in the user name. Do not separate the members of a character class with |: inside square brackets the pipe is a literal character, not alternation, and the expression would silently admit it. The password, for example, may also contain special characters:

ValidationExpression='[\w !"§$%&amp;/()=\-?\*]*'

You use the single quote to enclose the attribute value because the expression itself contains the double quote as an allowed special character. Furthermore, the attribute value is part of the page markup, so HTML entities apply: &amp; indicates that the ampersand (&) character is allowed in the password. The validation controls let you stop users from entering values for the user name or the password that would lead to a SQL injection attack. The client-side script that the validators emit can be bypassed, but the same checks run again on the server, which is why the Click handler must test Page.IsValid before it uses the entered values. In addition to using parameterized SQL queries, you should always use validation controls to mitigate this type of attack in your applications.

The last step for creating the login page is to write the code that validates the values entered by the user against the stored credentials. You have to add the necessary code to the Click event of the login button:

protected void LoginAction_Click(object sender, EventArgs e)
{
    Page.Validate();
    if (!Page.IsValid) return;

    if (FormsAuthentication.Authenticate(
            UsernameText.Text, PasswordText.Text))
    {
        // Create the ticket, add the cookie to the
        // response, and redirect to the originally
        // requested page
        FormsAuthentication.RedirectFromLoginPage(
            UsernameText.Text, false);
    }
    else
    {
        // User name and password are not correct
        LegendStatus.Text =
            "Invalid username or password!";
    }
}
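The complete login page that the steps above describe, with the validation controls and the Click handler in one file, as an added example (it is not the book's Listing 1 or Figure 1). The control IDs UsernameText, PasswordText, LegendStatus and LoginAction are the ones used in the article; the form ID, the validator IDs, the MaxLength values and the error messages are assumptions:

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>

<script runat="server">
    // Server-side handler for the login button. Page.Validate() re-runs every
    // validator on the server, so a client that skipped the JavaScript
    // validation still cannot get past the allowlists below.
    protected void LoginAction_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;

        if (FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text))
        {
            // Issue the forms ticket cookie and return to the originally
            // requested page; "false" means no persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(UsernameText.Text, false);
        }
        else
        {
            // Same message whether the user name or the password was wrong,
            // so the form does not reveal which accounts exist.
            LegendStatus.Text = "Invalid username or password!";
        }
    }
</script>

<html>
<head><title>Login</title></head>
<body>
<form id="LoginForm" runat="server">
    <asp:Label ID="LegendStatus" runat="server" EnableViewState="false" />
    <p>
        User name:
        <asp:TextBox ID="UsernameText" runat="server" MaxLength="32" />
        <!-- RequiredFieldValidator: the field must not be empty. The other
             validators treat an empty field as valid, so this one is needed. -->
        <asp:RequiredFieldValidator ID="UsernameRequired" runat="server"
            ControlToValidate="UsernameText" Display="Dynamic"
            ErrorMessage="Please enter a user name." />
        <!-- RegularExpressionValidator: allowlist of letters, digits, underscore
             and space. No "|" inside the class; there it would be a literal pipe. -->
        <asp:RegularExpressionValidator ID="UsernameFormat" runat="server"
            ControlToValidate="UsernameText" Display="Dynamic"
            ValidationExpression="[\w ]*"
            ErrorMessage="User name may contain letters, digits and spaces only." />
    </p>
    <p>
        Password:
        <asp:TextBox ID="PasswordText" runat="server" TextMode="Password" MaxLength="64" />
        <asp:RequiredFieldValidator ID="PasswordRequired" runat="server"
            ControlToValidate="PasswordText" Display="Dynamic"
            ErrorMessage="Please enter a password." />
        <!-- Single quotes around the value because the allowlist contains a
             double quote; &amp; is the HTML entity for the ampersand. -->
        <asp:RegularExpressionValidator ID="PasswordFormat" runat="server"
            ControlToValidate="PasswordText" Display="Dynamic"
            ValidationExpression='[\w !"§$%&amp;/()=\-?\*]*'
            ErrorMessage="Password contains a character that is not allowed." />
    </p>
    <asp:Button ID="LoginAction" runat="server" Text="Log in"
        OnClick="LoginAction_Click" />
</form>
</body>
</html>
```

The RegularExpressionValidator requires the whole field value to match the expression, so no anchors are needed in the pattern. A RequiredFieldValidator sits beside each of them because every other validator type reports an empty field as valid; without it, a blank user name would pass the allowlist. The MaxLength attributes are an extra server-side bound on the input length that costs nothing and limits what reaches the credential check.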

Forms authentication uses standard HTML forms for entering credentials, so you send the user name and password over the network as plain text. This is an obvious security risk—anyone who intercepts the network traffic can read the user names and passwords that are entered into the login form. For this reason, it's strongly recommended that you encrypt the traffic between the browser and the server using SSL (as described in Chapter 19), at least while the user is accessing the login page. Keep in mind that the forms authentication ticket cookie accompanies every later request, so encrypting the login page alone still exposes the ticket to the same interception; setting requireSSL="true" on the <forms> element marks the cookie as secure, and the browser then never sends it over a plain HTTP connection.
