Security Briefing

DWMX has no built in support for adding security to ASP.NET pages. The ASP.NET platform, however, has built in forms authentication for securing websites. This authentication is defined in the XML of the web.config like so:

<system.web>
<customErrors mode="Off" />
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="admin/login.aspx">
<credentials />
</forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>

This type of security secures the entire website. On login the visitor is redirected to page originally requested or the site’s home page. But we don’t really want to secure the entire application. We just don’t want anyone to get into the admin section. The first thing we have to do is change the word "deny" to allow in root directory web.config. Now our visitors can get into the site. Next create a new web.config file and save it to the admin folder so we can set separate security settings on that folder.

Enter the following in the new web.config:

<configuration>
<system.web>
<authorization>
<allow users="admin" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

Notice that the new web.config has only the security settings for the admin folder. All other settings are inherited from the root web.config. Web.config settings have a top down hierarchy. You might think of them as cascading like style sheets.

Open a new file and save it as “/admin/login.asp.” Add a form, two asp:text controls and an asp:button control. Name the first asp:text control User_Name and the second User_Password. Add the form field validation as before and save your file. Now we need to figure out some way to check the database records for matching User_Name/User_Password combinations and—if it finds them—set the Admin session variable state to true. One method comes to mind immediately. When the user submits his login, the dataset returns empty if a matching username/password combination is not found. If a match is found the record count returns a postive number. So all we need to do is check to see if the query returns a record and if it does throw the admin flag.

We’ll need a dataset with the following query. We’ll also need to build the parameters to collect the form values submitted. Basically we are building a search page, so we will be using the same techniques we have used to build search pages in Classic ASP. The query will look like so:

SELECT * FROM tbl_Admin WHERE tbl_Admin.User_Name = @User_Name And tbl_Admin.User_Password = @User_Password

We need to add the two parameters to pass the values from the login form to the query. Click the “+”  sign at the parameters window and the “Add Parameters” dialog will open. Enter “@User_Name,” select the type as “VarChar.” Next click the “Build” button and the “Build Value” dialog will open. The parameter “@User_Name” will already be in the “Name” field of the “Build Value” dialog. Select “Form Variable” from the drop down “Source” and enter “xyz” into the “Default Value” text field. When you are done it should look like the image below. Click “OK.” When you return to the first window, you’ll see the properly formatted request.form code. Follow the same steps to add the “@User_Password” parameter. After you’ve added the parameters, click “OK” twice to return to the design environment.

Now that we have the dataset and dataset search parameters defined, we need to test our results to authenticate or deny access to the user. For this we will need to do a little hand coding. We can to use a simple if then statement to test the record count returned from our search. If the record count is zero, we don’t authenticate the user. Otherwise we grant access to the admin section.

<%
if ds_login.RecordCount > 0 then
FormsAuthentication.RedirectFromLoginPage("Admin", true)
else if ((Request.Form("User_Password"))) <> Nothing OR ((Request.Form("User_Name"))) <> Nothing
response.Write("Login failed. Please try again.")
end if
%>

As you can see this code is quite simple.