AACS4134 Internet Programming

Tutorial 5
1. Imagine you have a web site that features a Login page with a single Login control. What change to the Login control do you need to make to send users to MyProfile.aspx in the root directory after they log in?

    <asp:Login ID="Login1" runat="server" DestinationPageUrl="~/MyProfile.aspx" />

When a user logs in successfully, she is taken to MyProfile.aspx automatically.

2. What is the difference between the LoginView and LoginStatus controls?

LoginStatus displays simple text that indicates whether the user is logged in or not. By default the text is Login when the user is not logged in, and Logout when the user is already logged in. Clicking the link either sends the user to the default Login page or logs the user out.

LoginView is somewhat similar in that it displays different content depending on whether the user is currently logged in. However, because the control is completely template driven, you can fully control the content that is displayed. It consists of a LoggedInTemplate and an AnonymousTemplate to display different content to the user depending on the user's status. To differentiate between user roles, you can use the RoleGroups element to set up templates that are only shown to users in specific roles.

3. What is the difference between authorization and authentication?

Authentication: The process of checking whether users are who they claim to be. The process of authentication involves requesting details (such as a user name and password and maybe even a zip code or mother's maiden name) from a user. These details are then checked against a relevant authority, such as a database or a Windows domain server.

Authorization: The process of granting a user (or a group of users) the permission to use a resource, or denying them access to a resource or a group of resources.

4. How does Forms-Based Authentication work?

Forms-based authentication uses cookies. When a user logs into your Web application using forms-based authentication, ASP.NET issues an authentication cookie that will be sent back and forth between the server and the client during the ensuing Web requests.

Forms-based authentication is easy to implement. All you have to do is create a configuration file (web.config), a login page to accept (and then verify) the credentials from the user, and a default page where you'll display the content you wish to restrict.

Chapter 5 Membership and Role Management

5. Right now the Management folder is blocked for all users except those in the Managers role. What change do you need to make to the web.config file if you want to open up the folder for the user John and all people in the Editors role?

    <authorization>
      <allow roles="Managers, Editors" />
      <allow users="John" />
      <deny users="*" />
    </authorization>

6. Generally it is best to manage users through roles as much as possible. Do you agree? Explain your answer based on the scenario in question 6.

It depends on the situation. If the user belongs under a particular role, then it is best to assign the user to that role in order to grant the privilege. However, you may end up giving more rights than you want if a user is assigned to a role. According to the scenario in question 6, assuming John is a manager, it would be appropriate to add John to the Managers role. However, if John is neither a manager nor an editor, then it would be better to grant individual access.

7. Consider a Web application with 2 different roles: admin and staff. Staff is not allowed to access the pages in the folder named admin_folder, whereas admin is allowed to view all pages in the application. In addition, unauthenticated users must not be allowed to access the files in admin_folder. If unauthenticated users attempt to access any file in admin_folder, they will be redirected to the Login.aspx page. Demonstrate how the above can be done by inserting the necessary code in the Web.Config file.

This code will be put inside the Web.Config file in the main project folder.

    <roleManager enabled="true" />
    <authentication mode="Forms" />

This code will be put inside the Web.Config file in the admin_folder.

    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
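The rule order in the answers to questions 5 and 7 matters because URL authorization stops at the first rule that matches. The following Python sketch is an added example, not part of the original tutorial and not ASP.NET's own code: it is a simplified model of that first-match evaluation, run over constructed copies of the two sections. The function names, the sample user names and the "allow when nothing matches" default are assumptions of the model, and the `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the <authorization> sections from questions 5 and 7.
MANAGEMENT = """<authorization>
  <allow roles="Managers, Editors" />
  <allow users="John" />
  <deny users="*" />
</authorization>"""

ADMIN_FOLDER = """<authorization>
  <allow roles="admin" />
  <deny users="*" />
</authorization>"""


def _names(rule, attr):
    # Comma-separated attribute; entries are trimmed and compared case-insensitively.
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}


def is_allowed(section_xml, user=None, roles=()):
    """Walk the rules top to bottom; the first rule that matches decides.

    user=None stands for an anonymous (unauthenticated) request.
    """
    user_roles = {r.lower() for r in roles}
    for rule in ET.fromstring(section_xml):
        users = _names(rule, "users")
        matched = (
            "*" in users                                   # everyone
            or (user is None and "?" in users)             # anonymous only
            or (user is not None and user.lower() in users)
            or bool(user_roles & _names(rule, "roles"))
        )
        if matched:
            return rule.tag == "allow"
    return True  # assumption: no rule matched, so the inherited allow-all default applies


def reorder_deny_first(section_xml):
    """Return the same section with its <deny> rules moved to the top (a common mistake)."""
    root = ET.fromstring(section_xml)
    rules = sorted(root, key=lambda r: r.tag != "deny")  # stable sort: deny rules first
    for r in list(root):
        root.remove(r)
    root.extend(rules)
    return ET.tostring(root, encoding="unicode")
```

With `<deny users="*" />` moved to the top, the model rejects even a user in the admin role, which is why the deny-all rule goes last in both answers.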
