Log-In Control and State

ASP.Net
 Stateless Web

 One of the difficulties of Web programming is that it takes place

in a stateless environment.
 That is, information that is generated on one page is not
normally accessible by any other page.
 When navigating from one page to the next, all knowledge of the
previous page is lost.
 Neither the browser nor the server retains any information
associated with the previous page.
 Each page access occurs as if it were the first time it has ever
happened.
 Since the processing "states" of Web pages are not normally
maintained between page navigations, it introduces difficulties in
coordinating processing work between pages;
 thus, the introduction in ASP.NET of View States, Sessions, and
other methods to "maintain state" between pages.
 Some Solutions

 This problem of sharing information between pages

of a Web site has been attacked in several ways in
the past.
 Browser cookies are one way of saving information
from one page to make it accessible by another
page.
 Small amounts of data can be written from a page to
a cookie file on the local computer and then retrieved
from that same computer by a different page.
 However, cookies are limited in the amount of
information that can be saved to the browser for later
retrieval.
 …also, some clients may disable cookies on their
machines..
 Form Submission

 In a similar way, Web forms have been used

to collect information on one page to pass
along to a second page, often through
"hidden" fields of data and control
information.
 Although form submission is the primary
technique for gathering user data for
processing, it involves extra, and often times
unnecessary, coding overhead to simply
maintain state between pages
 ASP.Net however, uses form control as a
mechanism for data transfer between pages
Scene set!
Scene set2
 Session Variables

 Our goal is to create a variable that you can

use throughout your site, passing it from one
page to the next
 In order to achieve this ASP.Net has a
number of built-in objects
 Request and Response being prime
examples of these.
 Two other objects that all ASP scripts have
access to are Application and Session, and it
is these special objects that let us store data
that will be accessible by all ASP.Net scripts
in the current Web application.
 The Application Object

 Whereas every page request gets its own Request

and Response objects, all requests for ASP.Net
pages in a Web application share the same
Application object.
 This object is created the first time an ASP page is
requested from the application after the Web server
starts up, and is destroyed when the Web server
shuts down, or when the Web application is unloaded
manually in the IIS management console.
 Because this object persists from one page request
to another, it can be used to store data that you want
to share with all other pages in your application.
 To store a value in the application object, simply use
the following syntax:
 Application("varName") = value
 Accessing Application variables
 You can then access that stored value as you would a regular variable,
except as Application("varName"). A simple use of the Application
object would be for a hit counter. You could record the number of hits
your Website has received as Application("hits"), and increment that
value with each page request. Here's the basic code involved:

<html>
<head>
<title> Simple counter </title>
</head>
<body>
<p>Page requests:
 <%
 Application.Lock
 Application("hits") = Application("hits") + 1
Response.Write(Application("hits"))
 Application.unlock
%>
 </p>
</body>
</html>
 Application Lock

 The call to Application.Lock waits for any

other processes to finish accessing the
Application object, before locking access to it.
 This forces other clients to wait until the call
to Application.Unlock before they can read or
write the stored values again.
 This effectively prevents the occurrence of
mix-ups where 2 browsers laod this page at
the same time
 The Session Object

 The Session object is very similar to the

Application object, as it allows you to store
values that are shared between all the pages
of your site.
 The main difference between the two is that,
where a single Application object is shared by
all pages and all clients that access your site.
 However, for a Session object, each client
(browser) is assigned its own Session object.
 Typical use of session variable

 A typical use of the Session object is to store

a user's shopping cart on an online shopping
site.
 Obviously it doesn't make sense for all your
users to share a single shopping cart, so the
fact that each user gets a Session object of
his or her own fits the bill precisely.
 Also, it can be used to prevent unauthoruised
access to a Web page??
 ASP Sessions and Applications - The global.asax File

 global.asax is a special file that you can

create in the root directory of your Web
application.
 It specifies the actions to be taken in
response to four events:
 Application start (Application_OnStart)
 Application end (Application_OnEnd)
 Session start (Session_OnStart)
 Session end (Session_OnEnd)
 The On_Start Methods

 Application_OnStart can be used to set up

initial values for application variables, or
perhaps to restore some saved information
from the last time the Web server was run, by
loading it from a file or database.
 Application_OnEnd, meanwhile, is generally
used to clean up any open resources, and
save information that will be needed the next
time the Web application is started.
 Session_OnStart and Session_OnEnd
perform similar functions for user sessions.
A Typical Global.asax file
 A Quick demo

 Suppose that you have the following site structure

 Page1 – hit counter plus simple log-in ( just some name
will do)
 Page 2 – Checks if the user entered a name or else user
is re-directed to login page
Login Page
The Second (Restricted) Page
 Some Issues

 Note that a user who has not entered a user

name cannot get into page 2
 Also, if the URL for page 2 is typed directly
into the browser, the user is immediately re-
directed to the log-in page
 Creating Log-in Controls Manually

 This can be an arduous task – that is why

membership controls are better
 However, it is nice to know how to do log-in
controls manually
 First create a SQL Server table of user
names and passwords
 Using the ASP.Net Page Template

 Rearrange the site master so that the page

resembles…

 The idea is that access to the private pages is

restricted…to do this is quite simple
 Write the code for the Page_Load event handler of
the web page so that it will only load if it can find
the value of a Session variable that you control
 The Page Load Event of the Private Page

 The protection code for restricted web page is

quite simple …it goes something like..

 The session variable is created in the

Global.asax file of the entire web application
The Global File
 So now you would like to log-in!

 The log-in page consists of 2 textboxes and a

button that triggers querying of the database
to check if the username and password exists
 It basically does a search on the database
and returns a single row of data if a
username and password match is found
 If a match is found, you have to set the
session variable’s value (which is currently
nothing) to the username value returned from
the textbox
 Once this Session is set, it will allow you entry
into the Private Page
 The Login Page

 A Sql DataSource is used to take the

username and password as parameters into
the database
 The row that is returned is bound to a
DetailsView
 If the Detailsview has more than zero rows, it
mean that there is a username and password
match …in which case the user is allowed to
enter the Private Page
The Main Action is on the Site Master
 To Use the Membership suite or not!

 The Membership suite of controls

 Allows you to forget about the harshness of
maintaining state
 It presents you with an automatic updated
view of the log-in status of the user
 It does however, create a problem when
linking the user’s credentials to the business
database
 If you go for the manual version, then
 You will have better control in terms of linking
with the actual business
 However, there will be much more
programming required …can get quite messy!