Simple Forms Authentication Example using ASP.NET Configuration Tool
It is very simple and easy to create Forms-Based authentication in an ASP.NET web application with the ASP.NET Configuration tool that is installed along with the Visual Studio IDE. There are many other features for which this tool can be used, such as application management, provider configuration, etc., but I am going to explain only the security configuration part of it. This tool enables you to implement simple and role-based authentication in a few steps without having to write all the configuration code yourself.
To explain this I am going to create an ASP.NET web application (not the empty ASP.NET web application) which has some of the security features already implemented in it. Since my aim is only to explain the implementation of forms authentication using the ASP.NET Configuration tool, which automatically generates all the configuration code for you, I am using the default ASP.NET web application, which already has the login page and register page with the necessary login server controls.
Steps to Implement Forms Authentication in ASP.NET
1. To start with, create an ASP.NET website in Visual Studio Web Developer Platform. Open File Menu -> New Project -> ASP.NET Web Application. I have named it "ConfigureAuthenticationDemo1".
2. After creating the project, go to Solution Explorer, where you can see a folder called "App_Data". This is the default database store where you can add your own SQL database that contains user information, or use the default SQL database that ASP.NET provides to store user information. I am going to use the default SQL database that ASP.NET creates automatically when we use any of these login services.
To do this, simply build the project and, in the browser, click on the "Log In" link at the right corner of the page to go to the login page. Since you do not have any registered users for your application yet, click on the "Register" button in the login page and create a user account by filling in the registration form with appropriate details. I have created an account with the username 'test'.
Once you have created an account, a default SQL database that stores the user-related information is created in the background. To view the contents of this database, go to Solution Explorer, select "App_Data" and click on the "Show All Files" icon at the top of Solution Explorer. You will now see ASPNETDB.MDF created for you in the App_Data folder.
Now right click on "ASPNETDB.MDF" and select "Include in Project" option to use this database to configure access levels for users.
3. Now we are all set to use the ASP.NET Configuration tool to create users and access rules to manage user accounts.
In the Main Menu, go to Project -> click on ASP.NET Configuration tool.
You will now see the tool launched in your default browser. Go to the "Security" tab in the top navigation and click on the 'Manage user' link, where you will find the user you have already created using the registration page. You can now edit the user details or delete the user account by clicking the 'edit user' and 'delete user' links shown in the below screenshot. You can also create user accounts here using the 'create user' link. I am going to create another user account with the username 'test1'.
4. Now let us go ahead and create some user roles, for example "Admin". We are going to create a secure page that will be visible only to those users who are tagged to the role "Admin". To do this you need to create the "Admin" role first, so go to the Security tab again in the configuration tool and click on the 'Enable role' link. Now you will see two options: one is 'Disable Roles' and the other is 'Create or Manage Roles'. Click on 'Create or Manage Roles' and type 'Admin' in the text box near the 'New Role name' label. Then click on the 'Add Role' button and you are done with the role creation.
5. To map users to admin role, navigate to Security -> Manage users. You will now see two user accounts created for this web application. I am going to map the 'test' account to the 'Admin' role and leave the 'test1' account as such without mapping to any role. To do this, click on 'Edit Roles' link and check the checkbox near 'Admin' role.
6. The next step is to create a folder in the project and include the pages that need to be accessible only to the users mapped to the 'Admin' role and inaccessible to all other users who are not tagged to the Admin role. In this example I have created a folder called "Secured" and a web page named "Secured.aspx".
7. Now the last step is to create access rules that actually tell the system to allow only the users who are tagged to the 'Admin' role to access the secured page. To do this, launch the ASP.NET Configuration tool again and click on the 'Create access rules' link in the Security tab. Navigate to the folder you want to secure, in this case the "Secured" folder.
a. Click on the 'Role' in 'Rule applies to' section and select "Allow" on the permission section. This will allow the users who are tagged to 'Admin' role to view the secured page.
b. Click on the 'All users' in 'Rule applies to' section and select "Deny" on the permission section. This will prevent all other users, irrespective of whether they are logged in or not, from accessing the secured page.
Please see screenshot below for reference.
Now click on 'Manage Access rules' to see the user access rules created.
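The two rules from step 7 are evaluated from top to bottom and the first rule that matches decides, which is why the Allow rule for 'Admin' has to sit above the Deny rule for all users. The Python sketch below is an added example, not part of the original post or of ASP.NET itself: it parses a constructed web.config of the kind the tool writes into the "Secured" folder and applies a simplified first-match model to the 'test' and 'test1' accounts. The helper names load_rules and is_allowed are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of web.config the tool writes into the
# "Secured" folder for the two access rules created in step 7.
SECURED_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""


def _split(value):
    """Turn a comma-separated attribute ("a, b") into a set of names."""
    return {s.strip() for s in (value or "").split(",") if s.strip()}


def load_rules(config_xml):
    """Return the rules as (action, users, roles) tuples in file order."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
            for r in section]


def is_allowed(rules, user=None, roles=()):
    """Simplified model of URL authorization: the first matching rule decides.

    user=None stands for an anonymous (not logged in) request.
    """
    for action, rule_users, rule_roles in rules:
        matches = ("*" in rule_users                          # all users
                   or (user is None and "?" in rule_users)     # anonymous only
                   or (user is not None and user in rule_users)
                   or bool(rule_roles & set(roles)))
        if matches:
            return action == "allow"
    # No rule matched: models the inherited default <allow users="*" />.
    return True


if __name__ == "__main__":
    rules = load_rules(SECURED_CONFIG)
    swapped = list(reversed(rules))  # Deny listed first: it matches everyone
    for name, user, roles in [("test", "test", ["Admin"]),
                              ("test1", "test1", []),
                              ("anonymous", None, [])]:
        print(name, "as created:", is_allowed(rules, user, roles),
              "| rules swapped:", is_allowed(swapped, user, roles))
```

With the rules in the order created above, only 'test' gets through; with the order swapped, the Deny rule matches first and even the 'Admin' user is refused.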
8. That's it! We are done with the implementation of forms authentication without writing any code manually, using only a few settings in the ASP.NET Configuration tool, which generated the code for us in the background.
When you run this project, you will see that whenever you go to the Secured.aspx page it redirects you to the login page if you are not already logged in using the "Admin" account (in this case the user is 'test'). If you want to see how it works, please download the project from the link below and execute it yourself.
To execute it and verify forms authentication implementation, run the solution and navigate to Secured menu from the top navigation which will redirect you to the login page. We have two accounts already created with the below credentials,
Account with no role:
You should be able to log in with the admin account and see the Secured page content, whereas if you try to log in with the 'test1' account you will again be redirected to the login page.
On successful login with test account, you will see this page,
You can also create more users and roles on your own and test it to understand this better.
I hope this post helped you to implement simple forms based authentication in your asp.net web application. Please leave your comments and queries about this post in the comment sections in order for me to improve my writing skills and to showcase more useful posts. Thanks for reading this!!