-- Idempotent reset for the walkthrough: drop the sample Users table if an earlier run created it.
-- sysobjects.xtype = 'U' selects user tables, the same test the original made with
-- OBJECTPROPERTY(id, 'IsUserTable') = 1.
IF EXISTS (
    SELECT 1
    FROM sysobjects
    WHERE id = OBJECT_ID(N'[dbo].[Users]')
      AND xtype = N'U'
)
    DROP TABLE [dbo].[Users]
GO
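-- Sample login table for the forms-authentication walkthrough.
--   uname    : login name; the ValidateUser code rejects names longer than 15 characters to match.
--   Pwd      : the password as typed. NOTE(review): stored in clear text and compared in clear text
--              by ValidateUser; a production schema would hold a salted hash here (and would need a
--              wider column than varchar(25) for it).
--   userRole : free-text role ('Manager', 'Admin', 'User' in the seed data).
-- The trailing comma after the last column in the original is removed: it is tolerated by
-- SQL Server but rejected by other engines.
CREATE TABLE [dbo].[Users] (
    [uname]    [varchar] (15) NOT NULL,
    [Pwd]      [varchar] (25) NOT NULL,
    [userRole] [varchar] (25) NOT NULL
) ON [PRIMARY]
GO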
-- uname is the login name and the natural key: enforce uniqueness with a nonclustered primary key.
-- WITH NOCHECK is kept from the original script; per the SQL Server docs it only governs
-- FOREIGN KEY / CHECK validation, so it should be a no-op for a PRIMARY KEY -- confirm on the target version.
ALTER TABLE [dbo].[Users]
    WITH NOCHECK
    ADD CONSTRAINT [PK_Users]
        PRIMARY KEY NONCLUSTERED ([uname])
        ON [PRIMARY]
GO
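-- Seed accounts for the walkthrough. The column list is explicit so the statements do not
-- silently break (or swap fields) if the column order of Users ever changes.
-- NOTE(review): demo credentials -- each password equals the user name and is stored in clear
-- text (see the Pwd column). They exist only to exercise the sample login page.
INSERT INTO Users (uname, Pwd, userRole) VALUES ('user1', 'user1', 'Manager')
INSERT INTO Users (uname, Pwd, userRole) VALUES ('user2', 'user2', 'Admin')
INSERT INTO Users (uname, Pwd, userRole) VALUES ('user3', 'user3', 'User')
GO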
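Private Function ValidateUser(ByVal userName As String, ByVal passWord As String) As Boolean
    ' Looks up the stored password for userName in the Users table and compares it,
    ' case-sensitively, with the supplied passWord.
    '
    ' Returns True only when both inputs pass the length checks, a row for userName
    ' exists, and the stored value matches exactly. Every other outcome -- failed
    ' validation, a database error, no matching row -- returns False; nothing is thrown
    ' to the caller and the exception text is only written to the trace.
    '
    ' NOTE(review): the Users table stores Pwd in clear text, so this is a
    ' plaintext-to-plaintext comparison. Storing a salted hash would be the usual
    ' hardening, but that changes the schema and the seed data, not just this function.
    Dim conn As SqlConnection = Nothing
    Dim cmd As SqlCommand = Nothing
    Dim lookupPassword As String = Nothing

    ' userName must be present and between 1 and 15 characters (uname is varchar(15)).
    ' OrElse short-circuits so .Length is never read on Nothing.
    If userName Is Nothing OrElse userName.Length = 0 OrElse userName.Length > 15 Then
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.")
        Return False
    End If

    ' passWord must be present and between 1 and 25 characters (Pwd is varchar(25)).
    If passWord Is Nothing OrElse passWord.Length = 0 OrElse passWord.Length > 25 Then
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.")
        Return False
    End If

    Try
        ' Consult with your SQL Server administrator for an appropriate connection
        ' string to use to connect to your local SQL Server.
        conn = New SqlConnection("server=localhost;Integrated Security=SSPI;database=pubs")
        conn.Open()

        ' userName is bound as a parameter value, never concatenated into the SQL text.
        ' The parameter is declared 25 wide although uname is varchar(15); harmless here
        ' because userName was already capped at 15 above.
        cmd = New SqlCommand("Select pwd from users where uname=@userName", conn)
        cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25)
        cmd.Parameters("@userName").Value = userName

        ' ExecuteScalar returns Nothing when no row matches, so lookupPassword stays Nothing.
        lookupPassword = CType(cmd.ExecuteScalar(), String)
    Catch ex As Exception
        ' Add error handling here for debugging.
        ' This error message should not be sent back to the caller.
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " & ex.Message)
    Finally
        ' Dispose in Finally so the connection is released even when Open or
        ' ExecuteScalar throws (the original only disposed on the success path).
        If Not cmd Is Nothing Then cmd.Dispose()
        If Not conn Is Nothing Then conn.Dispose()
    End Try

    ' No row (or a database error) means the login fails.
    If lookupPassword Is Nothing Then
        ' You could write failed login attempts here to the event log for additional security.
        Return False
    End If

    ' ignoreCase:=False -> case-sensitive comparison of stored and supplied password.
    Return (String.Compare(lookupPassword, passWord, False) = 0)
End Function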
Private Sub cmdLogin_ServerClick(ByVal sender As Object, ByVal e As System.EventArgs) _
    Handles cmdLogin.ServerClick
    ' Simplest login handler: when the credentials validate, RedirectFromLoginPage issues
    ' the forms-authentication cookie (persistent if the checkbox is ticked) and sends the
    ' user on; otherwise the logon page is reloaded.
    ' This is the first of two alternative handlers for the same event shown in the listing;
    ' only one of them can exist in a page class.
    Dim suppliedName As String = txtUserName.Value

    If Not ValidateUser(suppliedName, txtUserPass.Value) Then
        Response.Redirect("logon.aspx", True)
        Return
    End If

    FormsAuthentication.RedirectFromLoginPage(suppliedName, chkPersistCookie.Checked)
End Sub
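Private Sub cmdLogin_ServerClick(ByVal sender As Object, _
    ByVal e As System.EventArgs) Handles cmdLogin.ServerClick
    ' Login handler that builds the forms-authentication ticket and cookie by hand
    ' (the alternative to RedirectFromLoginPage), then redirects to ReturnURL or default.aspx.
    ' This is the second of two alternative handlers for the same event shown in the
    ' listing; only one of them can exist in a page class.
    If ValidateUser(txtUserName.Value, txtUserPass.Value) Then
        Dim tkt As FormsAuthenticationTicket
        Dim cookiestr As String
        Dim ck As HttpCookie

        ' Version-1 ticket valid for 30 minutes; chkPersistCookie decides whether the
        ' cookie outlives the browser session. "your custom data" is a placeholder payload.
        tkt = New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now(), _
            DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data")
        cookiestr = FormsAuthentication.Encrypt(tkt)
        ck = New HttpCookie(FormsAuthentication.FormsCookieName(), cookiestr)
        If chkPersistCookie.Checked Then ck.Expires = tkt.Expiration
        ck.Path = FormsAuthentication.FormsCookiePath()
        Response.Cookies.Add(ck)

        ' ReturnURL is request-controlled. The original redirected to it unconditionally,
        ' which lets a crafted link send a freshly authenticated user to another site
        ' (open redirect). Only app-rooted paths are honoured; anything else falls back
        ' to default.aspx.
        Dim strRedirect As String
        strRedirect = Request("ReturnURL")
        If Not IsLocalReturnUrl(strRedirect) Then
            strRedirect = "default.aspx"
        End If
        Response.Redirect(strRedirect, True)
    Else
        Response.Redirect("logon.aspx", True)
    End If
End Sub

' True only for paths rooted in this application: "/x" or "~/x". Values that could
' name another host -- "//host", "/\host", or an absolute URL with a scheme -- return False.
Private Function IsLocalReturnUrl(ByVal url As String) As Boolean
    If url Is Nothing OrElse url.Length = 0 Then Return False
    If url.Chars(0) = "/"c Then
        ' "/" alone is fine; "//" and "/\" are protocol-relative and must be rejected.
        Return url.Length = 1 OrElse (url.Chars(1) <> "/"c AndAlso url.Chars(1) <> "\"c)
    End If
    Return url.Length > 1 AndAlso url.Chars(0) = "~"c AndAlso url.Chars(1) = "/"c
End Function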
Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) _
    Handles cmdSignOut.ServerClick
    ' Removes the forms-authentication cookie and returns the browser to the logon page.
    ' endResponse:=True stops any further processing of this page once the redirect is issued.
    FormsAuthentication.SignOut()
    Response.Redirect("logon.aspx", endResponse:=True)
End Sub
Because the user is identified based on the authentication
cookie, you may want to use Secure Sockets Layer (SSL) on this application so
that no one can retrieve the authentication cookie and any other valuable
information that is being transmitted.
Forms-based authentication requires that the client browser accept
or enable cookies.
The timeout attribute of the <authentication> configuration section controls the interval at which the
authentication cookie is regenerated. You can choose a value that provides
better performance and security.
Certain intermediary proxies and caches on the Internet may
cache Web server responses that contain Set-Cookie headers and then
return them to a different user. Because forms-based authentication uses a cookie
to authenticate users, this can cause a user to accidentally (or intentionally)
impersonate another user by receiving a cookie from an intermediary proxy or
cache that was not originally intended for them.
For information about implementing simple forms-based
authentication by using the <credentials> section to store users and passwords, see the following article
in the ASP.NET QuickStart samples:
For information about implementing forms-based authentication by
using an Extensible Markup Language (XML) file to store users and passwords,
see the following topic in the .NET Framework Software Development Kit (SDK)
documentation: