Exercise 1: Create PublicPage.aspx Use Notepad or the text editor of your choice to create a text file named PublicPage.

aspx in your PCs \Inetpub\wwwroot directory. Then add the following text to create a simple Web form:
<html> <body> <h1>Public Page</h1> <hr> <form runat="server"> <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" /> </form> </body> </html> <script language="C#" runat="server"> void OnViewSecret (Object sender, EventArgs e) { Response.Redirect ("Secret/ProtectedPage.aspx"); } </script>

Exercise 2: Create ProtectedPage.aspx Create a new directory named Secret in \Inetpub\wwwroot. In it, create a text file named ProtectedPage.aspx and enter the following code:
<html> <body> <h1>Protected Page</h1> <hr> <br> Be careful investing your money in dot-coms.

</body> </html>

Exercise 3: Test Test what youve done so far by opening PublicPage.aspx in your browser and clicking the View Secret Message button. In response, ProtectedPage.aspx should be loaded and should display a secret message for you. Exercise 4: Create Web.config Create a text file named Web.config in \Inetpub\wwwroot and enter the following statements:
<configuration> <system.web> <authentication mode="Forms"> <forms loginUrl="LoginPage.aspx"> <credentials passwordFormat="Clear"> <user name="Jeff" password="hawkeye" /> <user name="John" password="redrover" /> </credentials> </forms> </authentication> <authorization> <allow users="?" /> </authorization> </system.web> </configuration>

The <authentication> section of this configuration file enables forms authentication, designates LoginPage.aspx as the page that users must go through to get to protected resources, and defines two sets of login credentials. The <authorization> section grants anonymous users access to all parts of this site that dont specify otherwise. Exercise 5: Create LoginPage.aspx Create a text file named LoginPage.aspx in \Inetpub\wwwroot and enter the following statements:
<html> <body> <h1>Please Log In</h1> <hr> <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr>

<td> RunAt="server" /> </td> <td> </td>

<asp:Button Text="Submit" OnClick="OnSubmit"

</tr> </table> </form> <hr> <h3><asp:Label ID="Output" RunAt="server" /></h3> </body> </html> <script language="C#" runat="server"> void OnSubmit (Object sender, EventArgs e) { if (FormsAuthentication.Authenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; } </script>

This page displays a simple login form that accepts a user name and password. Clicking the Submit button activates OnSubmit, which uses the Authenticate method of the FormsAuthentication class (a member of the .NET Framework Class Librarys System.Web.Security namespace) to authenticate the supplied user name and password against the credentials defined in the <credentials> section of Web.config. If the login is approved, FormsAuthentication.RedirectFromLoginPage is called to send the user to the page protected by the login page. Exercise 6: Test Verify that the application still works as it did before by opening PublicPage.aspx again and clicking the View Secret Message button. Because youve yet to restrict access to ProtectedPage.aspx, the secret message should appear in the browser window. Exercise 7: Create another Web.config file Create another text file named Web.config, this time in the Secret directory (\Inetpub\wwwroot\secret). Add the following statements to deny anonymous users access to files in this directory:
<configuration> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </configuration>

Exercise 8: Test Repeat the test you performed in Exercise 6 and verify that clicking the View Secret Message button causes your login page to appear (see below). Type Jeff into the User Name box and imbatman into the Password box. Then click Submit. Does the secret message appear? Why or why not? Finish up by entering the user name Jeff and the password hawkeye. Do you see ProtectedPage.aspx this time?

Exercise 9: Modify the top-level Web.config file Close Internet Explorer and reopen it (important!). Then delete the <credentials> section from the top-level Web.config filethe one in \Inetpub\wwwroot. Test the application again by clicking the View Secret Message button. Can you get past the login page? Exercise 10: Create an authentication database While its perfectly possible to secure ASP.NET applications using credentials stored in Web.config, doing so isnt very realistic unless you plan to authorize access to only a small number of users. In the real world, it makes sense to store authentication data in a database, and to write the login page so that it authenticates against the database rather than against Web.config. To that end, open a command prompt window, go to the folder where Weblogin.sql is stored, and type
osql U sa P i weblogin.sql

This command executes the script found in Weblogin.sql, which creates a new SQL Server database named WebLogin. Inside the database is a table named Credentials that contains the following records: UserName Jeff John Password hawkeye redrover

Before proceeding, use the SQL Server Query Analyzer (or the tool of your choice) to verify that the database was properly created and initialized. Note: Weblogin.sql assumes that SQL Server is installed on drive C: on your PC. If you installed SQL Server on a different drive, open Weblogin.sql and edit the statement

FILENAME = 'C:\program files\...\weblogin.mdf'

to include the correct drive letter. Exercise 11: Add a CustomAuthenticate method and modify OnSubmit Add the following statements to the top of LoginPage.aspx:
<%@ Import NameSpace="System.Data" %> <%@ Import NameSpace="System.Data.SqlClient" %>

Then add the following method to the <script> block:

bool CustomAuthenticate (string username, string password) { SqlDataAdapter adapter = new SqlDataAdapter ("select password from credentials " + "where username = \'" + username + "\'", "server=localhost;uid=sa;pwd=;database=weblogin"); DataSet ds = new DataSet (); adapter.Fill (ds); DataTable table = ds.Tables[0]; foreach (DataRow row in table.Rows) { string pw = row[0].ToString ().TrimEnd (new char[] { ' ' }); if (String.Compare (password, pw, false) == 0) return true; } return false; }

Finally, modify the OnSubmit method so that it calls CustomAuthenticate instead of FormsAuthentication.Authenticate:
void OnSubmit (Object sender, EventArgs e) { if (CustomAuthenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; }

CustomAuthenticate uses ADO.NET to perform a database query and validate the user name and password provided to it. Exercise 12: Test Restart your browser again. Then test the application again by clicking the View Secret Message button and entering one of the sets of credentials included in the WebLogin database. Verify that you can once more get to ProtectedPage.aspx. Exercise 13: Try This Go back to PublicPage.aspx in your browser and click View Secret Message again. Verify that you go straight to ProtectedPage.aspx without having to enter a user name and password again.

Now close your browser and restart it. Open PublicPage.aspx and click the View Secret Message button. Because the authentication cookie issued to you when you logged in was a temporary one, youll have to log in again to get to the protected page. Exercise 14: Make the authentication cookie persistent When you pass FormsAuthentication.RedirectFromLoginPage a second parameter that equals false, like this:
FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);

RedirectFromLoginPage issues a temporary cookie, or session cookie, that expires when the browser is closed. If you pass true instead, RedirectFromLoginPage issues a persistent cookie thats good for 50 years. Demonstrate by doing the following: 1. 2. 3. 4. 5. 6. Change RedirectFromLoginPages second parameter to true. Restart your browser and open PublicPage.aspx. Click the View Secret Message button and log in. Verify that the secret message is displayed. Close your browser. Restart the browser, open PublicPage.aspx, and click View Secret Message.

Because the cookie is now being cached on your hard disk, you shouldnt have to log in again in step 6. Finish up by doing the following: 1. 2. Use Internet Explorers Tools/Internet Options/General/Delete Cookies command to delete all the cookies on your PC. Open PublicPage.aspx and click View Secret Message.

This time, you will have to log in because when you deleted the cookies on your PC, you deleted the authentication cookie, too. Exercise 15: Let the user decide Add a Remember me check box to LoginPage.aspx that lets the user decide whether to make the authentication cookie persistent (if the box is checked) or temporary (if the box isnt checked), as shown below.

To add the check box, modify the form as follows:

<form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Submit" OnClick="OnSubmit"RunAt="server" /> </td> <td> <asp:CheckBox Text="Remember me" ID="RememberMe" RunAt="server" /> </td> </tr> </table> </form>

And, so that the check box will be honored, change the second parameter passed to RedirectFromLoginPage to RememberMe.Checked:
FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked);

Checked is a CheckBox property that indicates whether the box is checked (true) or unchecked (false). Exercise 16: Test Test the changes you made in Exercise 15 by verifying that: 1. If the Remember me button isnt checked and you restart your browser, you have to log in again to view ProtectedPage.aspx. If the Remember me button is checked and you restart your browser, you dont have to log in again to view ProtectedPage.aspx.

2.

Exercise 17: Personalize the secret message Modify ProtectedPage.aspx so that it prefaces the secret message with the users login name. Heres the modified file, with changes highlighted in bold:
<%@ Page Language="C#" %> <html> <body> <h1>Protected Page</h1> <hr><br> <% Response.Write (Context.User.Identity.Name + ": "); %> Be careful investing your money in dot-coms. </body> </html>

Exercise 18: Change the cookies expiration date Modify OnSubmit so that if Remember me is checked, the authentication cookie thats issued has a lifetime of 7 days instead of 50 years. The key is to replace the call to RedirectFromLoginPage with the following statements:
HttpCookie cookie = FormsAuthentication.GetAuthCookie (UserName.Text, RememberMe.Checked); cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); Response.Cookies.Add (cookie); Response.Redirect (FormsAuthentication.GetRedirectUrl (UserName.Text, RememberMe.Checked));

The first statement creates an authentication cookie; the second sets the cookies expiration date to one week from the current date; the third adds the cookie to the Response objects Cookies collection, ensuring that the authentication cookie will be returned in the response; and the fourth and final statement redirects to the page that the user requested before the login form popped up.