开发者

ASP.NET MVC custom membership for beginners

开发者 https://www.devze.com 2023-01-16 10:18 出处:网络
I am creating my own website and blog and I want for first time just me in database (my name and password) and maybe later some registration for others but first log in just for me and administration

I am creating my own website and blog and I want for first time just me in database (my name and password) and maybe later some registration for others but first log in just for me and administration with authorization. I don´t want to use Membership from MS. I want try to create my own fro开发者_如何学运维m start so I am looking for guide for beginners but I found big guides with roles, rights. I want just small example with check username, password in database with log on data. Thanks for help Libor


Even if you don't want to use the membership and role provider data store you can still utilize the authentication. Trust me, it's a lot easier than building your own. Here's how it works:

We'll say you already have your user storage setup for retrieving the username and their password. For the sake of simplicity I'm going to pretend you have a static class called DataLayer that contains your data retrieval methods for pulling info from the database (or whatever storage you use).

First you need a way to let the user log in. So set up a page with username and password fields. Then in the action method that the page posts to set up a quick if statement:

    if (DataLayer.UserExists(userModel.Username))
    {
         User userFromDB = DataLayer.GetUser(userModel.Username);
         if (userFromDB.Password == userModel.Password)
         {
              FormsAuthentication.SetAuthCookie(userFromDB.Username, checkBoxRememberMe.Checked);
              //Use userFromDB as the username to authenticate because it will 
              //preserve capitalization of their username the way they entered it
              //into the database; that way, if they registered as "Bob" but they
              //type in "bob" in the login field, they will still be authenticated
              //as "Bob" so their comments on your blogs will show their name
              //the way they intended it to.

              return "Successfully logged in!";
         }
    }

    return "Invalid username or password.";

Now that they are authenticated you can just use Page.User.Identity.IsAuthenticated in your code to find out if they are logged in. LIke this:

if (User.Identity.IsAuthenticated)
{
     DataLayer.PostBlogComment(User.Identity.Name, commentBody);
     //Then in your controller that renders blog comments you would obviously 
     //have some logic to get the user from storage by the username, then pull
     //their avatar and any other useful information to display along side the
     //blog comment. This is just an example.
}

In addition, you can lock out entire action methods or even whole controllers to users that are authenticated through the forms authentication provider. All you have to do is add tags like these to your action methods/controllers:

[Authorize]
public ActionResult SomeActionMethod()
{
    return View();
}

The [Authorize] attribute will prevent users that are not logged in from accessing that action method and it will redirect them to your login page. You can use this same attribute to filter out roles if you are using the built in roles provider.

[Authorize(Roles="Admin, SalesReps")]
public ActionResult SomeActionMethod()
{
    return View();
}

These attributes can also be added above the controller class to apply it's logic to the entire controller.

EDIT: To log a user out all you need to do is call FormsAuthentication.SignOut();


Hey @Bibo, good for not choosing the Membership providers. I think a UserService or similar which provides methods for creating, authenticating users and some few more methods should be enough. As a suggestion, use password hashing and a password salt for the user´s password. Here is a good link to look at. Also have a look at this answer I gave some time ago.

Good luck!

EDIT: The rememberMe parameter should be named keepMeSignedIn instead.


This article on forms authentication gives you loads of info for creating your own simple security system, especially the bit about FormsAuthenticationTicket.

http://support.microsoft.com/kb/301240

0

精彩评论

暂无评论...
验证码 换一张
取 消