Securing ASP.Net pages - ASP.NET - Forms Authentication

ASP.Net has a built-in feature called forms authentication, which allows developers to easily secure certain areas of a website. In this post I will create a simple authentication example using C# and ASP.Net 4.0 (still in beta as of the posting date).
The security settings for ASP.Net are configured in the web.config file. This is a standard ASCII file in XML format, located at the root of the web application. This is a sample web.config file:

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30">
                <!-- passwordFormat="Clear" means the passwords below are stored as plain text -->
                <credentials passwordFormat="Clear">
                    <user name="user1" password="pass1"/>
                    <user name="user2" password="pass2"/>
                </credentials>
            </forms>
        </authentication>
        <authorization>
            <!-- "?" matches anonymous (unauthenticated) users -->
            <deny users="?"/>
        </authorization>
        <compilation targetFramework="4.0"/>
        <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
    </system.web>
</configuration>

 
The first line is standard for a web.config file and is not related to security.
 
The following section specifies that you are configuring security for this web application. First, the authentication mode is set to Forms, which uses a cookie in this specific example. You can specify a unique name for your cookie. This section also specifies the page or URL that contains the authentication code (login.aspx in this case) and how long the authentication cookie should be stored.
The next two lines specify the user names and passwords that are valid for this web application. As far as I know there is no limit on the number of user accounts that can be placed in the web.config, but if there were a large number, or if they change frequently, it might be best to put this information in an external store such as a database or an XML file instead (I'll show this in a future article).
Now that we've identified some valid login accounts, it is necessary to specify what we actually want to password protect. For this example I decided to password protect the entire site from the root, so the optional attribute is not used. We have set the authorization to deny all unauthenticated users (deny users="?").
That's all it takes for the web.config file. If someone tries to access a page and is not authenticated, they will be redirected to the login.aspx page.
This is only half of the required process, however. Now we have to create the login.aspx page to actually authenticate the user for our application.
Here is the complete source code for the login.aspx page:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="login.aspx.cs" Inherits="Default3" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="Form1" runat="server">
    <div>
        Username:
        <asp:TextBox ID="txtUsername" runat="server"></asp:TextBox>
        <br />
        Password:
        <%-- TextMode="Password" masks the input as it is typed --%>
        <asp:TextBox ID="txtPassword" TextMode="Password" runat="server"></asp:TextBox>
        <br />
        <asp:Button ID="Button1" Text="Login" OnClick="Button1_Click" runat="server" />
        <br />
        <br />
        <asp:Label ID="lblStatus" Text="Please login" runat="server"></asp:Label>
    </div>
    </form>
</body>
</html>
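
// login.aspx.cs (code-behind for login.aspx)
using System;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class Default3 : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Checks the supplied values against the <credentials> section of web.config
        if (FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text))
        {
            lblStatus.Text = "Welcome " + txtUsername.Text;
            // Issues the authentication cookie (true = persistent) and returns
            // the user to the page that was originally requested
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
        }
        else
        {
            lblStatus.Text = "Invalid login";
        }
    }
}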
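
The external XML file that the post mentions as an alternative to listing accounts in web.config could be checked as sketched below, storing a salted PBKDF2 hash per user instead of a clear-text password. This is an added example, not code from the original post or its planned follow-up article; the class name XmlUserStore, the users.xml layout and the iteration count are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Xml.Linq;

// Hypothetical helper (not from the original post). Assumed file layout:
// <users><user name="user1" iterations="100000" salt="BASE64" hash="BASE64"/></users>
public static class XmlUserStore
{
    const int SaltBytes = 16, HashBytes = 20, Iterations = 100000; // assumed values

    // Builds the <user> element to store for a new account: random salt plus derived hash.
    public static XElement CreateUser(string name, string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return new XElement("user",
            new XAttribute("name", name),
            new XAttribute("iterations", Iterations),
            new XAttribute("salt", Convert.ToBase64String(salt)),
            new XAttribute("hash", Convert.ToBase64String(Derive(password, salt, Iterations))));
    }

    // Returns true only when the user exists in the file and the password matches.
    public static bool Validate(string path, string name, string password)
    {
        foreach (XElement u in XDocument.Load(path).Root.Elements("user"))
        {
            if (!string.Equals((string)u.Attribute("name"), name, StringComparison.OrdinalIgnoreCase))
                continue;
            byte[] salt = Convert.FromBase64String((string)u.Attribute("salt"));
            byte[] expected = Convert.FromBase64String((string)u.Attribute("hash"));
            byte[] actual = Derive(password, salt, (int)u.Attribute("iterations"));
            return FixedTimeEquals(expected, actual);
        }
        return false;
    }

    // PBKDF2 (RFC 2898); Rfc2898DeriveBytes uses HMAC-SHA1 with this constructor.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        return new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(HashBytes);
    }

    // Compares every byte so the running time does not reveal where the hashes differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In Button1_Click, the FormsAuthentication.Authenticate call would be replaced by XmlUserStore.Validate(Server.MapPath("~/App_Data/users.xml"), txtUsername.Text, txtPassword.Text), where the file location is an assumption; the RedirectFromLoginPage call stays the same.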