I know this might sound like something which is explained everywhere, but I've been watching lots of asp.net/learn videos and reading articles, and still there's something missing that explains how all this "Membership" ties together.
On the one hand, there's this built-in .NET user management which allows you to create roles, users etc. Then on the other hand, getting that user and storing it (in the Session, etc.) seems a strange task, from what I have read, involving creating your own 'Principal' objects etc.
If there is anyone out there who has the understanding and time, could they give us (me) a brief explanation of what is what with all this. Maybe how it ties together... How do I use a string username/password to see if an account exists, log them in, check if they are in the correct role for an action, or even get all the roles which the user is part of?
I know this question might not go down well with people who already understand the .net user stuff well, but please only answer if you can help.
Many thanks in advance. peteski
You don't have to create your own principal object at all. All you need to do is use one of the out-of-the-box MembershipProvider implementations (e.g. SqlMembershipProvider) to manage your users, and one of the RoleProvider implementations (e.g. SqlRoleProvider) to set authorization for the users, if required.
To get the user, you don't have to store it in the session. Just use Page.User to get the current user's basic information (name, IsAuthenticated).
To check if the user's credentials are correct, you can use
Membership.ValidateUser(username, password).
To log on, I suggest you use the provided ASP.NET Login control, but you can code your own login with a little more work. If you use Forms authentication, it's something like:
    // Validate the credentials against the configured MembershipProvider
    if (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text))
    {
        // Issue the Forms authentication cookie (persistent if the user ticked the box)
        // and send the user back to the page that required the login
        FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked);
    }
    else
    {
        Msg.Text = "Login failed. Please check your user name and password and try again.";
    }
P.S.: The example comes from MSDN.
Finally, to check if the user can perform an action, you use
RoleProvider.IsUserInRole(username,rolename)
You can also control access to a resource (a page, a file, a folder, etc.) by configuring authorization in your web.config, e.g.:
    <authorization>
        <deny users="?" />
        <allow roles="Administrators" />
        <deny users="*" />
    </authorization>
Hope this helps, and feel free to ask for more information if it's not clear.
Edit
To answer your comment, here's how it works:
Page.User uses an authentication cookie to identify the currently logged-in user. This cookie is automatically set in FormsAuthentication.RedirectFromLoginPage, but if you just want to set the current user without redirecting, you can manually call FormsAuthentication.SetAuthCookie(userName, persistentCookie), where persistentCookie is a boolean value indicating whether you want this cookie to be persistent in the browser or not.
Hope it clarifies the original answer.
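Putting the pieces of the answer together in one code-behind, as an added example that is not the answerer's code or the MSDN sample: it validates the credentials through the MembershipProvider, issues the Forms cookie with SetAuthCookie, and then uses the static Roles helper (which wraps the configured RoleProvider) for authorization. It assumes a login page with UsernameTextbox, PasswordTextbox, RememberMeCheckBox and a Msg label, and that membership and roleManager are configured in web.config (hypothetical control names).

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UsernameTextbox.Text.Trim();

        // 1. Authentication: does the account exist and is the password right?
        //    ValidateUser compares through the provider, so the page never
        //    sees the stored password hash.
        if (!Membership.ValidateUser(user, PasswordTextbox.Text))
        {
            // One message for "no such user" and "wrong password", so the
            // form does not reveal which accounts exist.
            Msg.Text = "Login failed. Please check your user name and password and try again.";
            return;
        }

        // 2. Issue the Forms authentication cookie. A persistent cookie
        //    survives browser restarts, so only issue one when the user asks.
        bool persistent = RememberMeCheckBox.Checked;
        FormsAuthentication.SetAuthCookie(user, persistent);

        // 3. Authorization: the cookie only proves who the user is; what
        //    they may do comes from the RoleProvider.
        if (Roles.IsUserInRole(user, "Administrators"))
        {
            Response.Redirect("~/Admin/Default.aspx");
        }
        else
        {
            // GetRedirectUrl returns the ReturnUrl, or the default URL when
            // the ReturnUrl points outside this application.
            Response.Redirect(FormsAuthentication.GetRedirectUrl(user, persistent));
        }
    }

    // On later requests the cookie populates Page.User, so the current
    // user's name and roles can be read without anything in Session.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated) return;
        string[] roles = Roles.GetRolesForUser(User.Identity.Name);
        Msg.Text = "Signed in as " + User.Identity.Name + " (" + string.Join(", ", roles) + ")";
    }
}
```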