aspnet_regsql - Add Membership System
Here we look at adding a .NET Membership system into an existing web application using aspnet_regsql.exe.
I have an existing website which doesn't currently involve users logging in, and it uses a SQL Server database. My requirement is to integrate a system which enables users to log in to the website. The .NET Membership system, which was added in .NET 2.0, makes it very easy to add such a system. With built-in encryption and some standard, customisable controls which hook into the system automatically, it's very quick to put together a user login system, and one which is of a high standard.
Use aspnet_regsql to create SQL Server elements
As I'd like to store my user details in the SQL Server database, I need to create the database tables and stored procedures, including encrypting the user passwords. We can use the WSAT (WebSite Administration Tool) which is built into Visual Studio, but I prefer to do it manually where I'm in direct control of what is happening, so I use the .NET command aspnet_regsql.exe. I find knowing how to use the aspnet_regsql command means I can easily use it on a server or my development machine. So you'll need a way to get to the Framework folder, which on my current PC (Windows 7 64 bit) is located here: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 . Navigate to this folder in the Windows command prompt, or use the Visual Studio command prompt.
If you type in the command prompt:
You'll get a list of the available options for the command.
You'll need to pass the database connection details to the command: either a server, username and password, or a server with Windows Authentication. Some of the options are listed here:
-S : Server name
-d : Database
-U : Username
-P : Password
-E : Windows Authentication
Once you've specified the database connection properties, you tell the command which ASP.NET features you'd like to install or uninstall on that SQL Server. For instance, I'm mainly concerned with adding Membership, and maybe Roles and Profiles, for my user login section:
-A : Add
m : Membership
r : Role manager
p : Profiles
eg: Add Membership, Roles and Profiles
If you need to remove one or more of these features later on, you can remove them with:
-R : Remove
m : Membership
r : Role manager
p : Profiles
eg: Remove Membership, Roles and Profiles
So in order to add a Membership system to a SQL Server the command may look something like this:
aspnet_regsql -S myServerName -E -d myDataBase -A m
This says: call aspnet_regsql against the server named myServerName, use Windows Authentication, use the database called myDataBase, and finally add the Membership feature to this database.
Once run, it displays a result like this:
Start adding the following features:
This has created several tables and stored procedures in the specified SQL Server database, almost all ready to go. I just need to specify some details in the .NET code, and it's ready.
Configuring the Application to use the Membership system
The web.config file needs some configuration information to activate the Membership system, though we won't need any code to get it working, so that has saved us a lot of time. For starters we need to specify that we are using Forms Authentication which basically means that users who want to gain access to secure areas in the site must be authenticated using a Form, with a login username and password. We can specify something like the following:
<add key="CompanyName" value="DemoName" />
<authentication mode="Forms">
    <forms name="MyAuthCookie" defaultUrl="~/index.aspx" loginUrl="~/login.aspx" timeout="20" />
</authentication>
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
Here we set the Authentication type to Forms, and we set some additional parameters such as the timeout, the name of our authentication cookie, the URL to send users to when they first log in, and the URL users are redirected to when they try to visit a secure area of the site. The Authorization element specifies that we are going to deny access to any user who hasn't been authenticated, followed by a second rule which says we will allow all users. The first rule is evaluated first, keeping out anyone who hasn't logged in correctly, so in this case the second rule is only considered once a user has logged in successfully, and we're saying that anyone is allowed access once they have logged in. Here we could also name certain Roles or UserNames to be denied or granted access. The Authorization element can be used in sub-directories as well, so the root folder of the site may have different authorization settings from its sub-folders.
We also need to set in the web.config that we are using the Membership system:
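The sub-directory and role rules described above, written out as an added example (not part of the original article). The register.aspx page, the Admin folder and the Administrators role are assumptions; requireSSL, protection, slidingExpiration and cookieless are standard attributes of the forms element, and requireSSL assumes the site is served over HTTPS.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the ticket cookie is only sent over HTTPS.
           protection="All": the ticket is both encrypted and integrity-checked.
           cookieless="UseCookies": the ticket is never placed in the URL. -->
      <forms name="MyAuthCookie" loginUrl="~/login.aspx" defaultUrl="~/index.aspx"
             timeout="20" slidingExpiration="true"
             requireSSL="true" protection="All" cookieless="UseCookies" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- anonymous visitors are redirected to loginUrl -->
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Assumed sign-up page (for example one hosting a CreateUserWizard control):
       it has to stay open to anonymous visitors, otherwise the site-wide
       deny rule above blocks registration. -->
  <location path="register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Assumed Admin folder: rules are read top-down and the first match wins,
       so the allow for the role must come before the deny for everyone else.
       Role rules assume the Role manager feature is installed (-A r) and a
       role provider is configured. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Reversing the two rules in the Admin block would lock out administrators as well, because the deny for all users would match first.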
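<membership defaultProvider="MySqlMembershipProvider">
    <providers>
        <add name="MySqlMembershipProvider" connectionStringName="DBConnectionString" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=126.96.36.199, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
</membership>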
This points to a database connection string we have previously created which specifies how we connect with the database we just created the Membership SQL features on:
<add name="DBConnectionString" connectionString="Data Source=thisPC\SQL2008;Integrated Security=True;Initial Catalog=ThisDataBase" />
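How the provider stores and polices passwords is controlled by attributes on the provider entry. The fragment below is an added example, not the original article's configuration: the attribute names are standard SqlMembershipProvider settings, while the numeric policy values and applicationName are constructed for illustration.

```xml
<configuration>
  <connectionStrings>
    <add name="DBConnectionString"
         connectionString="Data Source=thisPC\SQL2008;Integrated Security=True;Initial Catalog=ThisDataBase" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="MySqlMembershipProvider">
      <providers>
        <!-- Drop inherited providers so only the one defined here is active. -->
        <clear />
        <!-- passwordFormat="Hashed" stores a salted one-way hash; "Encrypted" is
             reversible and "Clear" is plain text. Retrieval must stay off with
             hashed passwords, so users reset rather than recover them.
             maxInvalidPasswordAttempts failures within passwordAttemptWindow
             minutes lock the account. Policy numbers are illustrative. -->
        <add name="MySqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="DBConnectionString"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Setting applicationName explicitly keeps existing accounts tied to the same application if the site is later moved to a different virtual path.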
Using the .NET Login Controls
Finally we can use some of the standard ASP.NET controls which plug straight into the Membership system without any wiring or coding. These controls are customisable, but I'll keep any changes to a minimum for this example so we can get this working as quickly as possible while still working to a high standard.
Create User Wizard
You can simply drag the Create User Wizard control onto an aspx page in Visual Studio and it's ready to add a new user to your SQL Membership database. The basic markup for the control looks like this:
<asp:CreateUserWizard ID="CreateUserWizard1" runat="server">
    <WizardSteps>
        <asp:CreateUserWizardStep ID="CreateUserWizardStep1" runat="server" />
        <asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server" />
    </WizardSteps>
</asp:CreateUserWizard>
Simply enter a new username, password, password confirmation, email address, security question and security answer, click the Create User button, and the user will be added, ready to log in to the system.
LoginView, LoginName and LoginStatus controls
Here I'm going to combine the LoginView, LoginName and LoginStatus controls to provide a feature which shows information related to whether the user is logged in or logged out.
The LoginView control contains two templates: LoggedInTemplate, which shows information when a user is logged in, and AnonymousTemplate, which shows information when the user is not logged in. When we are logged in, we'll use the LoginName control to show the username of the user who is logged in, and when we are logged out, we'll use the LoginStatus control to provide a link to our login page:
<asp:LoginView ID="LoginView1" runat="server">
    <LoggedInTemplate>
        Welcome, <asp:LoginName ID="LoginName1" runat="server" />
    </LoggedInTemplate>
    <AnonymousTemplate>
        Not logged in <asp:LoginStatus ID="LoginStatus1" runat="server" />
    </AnonymousTemplate>
</asp:LoginView>
The Login control allows users to log in. By default it provides a Username and Password textbox with a submit button, so we'd put this on our login page. The credentials are verified against our database automatically by the control, and should the correct username and password be entered, our users will be logged in to the site.
<asp:Login ID="Login1" runat="server">
</asp:Login>