Using membership to secure ASP.NET websites

Using WSAT to Configure Security

Use Web Site Administration Tools (WSAT) to define and manage users, roles and security on site.

Launch from Visual Studio by choosing ASP.NET Configuration from Website menu.

Creating Users

User configuration found on Security tab.

First click on Select Authentication Type - Windows based, Active Directory (From A Local Network) or web based forms (From The Internet).

When web based security is selected then WSAT creates ASPNETDB.mdf and stores in App_Data directory and updates web.config to enable this security feature.


<authentication mode="Forms" />


Note, does not allow end users to create or manage their accounts - do this via logon controls.

Creating Roles

WSAT can create and manage roles (collections of users).

Can apply authorisation at role levels.

When Enable Roles is clicked on Security tab in WSAT it will add <role manager enabled="true"/> to the <system.web> element.

Creating Access Rules

Create via Security tab of WSAT.

Allows definition of folder-level access to items on site on either a per-user or role basis.

Create by clicking on Create Access Rules link which takes you to Add New Access Rule page.

From here apply rule to role, individual user, all users or anonymous users. Then the folder to which the rule applies. Finally whether allow or deny permission is chosen.

WSAT will add web.config file to appropriate folder:




<allow roles="Site Owner" />




Logon Controls

ASP.NET has set of controls, classes and tools for authenticating users with web forms and storing that information in a database.

Seven controls for managing logon information.

User Account Creation Page

If create site via ASP.NET Web Site template then the Account folder contains a Register.aspx page preconfigured to work with default logon database.

Use CreateUserWizard control to create custom page allowing users to create their own accounts.

By default control prompts for user name, password, email address, security question and associated answer together with appropriate validation.

The ContinueDestinationPageUrl Property on this control sets page to which users go after account creation has been completed.

CreateUserWizard is a composite, template driven control. Consequently can edit template for control. Allows new steps to be added or layout to be changed.

To collect additional profile information as part of account creation click on the Customize Create User Step link from the CreateUserWizard Tasks pane. This will render markup to create user into page where it can then be edited.

Cannot easily access users profile information within wizard as user is not considered to be authenticated. Can use the EditProfileText and EditProfileUrl properties on the CreateUserWizard to add link to final page of wizard where user can set their profile information.

Store additional information via the CreatedUser event.

By default created user does not belong to a role, can add user to roles via CreatedUser event.

Logon Page

If the ASP.NET Web Site template has been used then Login.aspx file will be present in Account folder.

The logon page is identified in the authentication element of the web.config file:


<authentication mode="Forms">

<forms loginUrl="Login.aspx" />



The logon page contains a Login control which prompts users for name and password.

Page should contain a ValidationSummary control into which Login control can post validation messages.

Should use Login.LoginError event to perform security auditing via Security event log.

Password Recovery

PasswordRecovery control often added to logon pages to assist users who have forgotten their passwords.

Enables users to provide user name and receive new random password via email.

Can, optionally, require security question to be answered before email is sent.

Has three template views:

Use PasswordRecovery.UserLookupError and PasswordRecovery.AnswerLookupError to log these events so administrators can discover excessive attempts to lookup / recover a password.

Password Change

If the ASP.NET Web Site template has been used then ChangePassword.aspx and ChangePasswordSuccess.aspx file will be present in Account folder.

Can create custom page using ChangePassword control.

On completion show success message or automatically navigate to another page.

FormsAuthentication Class

Basis of all forms authentication.

Provides various authentication support methods such as authentication, encryption / decryption, get authentication cookies, logging out, etc.

Membership Class

Normally abstracted from developers by logon controls.

Provides mechanisms to create and delete users, validate users, generate passwords, etc.

Roles Class

Manages roles and establishes roles for current user.

Class most likely to be used by developers, e.g. to add user to role issue

Roles.AddUserToRole(CreateUserWizard1.UserName, "Users");

Requiring Windows Authentication

For applications used within organisation should use Windows authentication.

Edit <authentication> section of web.config and set mode to windows:


<authentication mode="Windows">


<deny users="?" />




Authorization element controls whether authentication is required.

An entry of <deny users="?" /> denies access to all unauthenticated users.

An entry of <allow users="*" /> grants access to all users.

? represents unauthenticated users whilst * represents all users.

Can also configure via WSAT.

Restricting Access

Authentication determines users identity, authorisation defines what they can access.

Previously relied on Windows permissions - still important, but complimented by ASP.NET authorisation capabilities.

Controlled by web.config file.

Restricting access to users and groups

By default machine.config contains:


<allow users="*" />


Which allows all users to access all parts of site. To restrict access to the users except Eric and Sam change web.cnofig to:


<allow users="Eric, Sam" />

<deny users="*" />


If windows authentication is used user names should include domain / computer name.

Controlling access to files and folders

To restrict access to specific files or folders use the <location> element. In this example anonymous users have no access to entire site. Only users in the CONTOSO\IT group can view the Protected subfolder.



<authentication mode="windows" />


<deny users="?" />



<location path="Protected">



<allow roles="CONTOSO\IT" />

<deny users="*" />





Can also control access via Windows file system - but do not rely on this approach.


All requests for system resources by default are made using ASPNET account (IIS 5) or Network Service Account (IIS 6, 7 and 7.5).

This is configurable, and defined in machine.config by <processModel autoConfig="true" />

Can change the autpConfig to false and set userName and password properties to an account that ASP.NET will use when requesting resources.

Automatic configuration suitable for most implementations.

In some cases administrators may need to configure ASP.NET to impersonate some other account - can do this via the <identity> element in the machine.config file.

To enable ASP.NET to impersonate specific user account, regardless of how IIS authentication is handled, can add identity element to system.web section of web.config:

<identity impersonate="true" userName="Domain\User" password="password" />