Site security via user profiles in ASP.NET websites

Quick and easy way to define, store and retrieve user profile information for a site.

Configured within web.config.

Steps to set up a user profile:

Configuring User Profile Provider

Store and retrieve user profiles in database via a provider class.

ASP.NET provides default provider - System.Web.Profile.SqlProfileProvider

By default uses configuration settings in machine.config.

These are (by default) set up to use SQL Server Express installation on local machine.

By default the personalisation database is stored in the App_Data folder for site - in the files ASPNETDB.mdf and ASPNETDB_log.ldf

Configuring New Profile Database

For development purposes can usually use default settings.

To move to SQL Server, first generate the schema on the database server - can use the Aspnet_regsql tool found in the Microsoft.NET\Framework\%version% folder.

Tool not limited to creating profile table, can also define role, membership and Web Part tables.

Launching tool without arguments forces user to walk through configuration wizard.

Define User Profile

Define profile by determining individual fields, e.g. name, date of last visit, colour settings, etc. to be tracked for each user on site.

Defined within web.config profile section:

<profile>
  <properties>
    <add name="FirstName" />
    <add name="LastVisit" type="System.DateTime" />
  </properties>
</profile>

Anonymous User Profiles

By default profiles enabled only for authenticated users.

Can enable for anonymous users by adding allowAnonymous="true" attribute to the properties, e.g. <add name="LastVisit" allowAnonymous="true" type="System.DateTime" />

ASP.NET will create unique identification for each user when first visits site, stored in browser cookies.

If cookies not enabled then identifier added to URL of page request.

Profile Property Groups

Can place properties into groups, then access them through the Profile class as encapsulated data, e.g. Profile.Address.Street.

<properties>
  <group name="Address">
    <add name="Street" />
    <add name="City" />
  </group>
</properties>

Custom Profile Property types

Can use own custom classes as profile properties.

Custom class must be serializable.

<add name="Pos" type="MyApp.OrgPosition" serializeAs="Binary"/>

Identify Users

If site implements user authentication then profiles automatically enabled.

If the site has only anonymous users, need to add the anonymousIdentification element to the system.web element of web.config. Ensure its enabled attribute is set to true.
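
Added example (not part of the original notes): a web.config that combines the provider, property and anonymous identification settings described above, with the anonymous identification cookie restricted to cookies only, HTTPS only, and signed and encrypted, since that cookie is the only thing tying an anonymous visitor to a stored profile. The connection string, provider name and applicationName are assumed placeholders.

```xml
<!-- Added example. Values marked "assumed" are placeholders, not from the notes. -->
<configuration>
  <connectionStrings>
    <!-- assumed connection string name, server and database -->
    <add name="ProfileDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- cookieless="UseCookies": never fall back to putting the identifier in
         the URL, where it leaks through logs, referrers and shared links.
         cookieRequireSSL: only send the cookie over HTTPS.
         cookieProtection="All": validate and encrypt the cookie contents. -->
    <anonymousIdentification enabled="true"
                             cookieless="UseCookies"
                             cookieRequireSSL="true"
                             cookieProtection="All" />
    <profile defaultProvider="SqlProfiles">
      <providers>
        <!-- drop the inherited machine.config provider (SQL Server Express) -->
        <clear />
        <!-- assumed provider name and applicationName -->
        <add name="SqlProfiles"
             type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="ProfileDb"
             applicationName="/MySite" />
      </providers>
      <properties>
        <!-- authenticated users only (the default) -->
        <add name="FirstName" />
        <!-- also tracked for anonymous visitors -->
        <add name="LastVisit" type="System.DateTime" allowAnonymous="true" />
        <group name="Address">
          <add name="Street" />
          <add name="City" />
        </group>
      </properties>
    </profile>
  </system.web>
</configuration>
```

With cookieless="UseCookies", a browser that rejects cookies gets no persistent anonymous profile instead of an identifier embedded in every URL.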

Migrating Anonymous User Profiles

If anonymous user profiles are enabled and a user then creates authentication credentials, ASP.NET will create a new profile for the user.

May want to migrate settings from their anonymous profile.

Do this by responding to MigrateAnonymous event raised when user logs into site:

public void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
{
    // Load the profile that was stored under the anonymous ID
    ProfileCommon anonProfile = Profile.GetProfile(args.AnonymousID);
    Profile.StockSymbols = anonProfile.StockSymbols;
}

Saving User Profile

Set values of individual Profile properties then call Profile.Save().

Set profile information in response to user actions, e.g. setting their preferred colour.

May allow user to set Profile information via a web page.

Recognising Returning Visitor

Profile based on user identification.

If allow anonymous authentication then this is passed as cookie setting.

Otherwise happens at time of user authorisation.

By accessing profile property ASP.NET will perform necessary actions to identify user and lookup value from persistent profile store.