I’ve noticed that there aren’t many tutorials out there that make setting up a member’s login easy for VB.NET. This tutorial will show you how to set up a login section using forms authentication, and then specify which users can access what parts of your website in only a few minutes. You’ll also be able to retrieve multiple custom values from your encrypted authentication cookie to use in your VB.NET code, like the user’s ID, name, username etc., without the need to re-query your database.
Setup steps
1. Download the complete project
Download and extract the attached zip file containing all the files necessary for the VB.NET login to work to the root of your website. Don’t overwrite files in your existing website. Rather just copy and amend the code from this project’s files to your existing site’s files when your computer wants to overwrite a file.
2. Create the user table and add test users in the database
If you already have a users table, simply skip this step; you’ll be able to modify the required variables later in this tutorial. This example uses a MySql database. With only a few modifications, I’m sure you can use it with any other compatible database.
To create your database, simply copy and paste the code below in a blank notepad document and save it as ‘createuserstable.sql’ (Change `yourdatabase` to your database name first) – Open MySql query browser and click file > open script. Browse to ‘createuserstable.sql’ and run the script. Your database will now have the necessary table, columns and 2 test users.
Code:
CREATE TABLE `yourdatabase`.`user` (
  `ID` INTEGER UNSIGNED NOT NULL AUTO_INCREMENT,
  `username` VARCHAR(45),
  `password` VARCHAR(45),
  `clientname` VARCHAR(45),
  `role` VARCHAR(45),
  PRIMARY KEY (`ID`),
  UNIQUE INDEX `Index_2`(`username`)
) ENGINE = InnoDB;
INSERT INTO `user` (username, password, clientname, role) VALUES ('johnd', '123', 'John Doe', 'ADMIN');
INSERT INTO `user` (username, password, clientname, role) VALUES ('janed', '456', 'Jane Doe', 'MEMBER');
You can also manually create the table and insert 2 test users:
[Screenshots: tables.jpg, rows.gif]
3. web.config
In the web.config file, change the values in the following connection string to connect to your database (I’ve used an ODBC connection to MySql for this example)
Code:
<add key="strConn" value="DRIVER={MySQL ODBC 3.51 Driver};Port=3306;Server=127.0.0.1;UID=yourusername;PWD=yourpassword;database=yourdatabase;Option=16384" />
“login/” will be the path to your default login page relative to the web.config file, and “.ASPXAUTH” is the authentication cookie name (there is no need to change this)
Code:
<forms loginUrl="login/" name=".ASPXAUTH" protection="All"></forms>
For every directory you’d like to protect, add the following lines of code… In this example, “members” and “admin” are the protected directories relative to this web.config file, and the roles mentioned (comma separated) are the users allowed to access the pages after logging in as defined in your database. For example, users with ADMIN role privileges are allowed to access the “members” and “admin” pages, where MEMBER role privileges can only access the “members” directory.
Code:
<location path="members">
  <system.web>
    <authorization>
      <allow roles="MEMBER, ADMIN" /><!-- comma separate which users are allowed to view these pages after logging in -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="ADMIN" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
4. /login/index.aspx.vb
NOTE:
If you have set up the database using the default values by following step one above, your login system will now be working. Simply run index.html and log in with the users in the database.
I’ve created a “Configuration Variables” section to easily change the needed variables to create your login page to work with your custom database users table. Following are the variables with a short description:
strAppSettingsConnectionName – This is the connection name for the string to connect to your database as defined in the web.config file
strDbColumnForPassword – The column name in the user’s table that contains the password for the user
strDbColumnForUserRole - The column name in the user’s table that contains the role value. This value will specify what pages the user will be able to access after logging in as specified in the web.config file
strDbColumnForUserID - The column name in the user’s table that contains the unique ID value. You will be able to retrieve this value from the encrypted authentication cookie to perform tasks to this specific user.
strDbColumnForClientName - The column name in the user’s table that contains the client’s name value. Usually used simply to say “Welcome {NAME}”
intMinutesBeforeAutoLogoff – The time it takes for the authentication cookie to expire when you don’t browse the website
strSqlQuery – the query used to connect to the table and retrieve the values associated with the username.
strDefaultRedirectUrl – The url your user will be redirected to after login if no ReturnUrl is specified.
5. members/index.aspx.vb and admin/index.aspx.vb
Here you’ll see how to retrieve information from the encrypted authentication cookie. Retrieve them in the order as they were added in the ‘strValuesToInsertIntoTicket’ variable in ‘login/index.aspx.vb’.
Code:
intClientId = cint(strUserData(0))
intClientName = strUserData(1)
intClientRole = strUserData(2)
That’s it, start by viewing index.html, and you should be able to login to the admin and members sections with the users in the database.
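The ticket round trip that steps 4 and 5 describe, as an added example that is not part of the original post or its zip file: writing ID, client name and role into the forms authentication ticket at login, reading them back by position, and attaching the role to the request so the <allow roles="..."> rules in web.config can match it. The module name, method names and the "|" delimiter are assumptions; the project's own files may differ.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (e.g. in App_Code); not a file from the tutorial's zip.
Public Module AuthTicketHelper
    ' Assumption: "|" separates the values; the project's real delimiter may differ.
    Private Const Delimiter As Char = "|"c

    ' Login page: call only after the username and password have been verified.
    Public Sub IssueTicket(ByVal username As String, ByVal userId As Integer, _
            ByVal clientName As String, ByVal role As String, ByVal minutes As Integer)
        ' A delimiter inside a database value would shift the fields read back by index.
        If clientName.IndexOf(Delimiter) >= 0 OrElse role.IndexOf(Delimiter) >= 0 Then
            Throw New ArgumentException("Value contains the ticket delimiter.")
        End If
        Dim userData As String = String.Join(Delimiter.ToString(), _
            New String() {userId.ToString(), clientName, role})
        Dim ticket As New FormsAuthenticationTicket(1, username, DateTime.Now, _
            DateTime.Now.AddMinutes(minutes), False, userData, FormsAuthentication.FormsCookiePath)
        ' Encrypt follows the protection="All" setting: encryption plus validation.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        HttpContext.Current.Response.Cookies.Add(cookie)
    End Sub

    ' Protected pages: values come back in the order written (ID, client name, role).
    Public Function ReadUserData() As String()
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing Then Return Nothing
        Dim identity As FormsIdentity = TryCast(user.Identity, FormsIdentity)
        If identity Is Nothing Then Return Nothing
        Dim parts As String() = identity.Ticket.UserData.Split(Delimiter)
        If parts.Length <> 3 Then Return Nothing
        Return parts
    End Function

    ' Global.asax, Application_AuthenticateRequest: makes the ticket's role visible to <allow roles>.
    Public Sub AttachRoles()
        Dim parts As String() = ReadUserData()
        If parts Is Nothing Then Return
        Dim ctx As HttpContext = HttpContext.Current
        ctx.User = New GenericPrincipal(ctx.User.Identity, New String() {parts(2)})
    End Sub
End Module
```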
