Introduction

ASP.NET 2.0 provides built in controls to manage Membership in Web Applications. All these controls use ASP.NET providers that are loaded via web.config file. Membership provider and Role provider allow a complete system to maintain users information, authenticate and authorize the users. This article demonstrates how to use and configure the default Member ship and Role provider.

Membership and Role Provider

Initially by using the Visual Studio 2005/2008/2010, create an ASP.NET website/web application. If you are using Visual Studio 2010, login and registration pages are available by default in the application. Now to store the user information, we need to create the database in the SQL Server. Follow the steps given below to use built in user store schema for maintaining the user information.

1. Go to Visual Studio, Visual Studio tools and then open the Visual Studio Command Prompt.
2. Use the aspnet_regsql.exe command to run the ASP.NET SQL Server Setup Wizard.
3. Check the option “Configure SQL Server for application services”.
4. Select the Server Instance and the database name for the application, if the database name is not provided, default aspnetdb database is created.
5. Click the confirm settings and finish button to create the database store.

Step 1:

Step 2:

Step 3:

Step 4:

Step 5:

Preparing to build the security system for use in application, we need to configure the membership provider inweb.config file. The following settings for Forms Authentication, Membership and Role provider are applied in theweb.config file.

Forms Authentication Settings

The authentication mode under system.web tag is set to “Forms” and the elements included in are loginUrl,defaultUrl, timeout, cookieless and protection which specifies the login page URL, default page URL, cookie expiration time and protection level respectively. The settings in web.config file would look similar to the code shown below:

<authentication mode="Forms">
     <forms cookieless="UseCookies" defaultUrl="HomePage.aspx" 
 loginUrl="UnAuthorized.aspx" protection="All" timeout="30">
          </forms>
</authentication>    

Membership Provider Settings

Some of the important elements to be considered in the Membership provider are name – name of the provider, type – namespace of the provider, connectionStringName – name of the connectionstring and the most important password format. The password format is available in three formats, Hashed, Encrypted and Clear. Hashed format provides one way of storing password in encrypted format which cannot be brought back to original state, whereas Encrypted format provides both to encrypt and decrypt the password.

<membership defaultProvider="Demo_MemberShipProvider">
 <providers>
  <add name="Demo_MemberShipProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="cnn"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      applicationName="/"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="5"
      minRequiredPasswordLength="5"
      minRequiredNonalphanumericCharacters="0"
      passwordAttemptWindow="10" passwordStrengthRegularExpression="">
 </providers>
</membership>

Role Provider Settings

The similar way is to specify the settings for default Provider under system.web tag of the web.config file as shown below. The settings are simple and self explanatory.

<roleManager enabled="true" cacheRolesInCookie="true" 
 cookieName="TBHROLES" defaultProvider="Demo_RoleProvider">
              <providers>
                  <add connectionStringName="dld_connectionstring"
                  applicationName="/" name="Demo_RoleProvider"
                  type="System.Web.Security.SqlRoleProvider, System.Web,
                  Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
             </providers>
</roleManager>