ASP.NET: Verzeichnisschutz mit ASP.NET FormsAuthentication

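Hier mal eine Copy'n'Paste-Vorlage: Auf alle Inhalte eines Verzeichnisses "CMS" kann nur nach erfolgreicher Anmeldung zugegriffen werden. Benutzername und MD5-Hash des Passworts werden in der web.config hinterlegt. Zu beachten: MD5 ist ein Hash und keine Verschlüsselung, und ein ungesalzener MD5-Hash lässt sich bei schwachen Passwörtern schnell erraten; für produktive Systeme ist ein gesalzenes, langsames Verfahren wie PBKDF2 die bessere Wahl.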

root/web.config

<?xml version="1.0" encoding="utf-8"?>
<!-- Root web.config: enables forms authentication for the site and denies
     anonymous access to everything under the "CMS" path. -->
<configuration>
  <appSettings>
    <!-- The single account that Login.aspx.cs compares the submitted credentials against. -->
    <add key="username" value="admin" />
    <!-- Upper-case hex MD5 of the password; Login.aspx.cs compares it with an exact
         string match. The value appears truncated in this listing.
         NOTE(review): unsalted MD5 is fast to brute-force, so anyone who can read
         this file can usually recover a weak password. Prefer a salted, slow hash
         (e.g. PBKDF2) and restrict read access to web.config. -->
    <add key="password" value="A13EE062EFF9D72..." />
  </appSettings>
  <connectionStrings />
  <system.web>
    <!-- NOTE(review): debug="true" is a development setting; use debug="false"
         on a deployed site. -->
    <compilation debug="true" />
    <authentication mode="Forms">
      <!-- loginUrl: where unauthenticated requests are redirected.
           defaultUrl: target after login when no return URL was supplied.
           NOTE(review): cookieless="UseUri" carries the authentication ticket in the
           URL, where it ends up in browser history, server and proxy logs, Referer
           headers and copied links. Prefer cookieless="UseCookies" together with
           requireSSL="true" on an HTTPS site. -->
      <forms cookieless="UseUri" defaultUrl="~/CMS/Default.aspx"
        loginUrl="~/Login.aspx">
      </forms>
    </authentication>
  </system.web>
  <location path="CMS">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users: they are denied, every authenticated user
             is allowed (no role check is configured here). -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

root/Login.aspx

<%@ Page Language="C#" AutoEventWireup="true" 
  CodeFile="Login.aspx.cs" Inherits="Login" %>
<%-- Login form for forms authentication; the button posts back to
     ButtonLogin_OnClick in Login.aspx.cs. --%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <title>Login</title>
</head>
<body>
  <form id="form1" runat="server">
    Username:
      <asp:Textbox id="TextboxUsername" runat="server" /><br />
    <%-- TextMode="Password" only masks the input on screen; the value is still
         sent in the request body, so this page should be served over HTTPS. --%>
    Password: 
      <asp:Textbox id="TextboxPassword" runat="server" 
      TextMode="Password" /><br />
    <asp:Button id="ButtonLogin" Text="Login" 
      OnClick="ButtonLogin_OnClick" runat="server" /><br />
    <%-- Receives the failure message set by the code-behind. --%>
    <asp:Label id="LabelInfo"  ForeColor="red" runat="server" />
  </form>
</body>
</html>

root/Login.aspx.cs

using System;
using System.Configuration;
using System.Web.Security;
using System.Text;
using System.Security.Cryptography;

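/// <summary>
/// Code-behind of the login page. Compares the submitted credentials with the
/// single account stored in the appSettings section of web.config and, on
/// success, issues the forms-authentication ticket.
/// </summary>
public partial class Login : System.Web.UI.Page
{
  protected void Page_Load(object sender, EventArgs e) { }

  /// <summary>
  /// Click handler of the login button: validates user name and password and
  /// either redirects the authenticated user or shows a generic error message.
  /// </summary>
  /// <param name="sender">The button that raised the event.</param>
  /// <param name="e">Event data (unused).</param>
  protected void ButtonLogin_OnClick(object sender, EventArgs e)
  {
    // Expected user name and stored password hash from web.config.
    string username = ConfigurationManager.AppSettings["username"];
    string password = ConfigurationManager.AppSettings["password"];

    // Both inputs are trimmed, as before; trimming the password is kept so that
    // hashes already stored in web.config continue to match.
    string submittedUser = TextboxUsername.Text.Trim();
    string submittedHash = GetMd5Hash(TextboxPassword.Text.Trim());

    // Evaluate both checks unconditionally (non-short-circuit &) so the hash is
    // computed and compared whether or not the user name matched. A missing
    // appSettings entry yields null and therefore fails closed.
    bool userMatches = submittedUser == username;
    bool hashMatches = FixedTimeEquals(submittedHash, password);

    // NOTE(review): nothing in this handler throttles or locks out repeated
    // failed attempts; add rate limiting in front of this page.
    if (userMatches & hashMatches)
    {
      // false = session ticket only, no persistent cookie.
      FormsAuthentication.RedirectFromLoginPage(submittedUser, false);
    }
    else
    {
      // Same message for a wrong user name and a wrong password.
      LabelInfo.Text = "Ungültige Anmeldung.";
    }
  }

  /// <summary>
  /// Computes the MD5 hash of <paramref name="input"/> as an upper-case hex
  /// string, for comparison with the hash stored in web.config.
  /// </summary>
  /// <param name="input">The text to hash.</param>
  /// <returns>32 upper-case hexadecimal characters.</returns>
  private static string GetMd5Hash(string input)
  {
    // NOTE(review): unsalted MD5 is not suitable for password storage. Moving to
    // a salted, slow hash (e.g. Rfc2898DeriveBytes) changes the stored value
    // format, so it has to be done together with the web.config entry.
    // NOTE(review): Encoding.Default depends on the server's code page on
    // .NET Framework, so passwords with non-ASCII characters can hash
    // differently on another machine. Kept so existing hashes still match.
    using (MD5 md5Hasher = MD5.Create())
    {
      byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input));
      StringBuilder sBuilder = new StringBuilder(data.Length * 2);
      for (int i = 0; i < data.Length; i++)
      {
        // "X2" emits upper-case hex directly; no culture-sensitive ToUpper() needed.
        sBuilder.Append(data[i].ToString("X2"));
      }

      return sBuilder.ToString();
    }
  }

  // Compares two strings without returning early at the first differing
  // character; null on either side or a length mismatch is a non-match.
  private static bool FixedTimeEquals(string left, string right)
  {
    if (left == null || right == null || left.Length != right.Length)
    {
      return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
      difference |= left[i] ^ right[i];
    }

    return difference == 0;
  }
}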

root/CMS/Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" 
  CodeFile="Default.aspx.cs" Inherits="CMS_Default" %>
<%-- Sample protected page under /CMS; web.config denies anonymous users for
     this path, so it is only rendered after a successful login. --%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <title>Geschützte Seite</title>
</head>
<body>
  <form id="form1" runat="server">
  <%-- Greets the authenticated user by name. --%>
  <asp:LoginName ID="LoginName1" runat="server" FormatString ="Hallo {0}" />
  <%-- Logout posts back to Button1_Click in Default.aspx.cs. --%>
  <asp:Button ID="Button1" runat="server" 
    Text="Logout" OnClick="Button1_Click" />
  </form>
</body>
</html>

root/CMS/Default.aspx.cs

using System;
using System.Web.Security;

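/// <summary>
/// Code-behind of the protected sample page; provides the logout action.
/// </summary>
public partial class CMS_Default : System.Web.UI.Page
{
  protected void Page_Load(object sender, EventArgs e) { }

  /// <summary>
  /// Click handler of the logout button: removes the forms-authentication
  /// ticket and sends the user back to the login page.
  /// </summary>
  /// <param name="sender">The button that raised the event.</param>
  /// <param name="e">Event data (unused).</param>
  protected void Button1_Click(object sender, EventArgs e)
  {
    // NOTE(review): SignOut() removes the ticket on the client side only; a
    // ticket that was copied earlier stays valid until it expires. That matters
    // most when the ticket travels in the URL (cookieless="UseUri"), so keep the
    // forms timeout short.
    FormsAuthentication.SignOut();
    Response.Redirect("~/Login.aspx");
  }
}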

Quellen:
BlaBlubBlog: Verzeichnisse per ASP.NET FormsAuthentication in 60 Sekunden schützen
.Net-Snippets.de: Erstellt einen md5-Hash aus einem string
