Develop Reference

Website with/without user login

Howdy,
I'd like to create a website with c# and ASP.NET. This Website should feature a front end which is accessable by all visitors - and then I'd like to create a backend which is only accessibly after the user logged in ... however I'm facing a couple problems since this is my first web project in C# and in general.
I think I have to create at least 3 classes:
Page - ( every page should inherit this page )
holds if the page should be an open or closed page
Loginpage
Membership Page
Checks if the user is really logged in and which user it is.
I have no clue if this is the right way to do it - and how I should do. I would be really grateful 4 help.

Take a look at the MembershipProvider. ASP.NET comes with some pre-rolled controls for logging users in and out, as well as several mechanisms for checking whether a user is logged in and what roles they have. You can secure resources programmatically by checking on what roles the current user has and make decisions in code, or in the web config by requiring specific user names and/or roles to access a given resource (such as a page).
Here's an intro link to get you started:
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Once you're done getting a general feel for what the MembershipProvider is, here's a video to walk you through setting up a SqlMembershipProvider:
http://www.asp.net/general/videos/how-do-i-set-up-the-sql-membership-provider

This sample is so useful.
Review it.
Project Description MyWSAT aka ASP.NET
WSAT is a WebForms based website
Starter Kit for the ASP.NET Membership
Provider. It is a feature rich
application that takes care of all the
basics to save you time. Use it as a
template to start your websites.
MyWSAT v3.5 PROJECT OVERVIEW:
MyWSAT aka ASP.NET WSAT is a WebForms
based Website Starter Kit for the
ASP.NET Membership Provider with Forms
Authentication. It provides you with
all the security features required for
a site out of the box so you start
focusing on building your pages. It
allows you to manage membership users
online once your site is deployed. It
features complete administrative
back-end functionality and designed to
manage users, as well as admin pages
for users to manage their own user
data.
MyWSAT works with the default
membership provider database tables to
manage membership users, roles and
profiles and uses a few specially
crafted stored procedures for
efficient paging of any amount of
records... and a few more things as
you will see. It consists of simple
procedural programming with neatly
organized and commented code. The
programming methodology is geared
toward the beginning developer to help
quickly gain some practical every day
development knowledge. MyWSAT has been
used in many production environments
(personal and enterprise) and is
reliable and secure. A perfect starter
kit for your next Blog, CMS,
E-commerce or any project that
requires security and user management.
Tip: You can save this website as a
template and use it to create new
sites based on it.
TECHNOLOGY USED:
This application was created in Visual
Web Developer 2008 Express (works with
2005 and 2010) with SQL Server 2008
Express , .NET version 3.5 and C#.NET.
This release is not available in
VB.NET.

Since you are using ASP.NET, there is a lot of existing infrastructure here you can take advantage of. Look into:
Microsoft ASP.NET Membership API: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Login Controls: http://msdn.microsoft.com/en-us/library/ms178329.aspx
Forms authentication
Microsoft has pretty much fully solved/written all of this for you. Now you might still prefer to avoid their implementation for whatever reason, but it's still worth looking into.

How do you implement an ASP.NET role provider?

I've got a few top-level questions about ASP.NET Membership and Role providers. I've done some searching but am having a hard time finding some layman tutorials. I have been coding in ASP.NET for a while now but the only real experience I have with authentication is the use of FormsAuthentication.SetAuthCookie(usernameFromDatabase, false);
When I use the SetAuthCookie() method above am I using the ASP.NET Membership Provider? Correct me if I'm wrong please but I don't think I am. I am just setting an authentication cookie right? I usually implement my own custom methods in my data repositories like GetUser_ByUsername(string username) which then talks to the ORM and gets the right user.
Do the Membership and Role Providers have their own data storage?
What if I want to use my own data storage?
Do I need to implement my own membership/role provider, and how would one go about doing that?
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
I'm just looking for a brief tutorial/explanation of this system. If you have any good references for me to look at I will happily take a look :)

Implementing a membership provider is not too hard. Note that you only need to implement the methods that you plan to actually use. The membership provider should be viewed as a means to interact with your user information from an authentication perspective. It won't create the auth cookie for you; you do that after a successful call to the ValidateUser method on the provider. It will allow you to develop an application against the provider interface and easily change which provider you want to use via configuration rather than rewriting the application code. I've successfully implemented several different membership providers, using my own schema, which support built-in and hybrid built-in/active directory authentication. More info available via the links below:
Article: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
Sample Implementation Description: http://msdn.microsoft.com/en-us/library/44w5aswa.aspx
Sample Code: http://msdn.microsoft.com/en-us/library/6tc47t75.aspx

SetAuthCookie() works with the Forms Authentication framework within ASP.NET which you can then adapt for integration with a membership provider.
Do the Membership and Role Providers have their own data storage?
They can, yes. There is an abstract implementation that you can subclass for your specific data needs. There is a SqlMembershipProvider you can use right out of the box, you just need a database to point to and create the needed tables. There is quite a bit of information on that class, like here or here.
What if I want to use my own data storage?
The SqlMembershipProvider does, but check out this alternative MySQL framework if you're interested in seeing how another DBMS does it.
Do I need to implement my own membership/role provider, and how would one go about doing that?
Using the built-in ones is pretty easy, but a lot of shops roll their own so that they can use existing tables. You'll need to implement this class.
Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?
In all likelihood you'll need a stronger system, and a custom membership provider is a good idea.

1 - Yes, if you use the built in membership/role providers they use tables created either in a separate database or an existing one. You use the tool aspnet_regsql.exe to create these tables - it walks you through a wizard. Alternatively, it can also be called from the command-line with different arguments in order to skip the wizard. This is some info from MS about creating the necessary DB/tables within your DB.
2 - You can do that, but you have to implement a custom membership provider, which isn't really difficult. Here and here are some tutorials.
3 - You don't necessarily need to unless you either want to use your own data stores or you need functionality from it that isn't present in the built-in providers.
4 - I would say you're better off using the built-in functionality ASP.NET provides for membership and roles.

web based remote connections in c# advice

I am going to write up a webapp hosted on a windows 2003 server to allow me to connect to local and remote servers to do some basic things.
The webapp will be hosted on serverA. It will need to be able to copy files/folders from one folder to another on this server.
It will need to be able to connect to ServerB and copy files in the same way, e.g. copy \serverB\path\to\sourcefiles to \serverB\path\to\destinationfiles
ServerB hosts an installation of MSSQL 2008, I want to be able to create new database/login etc.
How do I go about this please? I've been reading a bit about Windows Authentication, Impersonation, Delegation but i don't know where to focus on.
thanks
S

To be honest there isn't really a one size fits all complete answer to your question, however there are a number of things that you need to take into consideration early in development to ensure that your platform is built on solid foundations.
From the description you have given the most critical consideration has to be security and everything you develop has to have this at its core. Judging by your post if the wrong person was to access your front end then they could wreak havoc.
As for the model to use, I would suggest Windows Authentication as this is built into the framework and gives you the ability to segregate into usergroups with differing levels of access. It will also open up some of the functionality you need, i.e. network copy of files etc
As for the database management aspect, this again can easily be done via Windows Authentication as you can grant (in SQL) windows users the ability to perform certain tasks, i.e. Create Database, Create Login, drop x, etc
All this said, it of course assumes that the two servers share user credentials, i.e. domain controller etc.
Another method, would be to use the web "interface" as a pass through onto a WCF service that operates under a specific user account that has the access you need. You would then seperately manage authentication/authorisation in a manner that you decide.
Like I said, no simple one size answer - but hopefully this will give you something to chew on.

If your goal is to create new databases or logins, why can't you use the create database and create login commands?

ASP.NET sessions over multiple domains

Is there a proper .NET solution for providing persistent server sessions over multiple domains?
i.e. If a user of the site logs in under www.site1.com, they will also then be logged in under www.site2.com
Security is an issue with the program we are working on...
Thanks!

Does it need to be in the session or are you looking for a single signon solution. If the latter take a look at something along the lines of ADFS
http://en.m.wikipedia.org/wiki/Active_Directory_Federation_Services?wasRedirected=true

You may want to start here instead of hacking into the ASPState database(possible, but I don't recommend it): http://www.codeproject.com/KB/session/sharedsession.aspx
Basically you set the AppDomain to be the same for both www.site1.com & www.site2.com using reflection.
You also may need to AppPath as well, we needed to, but our setup was slightly different than what you have. We added:
FieldInfo appDomainInfo = typeof(HttpRuntime).GetField("_appDomainId", BindingFlags.Instance | BindingFlags.NonPublic);
appDomainInfo.SetValue(theRuntime, "/LM/W3SVC/1/ROOT/A_Website_Name_Here");

The word 'session' can be a little confusing in ASP.NET.
If you are talking about security (authentication and authorization), you are probably looking for a Single Sign-On solution. In other words, when a user logs into one site they won't be prompted to log into another related site. Take a look at Windows Identity Foundation, OAuth, Jasig CAS. CAS is my preferred solution (I'm a developer on the .NET client), but the server is written in Java and you'll need some expertise with Java to get it configured the way you want.
In ASP.NET, Session state is a completely separate component from authentication and authorization (although it can depend on the result of the authentication step). If you are trying to share information between the 2 sites (i.e., shopping cart contents), you can either configure both domains to use the same database as a Session provider (google aspnet_regsql -ssadd) or you can just store the data in a database that is accessible by both.
For more info on why I emphasize the distinction, check this out: http://www.codeproject.com/KB/aspnet/ASPDOTNETPageLifecycle.aspx
Good luck.

Try using the canonical hostname URL Rewrite feature of the IIS 7.5 Url Rewrite 2 Module: Download
(This answer relies on both URL have hostheader entries for the same web application)

UI for SQL Server User managment

I am building a solution for a small business without any in house IT staff.
The central datastore is SQL SERVER (express2008)
I would like to leverage SQLs built in security (certain views for certain classes of employees).
However the boss (the one who needs the control to say who sees what and who can edit) is overwhelmed by Management Studio.
No I know that in just 16-20 hours I could put together a nice interface that uses SQL to manage the users.
It just seems silly for me to reinvent the wheel for what seams like it must be a common problem and must have been solved many times before. but searching on the web has not turned anything up.
I would rather something that I could package with my app (WPF/C#/Linq2Sql)
but if it was stand alone it would also be great as long as it was dummy proof.
While I am on the topic.
How do users usually change their sql passwords (when you are forced to used mixed authentication)?
Thanks

From Scott Guthrie's weblog:
If you haven’t watched this great online video yet you absolutely should. It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership Credential Store + Role Based Security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:recoverypassword> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user. The video shows how to-do all of this from scratch in only 17 minutes. You can watch it here. You can also find other great ASP.NET “how to” videos here.
Easiest way to implement this kind of functionality, in my opinion, assuming you're building an ASP.NET front-end.
Edit:
Even though you're delivering a desktop app, I'd still build a web app, stick it on their intranet and then there's one place to go for user account stuff. It's just too easy.
Edit Again:
Look into the stored procedures that are called from the <asp:changepassword> and the <asp:createuserwizard> controls and replicate them from in your admin section.
The answer you're looking for:
Again, Scott Guthrie comes to the rescue:
Peter Kellner has a good article on the new ASP.NET 2.0 Membership and Roles Features, and then put together a very useful sample that demonstrates how to implement a set of admin data-pages on top of the ASP.NET 2.0 Membership and Role Management system to allow you to remotely administer your users and roles. His sample is available to download in source format -- so you can integrate it within your applications to provide a remote management experience for users/roles that works well in a hosting environment.
Update: Check out Juval's article and sample code on how to accomplish the same thing using a Windows Forms front-end and web-services. Very slick!
Updated: Juval has updated his code again to support three options:
1) The version mentioned in the magazine
2) A WCF (Indigo) version hosted in IIS
3) A WCF (Indigo) version with a custom server host in case IIS isn't an option
You can download all three versions here: http://www.idesign.net/idesign/temp/CredentialsManager.zip
Hope this helps,
Scott