CREATE DATABASE webCREATE TABLE users( username nvarchar(64) CONSTRAINT users_PK PRIMARY KEY, password nvarchar(128), roles nvarchar(64))CREATE INDEX credentials ON users( username, password)格式
username |password |roles
"hstewart"|"codeproject" |"Administrator,User"
"joe" |"schmoe" |"User"web.config 的设置
<?xml version="1.0" encoding="utf-8" ?><configuration> <system.web> <compilation defaultLanguage="c#" debug="true" /> <customErrors mode="RemoteOnly" /> <authentication mode="Forms"> <forms name="MYWEBAPP.ASPXAUTH" loginUrl="login.aspx" protection="All" path="/"/> </authentication> <authorization> <allow users="*"/> </authorization> <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" /> <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" /> <globalization requestEncoding="utf-8" responseEncoding="utf-8" /> </system.web><location path="administrators"> <system.web> <authorization> <!-- Order and case are important below --> <allow roles="Administrator"/> <deny users="*"/> </authorization> </system.web> </location> <location path="users"> <system.web> <authorization> <!-- Order and case are important below --> <allow roles="User"/> <deny users="*"/> </authorization> </system.web> </location></configuration>Global.asax
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; FormsAuthenticationTicket ticket = id.Ticket; // Get the stored user-data, in this case, our roles string userData = ticket.UserData; string[] roles = userData.Split(','); HttpContext.Current.User = new GenericPrincipal(id, roles);
} } }
} System.Web .HttpApplication app=((HttpApplication)sender); System.Web.HttpContext ctx=app.Context; if (ctx.Request .IsAuthenticated)login.aspx
private void Button1_Click(object sender, System.EventArgs e) { // Initialize FormsAuthentication, for what it's worth FormsAuthentication.Initialize(); // Create our connection and command objects SqlConnection conn = new SqlConnection("server=localhost;database=web;User ID=sa;password="); SqlCommand cmd = conn.CreateCommand(); cmd.CommandText = "SELECT roles FROM users WHERE username=@username " + "AND password=@password"; // Fill our parameters cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = Username.Text; cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = Password.Text; // Or "sha1" // Execute the command conn.Open(); SqlDataReader reader = cmd.ExecuteReader(); if (reader.Read()) { // Create a new ticket used for authentication FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1, // Ticket version Username.Text, // Username associated with ticket DateTime.Now, // Date/time issued DateTime.Now.AddMinutes(30), // Date/time to expire true, // "true" for a persistent user cookie reader.GetString(0), // User-data, in this case the roles FormsAuthentication.FormsCookiePath);// Path cookie valid for // Encrypt the cookie using the machine key for secure transport string hash = FormsAuthentication.Encrypt(ticket); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, // Name of auth cookie hash); // Hashed ticket // Set the cookie's expiration time to the tickets expiration time if (ticket.IsPersistent) cookie.Expires = ticket.Expiration; // Add the cookie to the list for outgoing response Response.Cookies.Add(cookie); // Redirect to requested URL, or homepage if no previous page // requested string returnUrl = Request.QueryString["ReturnUrl"]; if (returnUrl == null) returnUrl = "/"; // Don't call FormsAuthentication.RedirectFromLoginPage since it // could // replace the authentication ticket (cookie) we just added Response.Redirect(returnUrl); } else { // Never tell the user if just the username is password is incorrect. // That just gives them a place to start, once they've found one or // the other is correct! ErrorLabel.Text = "Username / password incorrect. Please try again."; ErrorLabel.Visible = true; } reader.Close(); conn.Close(); }
在根目录下建
administrators 目录
users 目录
两个目录下分别建调用页面
调用页面内容
private void Page_Load(object sender, System.EventArgs e) { // 在此处放置用户代码以初始化页面 if (User.IsInRole("Administrator")) this.Response .Write ("Administrator"); if (User.IsInRole ("User")) this.Response .Write ("User"); }