This ASP.NET Members Administration page assists in using a single subfolder for
"members only" access, and in administering which users are allowed access.
No database is required.

Introduction
When building web sites, a common request is a so-called "members only"
section that is password protected.
The code in this project helps to implement "members only" access.
You can easily administer (see the image above) which users are allowed (add,
modify and delete users) in a single page. This is done through ASP.NET Forms
authentication, which is the most flexible for applications on the web. In this
project, the user names and passwords are stored in web.config. Therefore, no
database is needed. As soon as a file with the extension aspx is stored in a
special "members" subfolder, it is protected automatically. The user
administration in this project is done in a single ASP.NET page (admin.aspx).
The data is saved in the web.config file.
Any user that is authenticated can add new users, delete existing ones, and
reset passwords.
Of course, existing passwords cannot be read, nor can they be changed without
this being detected by the user.

Using the code
You don't need any programming knowledge to implement this project.
Just copy the sample files to your website.
web.config and login.aspx should be in the root folder, admin.aspx should be
in the protected folder.
Both index.aspx files (one in the root and one in the protected folder) are
provided as samples. You should replace them with your own content.
To make it work on your site, move all files that should be protected (all
files that are "members only") into the "Members" folder, and rename them with
the .aspx extension (instead of .htm or .html). Of course, all links referring
to these files should be updated too. Most HTML editors can do this
automatically.
In the downloadable sample code, two users are already configured:
1) the user "admin", password "admin"
2) the user "John", password "123"
Log on with one of these credentials in order to add your own name and
password. Use this page URL:
http://www.sitename.com/members/admin.aspx
(replace www.sitename.com with your own hostname).
The section that is protected is currently hard-coded as "Members". If you want
to use another folder for this section, you have to modify the project in 3
places:
- Rename the folder itself (or move the admin.aspx file to the other folder)
- Change the value of the "path" attribute for the "location" element in
web.config
- Modify the XPath search string that is used twice in admin.aspx. Replace
the word "members" with the name of the folder that you use.

How it works
The authentication process is pretty straightforward, and can be found in
most ASP.NET tutorials.
First of all, ASP.NET Forms authentication is set in the web.config file
(placed in the root folder of the web site).
Users are added to the <credentials> element, each with a hashed
password (MD5 in this project).
The program will update a section in web.config similar to this one:
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
        <credentials passwordFormat="MD5">
          <user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
          <user name="John" password="202CB962AC59075B964B07152D234B70" />
        </credentials>
      </forms>
    </authentication>
Of course, from now on, you can add users and hashed passwords through the
administration web page. Once the credentials are added, all users are
authorized to access all folders except the special "members" folder.
This is the section that makes this happen, as produced by the program:
    <location path="members">
      <system.web>
        <authorization>
          <allow users="admin" />
          <allow users="John" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
As an example, here's the procedure in VB.NET to modify a password in
web.config:
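    ' Requires <%@ Import Namespace="System.Xml" %> at the top of the page.
    Function ModifyPasswordInConfigFile(strUsername As String, strHash As String) As Boolean
        ModifyPasswordInConfigFile = False
        ' Reject empty names and names containing a single quote: the name is
        ' concatenated into the XPath string literal below.
        If strUsername <> "" AndAlso strUsername.IndexOf("'"c) < 0 Then
            Try
                Dim strPath As String = Server.MapPath("../web.config")
                Dim doc As New XmlDocument()
                doc.Load(strPath)
                Dim strSel As String
                strSel = "/configuration/system.web/authentication/forms/credentials/user[@name='" & _
                    strUsername & "']"
                ' SelectSingleNode returns Nothing when no such user exists.
                Dim node As XmlNode = doc.SelectSingleNode(strSel)
                If Not node Is Nothing Then
                    Dim element As XmlElement = CType(node, XmlElement)
                    element.SetAttribute("password", strHash)
                    doc.Save(strPath)
                    ModifyPasswordInConfigFile = True
                End If
            Catch ex As Exception
                Trace.Warn(ex.ToString())
            End Try
        End If
    End Function
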
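An added example, not part of the original project: a short Python audit of the two web.config sections shown above. It flags sample accounts left in place, the unsalted MD5 format and the very long ticket timeout, and checks that the protected location ends in a deny rule. The function name, finding codes and the 60-minute threshold are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed input: the two web.config sections from the article, merged into one file.
SAMPLE = """<configuration><system.web><authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
<credentials passwordFormat="MD5">
<user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
<user name="John" password="202CB962AC59075B964B07152D234B70" />
</credentials></forms></authentication></system.web>
<location path="members"><system.web><authorization>
<allow users="admin" /><allow users="John" /><deny users="*" />
</authorization></system.web></location></configuration>"""

# Assumed word list: the article's two sample passwords; each user name is tried too.
SAMPLE_PASSWORDS = ["admin", "123"]

def audit_web_config(xml_text, max_timeout=60):
    """Return (code, detail) findings for the forms-auth parts of a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    forms = root.find("system.web/authentication/forms")
    if forms is not None:
        timeout = forms.get("timeout", "")
        if timeout.isdigit() and int(timeout) > max_timeout:
            findings.append(("long-timeout", f"{timeout} minutes"))
        creds = forms.find("credentials")
        fmt = creds.get("passwordFormat", "") if creds is not None else ""
        if fmt.upper() == "MD5":
            findings.append(("unsalted-md5", "equal passwords give equal hashes"))
            for user in creds.findall("user"):
                name, stored = user.get("name", ""), user.get("password", "").lower()
                for guess in SAMPLE_PASSWORDS + [name]:
                    if hashlib.md5(guess.encode()).hexdigest() == stored:
                        findings.append(("sample-password", name))
                        break
    # Authorization rules are evaluated top-down and the first match wins, so a
    # protected <location> needs a final <deny> for "*" (all) or "?" (anonymous).
    for loc in root.findall("location"):
        rules = loc.findall("system.web/authorization/*")
        last = rules[-1] if rules else None
        if last is None or last.tag != "deny" or last.get("users") not in ("*", "?"):
            findings.append(("no-final-deny", loc.get("path", "")))
    return findings

if __name__ == "__main__":
    for code, detail in audit_web_config(SAMPLE):
        print(f"{code}: {detail}")
```

A web.config that declares an xmlns on <configuration> needs namespace-qualified paths in the find calls.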
Future
Here are some ideas for improvement:
- Prevent users from deleting themselves.
- Differentiate into 2 levels of users: simple users and administrators
- Extend the protection to HTML files, images, databases, etc.
- Add an option to add roles as well
- Add a textbox to choose the name of the "Members" folder
If anyone decides to extend this, or has any comments or questions, then it
would be great to hear from you.

Points of interest
The code shows how to easily look up and modify elements in web.config
configuration files (or other XML files) by using XPath query strings.

History
This is the first version 1.0.