Introduction
When building web sites, a so-called "members only" section that is
password protected is often required.
The code in this project helps to implement "members only" access. You can
easily administer (see the image above) which users are allowed (add, modify and
delete users) in a single page.
This is done through ASP.NET Forms authentication, which is the most flexible
for applications on the web. In this project, the user names and passwords are
stored in web.config. Therefore, no database is needed.
As soon as a file with the .aspx extension is stored in the special
members subfolder, it is automatically protected.
The user administration in this project is done in a single ASP.NET page
(admin.aspx). The data is saved in the web.config file. Any user
who is authenticated can add new users, delete existing ones, and reset
passwords. Of course, existing passwords cannot be read back, nor can they be
changed without the affected user noticing.
Using the code
You don't need any programming knowledge to implement this project. Just copy
the sample files to your website.
web.config and login.aspx should be in the root folder and
admin.aspx should be in the protected folder. Both index.aspx
files (one in the root and one in the protected folder) are provided as samples.
You should replace them with your own content.
To make it work on your site, move all files that should be protected (all
files that are "members only") into the Members folder, and rename them
with the .aspx extension (instead of .htm or .html). Of course,
all links referring to these files should be updated too. Most HTML editors can do
this automatically.
In the downloadable sample code, two users are already configured:
- the user "admin", password "admin"
- the user "John", password "123"
Log on with one of these credentials in order to add your own name and
password. Use this page URL: http://www.sitename.com/members/admin.aspx (replace http://www.sitename.com/ with your own
hostname).
The section that is protected is currently hard-coded as "Members".
If you want to use another folder for this section, you have to modify
the project in three places:
- Rename the folder itself (or move the admin.aspx file to the other
folder).
- Change the value of the path attribute of the location element in
web.config.
- Modify the XPath search string that is used twice in admin.aspx.
Replace the word "members" with the name of the folder that you use.
How it works
The authentication process is pretty straightforward, and can be found in
most ASP.NET tutorials.
First of all, ASP.NET Forms authentication is set in the web.config
file (placed in the root folder of the web site).
Users are added to the <credentials> element, each with a hashed password
(MD5, as the passwordFormat attribute shows). The program will update a section
in web.config similar to this one:
<authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx"
           protection="All" timeout="999999">
        <credentials passwordFormat="MD5">
            <user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
            <user name="John" password="202CB962AC59075B964B07152D234B70" />
        </credentials>
    </forms>
</authentication>
Of course, from now on, you can add users and hashed passwords through the
administration web page.
Once the credentials are added, access is allowed for all users to all
folders except the special members folder, which is restricted to the listed
users while everyone else is denied. This is the section, as produced by the
program, that makes this happen:
<location path="members">
    <system.web>
        <authorization>
            <allow users="admin" />
            <allow users="John" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>
As an example, here's the procedure in VB.NET to modify a password in
web.config:
' Requires Imports System.Xml at the top of the page or its code-behind.
Function ModifyPasswordInConfigFile(strUsername As String, _
                                    strHash As String) As Boolean
    ModifyPasswordInConfigFile = False
    If strUsername <> "" Then
        Try
            Dim doc As New XmlDocument()
            ' admin.aspx lives in the members folder, so web.config is one level up.
            doc.Load(Server.MapPath("../web.config"))
            ' XPath to the <user> element whose name attribute matches. The name is
            ' inserted as-is, so a name containing an apostrophe would break the query.
            Dim strSel As String
            strSel = "/configuration/system.web/" & _
                     "authentication/forms/credentials/user[@name='" & _
                     strUsername & "']"
            Dim node As XmlNode = doc.SelectSingleNode(strSel)
            Dim element As XmlElement = CType(node, XmlElement)
            element.SetAttribute("password", strHash)
            doc.Save(Server.MapPath("../web.config"))
            ModifyPasswordInConfigFile = True
        Catch ex As Exception
            Trace.Warn(ex.ToString())
        End Try
    End If
End Function
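To show the whole update that admin.aspx performs on the two web.config sections above (a new <user> credential plus a matching <allow> rule), here is an added Python example; it is not the project's code and works on a constructed in-memory copy of the configuration rather than a real site's file. It also handles two details the article's routine leaves implicit: the new <allow> has to be inserted ahead of <deny users="*" />, and the user name must not be able to break out of the XPath predicate.

```python
import hashlib
import xml.etree.ElementTree as ET
# Constructed web.config in the shape the article shows (sample data, not a real site's file).
SAMPLE_CONFIG = """<configuration>
  <location path="members">
    <system.web>
      <authorization>
        <allow users="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
        <credentials passwordFormat="MD5">
          <user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""
CREDENTIALS = "./system.web/authentication/forms/credentials"
RULES = "./location[@path='%s']/system.web/authorization"

def md5_for_config(password):
    # Uppercase hex MD5 is what passwordFormat="MD5" compares against (no salt).
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()

def add_user(config_xml, name, password, folder="members"):
    # The name is spliced into an XPath predicate, so restrict it to characters that
    # cannot close the quoted string (the article's VB.NET routine does not check this).
    if not name or not name.replace("_", "").isalnum():
        raise ValueError("user name must be alphanumeric")
    root = ET.fromstring(config_xml)
    creds = root.find(CREDENTIALS)
    if creds.find("./user[@name='%s']" % name) is not None:
        raise ValueError("user already exists")
    ET.SubElement(creds, "user", name=name, password=md5_for_config(password))
    rules = root.find(RULES % folder)
    # Rules are evaluated top-down, first match wins: the new <allow> must go ahead of
    # <deny users="*" />, since appending it after the deny would lock the user out.
    deny_at = next(i for i, r in enumerate(rules) if r.tag == "deny" and r.get("users") == "*")
    rules.insert(deny_at, ET.Element("allow", users=name))
    return ET.tostring(root, encoding="unicode")

def authorization_rules(config_xml, folder="members"):
    # (tag, users) pairs of the folder's <authorization> section, in file order.
    return [(r.tag, r.get("users")) for r in ET.fromstring(config_xml).find(RULES % folder)]
```

The hash function reproduces the two values in the article's sample configuration, which also makes plain that an unsalted MD5 of a short password offers little protection if web.config is ever exposed.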
Future
Here are some ideas for improvement:
- Prevent users from deleting themselves.
- Distinguish two levels of users: simple users and administrators.
- Extend the protection to HTML files, images, databases, etc.
If anyone decides to extend this, or has any comments or questions, then it
would be great to hear from you.
Points of interest
The code shows how to easily look up and modify elements in web.config
configuration files (or other XML files) by using XPath query strings.
History
This is the first version, 1.0.