ASP.NET 3.5 Basic User Account Management
User account management is an important topic in ASP.NET 3.5 web development. Websites are deployed on the Internet, where users need to interact with them, so user account management is essential for any functionality that involves user interaction. This article will show you the basics of using the ASP.NET 3.5 membership system.
Examples of the functionality that a user account management system can provide are the following:
Registering users for the website. If your website accepts some form of membership, then you will need to define that in ASP.NET's user management system.
Providing security to administrative folders. Of course this is necessary, since the website will be deployed on the Internet. Without user management, any user can access administrative folders. These folders are meant to be accessed only by the website's administrators.
Limiting access to public users. Public and anonymous users are the same. So if your website offers some benefits for the members (registered users) such as free access to downloadable materials, then you need to restrict unregistered, anonymous users from accessing those folders.
Overview of ASP.NET 3.5 Membership System
To manage user-related accounts, you need to enable the ASP.NET 3.5 membership system. This is done at the website development stage, where the website administrators and initial sets of users are defined.
Understanding ASP.NET 3.5's membership system is simple. The overall functionality/features of this membership system can be visualized in the hierarchy chart below:
To enable the ASP.NET membership system, you need to select one of two types of authentication. For Internet/website applications, you need to choose Internet-based authentication using web forms. Windows-based authentication is commonly used in corporate LAN/intranet applications.
Once you have enabled your website to accept Internet-based authentication, you need to add users and categorize them according to “roles.” The three most common types of roles are the administrator, registered users and public/anonymous.
Roles are used in defining the access rights for every user of the website. For example, in the hierarchy chart above, the administrator can access all of the website's files and folders, whereas the registered users can only access folders meant for them. The public users (non-registered members of the website) are only allowed to access the normal web pages designed for browsing and information purposes.
As in web forums, administrators can control all of the files, and the registered members can post, reply or create new threads, while the public users are only allowed to read the thread posts. For public users to have access rights in creating threads or replying to any post, they will need to become registered users of the forum.
Let’s walk through an example that shows how to create and manage ASP.NET membership at the website development stage:
Step 1. Launch Visual Web Developer Express 2008, create an ASP.NET website project and name that project “websitemembershipexample.”
Step 2. Go to View -> Solution Explorer.
Step 3. Click the Windows path of your website under Solution Explorer, for example “E:aspdotnetprojectswebsitemembershipexample”. Clicking on it will highlight the selected item.
Step 4. Right click on the highlighted item and click “New Folder.” See screen shot below:
Step 5. You need to create three folders and name them Admin, Public, and Registered.
Step 6. Go to File -> Save all to save changes.
According to the hierarchy discussed in the previous section, you need first to enable ASP.NET membership using Internet/form-based authentication before you can define roles and access rights.
For this example, say you have the following roles and access rights definitions:
“Admin” folder = allows only administrators and denies access to others.
“Registered” folder = allows only administrators and registered users, and denies access to anonymous users.
“Public” folder = allows access to anyone.
To enable form-based authentication (for a web/Internet application), follow the steps below:
Step 1. In Visual Web Developer, go to Website -> ASP.NET Configuration.
Step 2. The administration console will be launched in a web browser.
Step 3. Under “Welcome to the Web Site Administration Tool,” click the “Security” link.
Step 4. Click “Select Authentication Type” link under “Users.”
Step 5. Under the selection “How will users access your site?”, select “From the Internet” and click “Done” button.
Now that you have enabled form-based authentication, let’s add a sample set of users by clicking the “Create User” link under “Users.”
You need to fill in every field, including a hard-to-guess password and a security question.
Let’s add at least two users, one as an administrator and one as a registered user of the website.
For this sample website, below are the users and their roles (assigning users to their role will be discussed in the next section):
Username: CodexM, Role name: administrator
Username: RegisteredUser, Role name: WebsiteRegisteredUser
Now click the button “Create User” and finally “Continue.” If you have finished adding users, click the “Home” link in the navigation menu of the website administration tool.
In the upcoming set of ASP.NET user management tutorials, you will learn how to do this directly on an ASP.NET web page, so that any website visitors can register with your website automatically, without going to the website administration tool.
Since there are now at least two users for the sample website, let’s assign roles to them.
To assign roles, follow the steps below:
Step 1. Click the “Security” link.
Step 2. Under “Roles,” click “Enable roles.”
Step 3. Under “Roles,” click “Create or Manage roles.”
Step 4. The tool will ask you to give a “new role name.” You need to add two roles, Administrator and WebsiteRegisteredUser.
Type Administrator and then click the “Add role” button. Do the same for WebsiteRegisteredUser.
Step 5. Now that the roles are created, you need to add users to fill that role. Let’s add the user CodexM to fill the Administrator role. For the Administrator role, click the “Manage” link under “Add/Remove Users.”
Step 6. Type the username in the “Search for Users” box and then check the box under “User Is in Role.”
Step 7. Click “Back” and then do the same for the “WebsiteRegisteredUser” role by adding “RegisteredUser” to that role.
Now that the roles and users are completely defined, you can now assign access rules to them. For this example, you will need:
1. Administrator role – accesses the “Admin” folder and other folders.
2. WebsiteRegisteredUser role – accesses only the “Registered” and “Public” folders in your website. They will not be allowed to access the “Admin” folder.
To assign access rules for those two roles, follow the steps below:
Step 1. In the Web Site Administration Tool, go to “Home” and then click the “Security” link.
Step 2. Under “Access Rules,” click “Create access rules.”
Step 3. To let the “Administrator” role access the “Admin” folder, click the “Admin” folder under “Select a directory for this rule.”
Step 4. Then under “Role” select “Administrator” from the drop down list. Set “Permission” to “Allow,” and click “OK.”
Step 5. Since you need to deny “WebsiteRegisteredUser” access to the “Admin” folder, click “Create access rules” again, click the “Admin” folder again, and then set the Role to “WebsiteRegisteredUser.”
Step 6. Under “Permission,” select “Deny” and then click OK.
Step 7. You need to prevent anonymous users from accessing the “Admin” folder as well. On the “Create access rules” page, select “Anonymous users.” Under “Permission,” click “Deny” and then click OK.
When you click “Manage access rules” under “Access rules,” you should see this access rights table for the “Admin” folder (configured using the above steps):
Use the same method for assigning access rights to “Registered” and “Public” folders, and you should get results that resemble the screen shot below:
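ASP.NET URL authorization reads rules like these from `<authorization>` elements in a web.config file inside each folder. As an added example (not taken from the original article), here is the “Admin” rule set from Steps 3 to 7 next to a tighter allow-then-deny-all form; the folder and role names are the article's, and showing three separate files in one listing is only for illustration.

```xml
<!-- Added illustration, not from the original article. -->

<!-- File 1: Admin/web.config, the rules as created in Steps 3-7 above. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are checked top to bottom; the first match decides. -->
      <allow roles="Administrator" />
      <deny roles="WebsiteRegisteredUser" />
      <deny users="?" />  <!-- "?" = anonymous (not signed in) -->
      <!-- A signed-in user who holds neither role matches none of the
           three rules and falls through to the inherited default
           <allow users="*" />, so that account can open Admin. -->
    </authorization>
  </system.web>
</configuration>

<!-- File 2: Admin/web.config, tighter alternative:
     allow the one role, then deny everyone else. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />  <!-- "*" = all users, signed in or not -->
    </authorization>
  </system.web>
</configuration>

<!-- File 3: Registered/web.config, same pattern for both roles.
     The Public folder needs no file: it inherits the default allow. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator,WebsiteRegisteredUser" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The difference matters once accounts can exist without a role, for example a user created in the tool but never added to “WebsiteRegisteredUser”: with File 1 that account reaches the “Admin” folder, with File 2 it does not.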
IMPORTANT: When you enable ASP.NET membership, set roles and define access rights, what you have done is stored in an automatically created MS SQL Server database named “ASPNETDB.MDF” under the App_Data folder in your website root directory.
If your website hosting company only allows you to use one MS SQL Server database, you can use the ASPNETDB.MDF database for your website applications as well as for user account management purposes. This can be done by creating new database tables for your website applications under “Tables.”