Microsoft C# Professional Projects - Premier Press.pdf

576 Project 4 CREATING AN AIRLINE RESERVATION PORTAL

the authentication ticket for the user by using the GetAuthCookie method, add a reference to the System.Web.Security namespace in the default.aspx page and call the GetAuthCookie method of the FormsAuthentication class. The code snippet where you need to make the change is given as follows, and the changes made appear in bold format.

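    if (Role == "Disabled")
    {
        lblMessage.Text = "Your account has been disabled. Please contact the network administrator.";
        return;
    }
    // GetAuthCookie only creates the cookie and returns it; it must be added
    // to the response, otherwise no authentication ticket reaches the browser.
    Response.Cookies.Add(FormsAuthentication.GetAuthCookie(username, false));
    switch (Role)
    {
        case "Admin":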

After you have issued an authentication ticket to the user, you need to remove the ticket when the user logs off from the Web site. To remove the authentication ticket, use the SignOut method of the FormsAuthentication class in the Logoff.aspx form. The code for the Load event of the form, which implements the log off functionality, is given as follows:

    private void Page_Load(object sender, System.EventArgs e)
    {
        Session.RemoveAll();
        FormsAuthentication.SignOut();
    }

When the user logs off from the Web site, the authentication ticket for the user is removed and the user has restricted access to the Web site.

Securing SQL Server

Although not directly in the purview of ASP.NET, you need to secure the SkyShark Airlines databases to ensure that the security aspects of the Web application are taken care of. In this section, I briefly describe the authentication process of SQL Server to help you secure SQL Server by using the optimal authentication mode.

SECURING THE APPLICATION Chapter 25 577

To access the resources on SQL Server 2000, you pass through two security stages. The first security stage is the authentication stage. In this stage, you need to enter a valid logon ID and password. After you pass this stage, you are connected to an instance of SQL Server 2000. The next stage is the authorization stage. In this stage, the exact permissions to be granted to a user to access different databases are decided. The user needs to have an account in each of the databases to which the user wants to connect and access resources. This stage also enables you to determine the extent of activities that a user can perform on a specified database. SQL Server 2000 uses two authentication modes:

Windows Authentication mode. The Windows Authentication mode enables you to connect to the SQL Server by using the Windows 2000 domain user account.

Mixed Authentication mode. The Mixed Authentication mode enables you to connect to the SQL Server either by using Windows authentication or by using SQL Server ID-based authentication. If either of the logon credentials is valid, you are able to connect to an instance of SQL Server 2000.

To configure the authentication mode on SQL Server, follow these steps:

1. Open SQL Server Enterprise Manager.

2. Right-click on the name of the SQL Server on which you want to configure authentication and select Properties. The SQL Server Properties (Configure) dialog box will appear.

3. Click on the Security tab. The Security tab of the SQL Server Properties (Configure) dialog box is shown in Figure 25-3.

4. Select the authentication mode that you want from the Security section of the SQL Server Properties (Configure) dialog box and click on OK.
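
After changing the setting, you can confirm from Query Analyzer which mode the instance is actually running in and which logins that mode exposes. The script below is an added example, not code from the book; it assumes SQL Server 2000, a connection with sysadmin rights, and column aliases chosen here for readability.

```sql
-- Added example: verify the authentication mode and review the logins it allows.
-- Assumes SQL Server 2000 and a sysadmin connection; aliases are illustrative.
SET NOCOUNT ON

DECLARE @WindowsOnly int
-- IsIntegratedSecurityOnly: 1 = Windows Authentication mode, 0 = Mixed mode
SET @WindowsOnly = CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))

IF @WindowsOnly = 1
    PRINT 'Authentication mode: Windows Authentication only.'
ELSE
BEGIN
    PRINT 'Authentication mode: Mixed (Windows and SQL Server logins).'

    -- SQL Server logins (isntname = 0) can connect only in Mixed mode.
    -- Review this list: each entry is a password-based way into the instance.
    SELECT name     AS SqlLogin,
           dbname   AS DefaultDatabase,
           sysadmin AS IsSysadmin
    FROM master.dbo.syslogins
    WHERE isntname = 0
    ORDER BY sysadmin DESC, name
END

-- Windows users and groups that can pass the authentication stage,
-- with the ones holding the sysadmin role listed first.
SELECT loginname AS WindowsLogin,
       isntgroup AS IsGroup,
       denylogin AS IsDenied,
       sysadmin  AS IsSysadmin
FROM master.dbo.syslogins
WHERE isntname = 1
ORDER BY sysadmin DESC, loginname
```

If the first result set lists SQL logins that the application does not use, Windows Authentication mode is the tighter choice, because those logins stop being accepted once it is selected and the service is restarted.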