When building web sites, it is often requested to have a so-called "members
only" section, which is password protected.
The code in this project helps to implement "members only" access. You can
easily administer (see the image above) which users are allowed (add, modify and
delete users) in a single page.
This is done through ASP.NET Forms authentication, which is the most flexible
for applications on the web. In this project, the user names and passwords are
stored in web.config. Therefore, no database is needed.
As soon as a file with the extension aspx is stored in a special
members subfolder, automatically, it will be protected.
The user administration in this project is done in a single ASP.NET page
(admin.aspx). The data is saved in the web.config file. Any user
who is authenticated can add new users, delete existing ones, and reset
passwords. Of course, existing passwords cannot be read, nor can they be changed
without this being detected by the user.
Using the code
You don't need any programming knowledge to implement this project. Just copy
the sample files to your website.
web.config and login.aspx should be in the root folder and
admin.aspx should be in the protected folder. Both index.aspx
files (one in the root and one in the protected folder) are provided as samples.
You should replace them with your own content.
To make it work on your site, move all files that should be protected (all
files that are "members only") into the Members folder, and rename them
with the .aspx extension (instead of .htm or .html). Of course,
all links referring these files should be updated too. Most HTML editors can do
In the downloadable sample code, two users are already configured:
- the user "admin", password "admin"
- the user "John", password "123"
Log on with one of these credentials in order to add your own name and
password. Use this page URL: http://www.sitename.com/members/admin.aspx (replace http://www.sitename.com/ with your own
The section that is protected is currently hard-coded as "Members".
When you want to use another folder for this section, then you have to modify
the project in 3 places:
- Rename the folder itself (or move the admin.aspx file to the other
- Change the value of the
path attribute for the
location element in web.config.
- Modify the XPath-search string that is used twice in admin.aspx.
Replace the word "members" by the name of the folder that you use.
How it works
The authentication process is pretty straightforward, and can be found in
most ASP.NET tutorials.
First of all, ASP.NET Forms authentication is set in the web.config
file (placed in the root folder of the web site).
Users are added to the
<credentials> element, with an
encrypted password. The program will update a section in web.config
similar to this one:
<forms name=".ASPXAUTH" loginUrl="login.aspx"
<user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
<user name="John" password="202CB962AC59075B964B07152D234B70" />
Of course, from now on, you can add users and encrypted passwords through the
administration web page.
Once the credentials are added, the access is authorized for all users to all
folders, except to the special members folder. This is the section that
makes this happen, as produced by the program:
<allow users="admin" />
<allow users="John" />
<deny users="*" />
As an example, here's the procedure in VB.NET to modify a password in
Function ModifyPasswordInConfigFile(strUsername _
As String,strHash As String) As Boolean
ModifyPasswordInConfigFile = False
If strUsername <> "" Then
Dim doc As New XmlDocument()
Dim strSel As String
strSel = "/configuration/system.web/" & _
"authentication/forms/credentials/user[@name='" & _
strUserName & "']"
Dim node As XmlNode = doc.SelectSingleNode(strSel)
Dim element As XmlElement = CType(node,XmlElement)
ModifyPasswordInConfigFile = True
Catch ex As Exception
Here are some ideas for improvement:
- Prevent users from deleting themselves.
- Differentiate into 2 levels of users: simple users and administrators.
- Extend the protection to HTML files, images, databases, etc.
If anyone decides to extend this, or has any comments or questions, then it
would be great to hear from you.
Points of interest
The code shows how to easily look up and modify elements in web.config
configuration files (or other XML files) by using XPath query strings.
This is the first version 1.0.