Forms Authentication Using An XML Users File

In this scenario, the client requests a protected resource, Default.aspx. There are two directories (FormsAuth and AddUser) and six files used in this application example. They are arranged as follows.

\FormsAuth (Web.config, Default.aspx, Logon.aspx, Users.xml)
\AddUser (Web.config, AddUser.aspx)

The FormsAuth directory is the application root.

In the security section of the Web.config file located in the FormsAuth directory, the authorization is set so that only authenticated users can access this directory. Also, the authentication mode is set to Forms, so ASP.NET tries to find a cookie that is attached to the request. If it finds none, it redirects the request to a logon page (Logon.aspx). There, the client user enters the required credentials (e-mail name and password). The page compares the entered credentials to a list of credentials in an XML file (Users.xml). If a match is found, the request is considered authenticated and the client is redirected to the originally requested resource (Default.aspx). If no match is found, the request is redirected to the Add User page (AddUser.aspx). The Web.config file located in the AddUser directory has authorization set to allow everyone access. There, the newly entered credentials are encoded and added to the XML file (Users.xml).
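The two authorization settings described above can be sketched as follows. This is an added illustration, not the sample's own files: only the Forms mode, the Logon.aspx logon page, and the two access rules come from the text, and the cookie name, protection, and timeout values are assumptions.

```xml
<!-- Web.config in the FormsAuth directory (application root) -->
<configuration>
  <system.web>
    <!-- Forms mode: ASP.NET looks for the authentication cookie on each
         request and redirects to loginUrl when it is missing. -->
    <authentication mode="Forms">
      <!-- name, protection and timeout are assumed values for illustration -->
      <forms name=".ASPXFORMSAUTH"
             loginUrl="Logon.aspx"
             protection="All"
             timeout="30" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: deny anyone who is not authenticated -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Web.config in the AddUser directory -->
<configuration>
  <system.web>
    <authorization>
      <!-- "*" is every user, anonymous included, so an unauthenticated
           visitor can reach AddUser.aspx -->
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

ASP.NET evaluates a directory's own authorization rules ahead of those inherited from its parent and stops at the first match, so the allow rule in the AddUser directory takes effect before the root's deny rule is reached. Keep that exemption scoped to the AddUser directory only, since every page placed there is reachable without logging on.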

The following six files are associated with this example:

  • Three .aspx files (Default.aspx, Logon.aspx, and AddUser.aspx).
  • Two configuration files (both are named Web.config, but one is located in the application root directory and the other is located in the AddUser directory).
  • One XML file (Users.xml) that contains user credentials.
