This ASP.NET Members Administration page assists
in using a single subfolder for "members only" access, and in administering
which users are allowed access. No database is required.
When building web sites, it is often requested to have a so-called "members
only" section, which is password protected.
The code in this project helps to implement "members only" access.
You can easily administer (see the image above) which users are allowed (add, modify
and delete users) in a single page.
This is done through ASP.NET Forms authentication, which is the most flexible for
applications on the web. In this project, the user names and passwords are stored
in web.config. Therefore, no database is needed.
As soon as a file with the extension aspx is stored in a special "members"
subfolder, automatically, it will be protected.
The user administration in this project is done in a single ASP.NET page (admin.aspx).
The data is saved in the web.config file.
Any user that is authenticated can add new users, delete existing ones, and reset
Of course, existing passwords can not be read, nor can they be changed without this
being detected by the user.
Using the code
You don't need any programming knowledge to implement this project. Just copy the
sample files to your website.
web.config and login.aspx should be in the root folder, admin.aspx should be in
the protected folder.
Both index.aspx files (one in the root and one in the protected folder) are provided
as samples. You should replace them with your own content.
To make it work on your site, move all files that should be protected (all files
that are "members only") into the "Members" folder, and rename
them with the .aspx extension (instead of .htm or .html). Of course, all links referring
these files should be updated too. Most HTML editors can do this automatically.
In the downloadable sample code, two users are already configured:
1) the user "admin", password "admin"
2) the user "John", password "123"
Log on with one of these credentials in order to add your own name and password.
Use this page URL: http://www.sitename.com/members/admin.aspx
(replace www.sitename.com with your own hostname).
The section that is protected is currently hard-coded as "Members".
When you want to use another folder for this section, then you have to modify the
project in 3 places:
- Rename the folder itself (or move the admin.aspx file to the other folder)
- Change the value of the "path" attribute for the "location"
element in web.config
- Modify the XPath-search string that is used twice in admin.aspx. Replace the word
"members" by the name of the folder that you use.
How it works
The authentication process is pretty straightforward, and can be found in most ASP.NET
First of all, ASP.NET Forms authentication is set in the web.config file (placed
in the root folder of the web site).
Users are added to the <credentials> element, with an encrypted password.
The program will update a section in web.config similar to this one:
<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
<user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
<user name="John" password="202CB962AC59075B964B07152D234B70" />
Of course, from now on, you can add users and encrypted passwords through the administration
Once the credentials are added, the access is authorized for all users to all folders,
except to the special "members" folder.
This is the section that makes this happen, as produced by the program:
<allow users="admin" />
<allow users="John" />
<deny users="*" />
As an example, here's the procedure in VB.NET to modify a password in web.config:
Function ModifyPasswordInConfigFile(strUsername As String,strHash As String) As Boolean
ModifyPasswordInConfigFile = False
If (strUsername <> "") Then
Dim doc As New XmlDocument()
Dim strSel As String
strSel = "/configuration/system.web/authentication/forms/credentials/user[@name='" & _
strUserName & "']"
Dim node As XmlNode = doc.SelectSingleNode(strSel)
Dim element As XmlElement = CType(node,XmlElement)
ModifyPasswordInConfigFile = True
Catch ex As Exception
Here are some ideas for improvement:
- Prevent users from deleting themselves.
- Differentiate into 2 levels of users: simple users and administrators
- Extend the protection to HTML files, images, databases, etc.
- Add an option to add roles as well
- Add a textbox to choose the name of the "Members" folder
If anyone decides to extend this, or has any comments or questions then it would
be great to hear from you.
Points of interest
The code shows how to easily look up and modify elements in web.config configuration
files (or other XML files) by using XPath query strings.
This is the first version 1.0.