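// .NET Service Configuration V2.0 for Design Considerations for Service-Oriented Applications
// based on Windows Communication Foundation. Created with Microsoft .NET Framework 3.5 and
// Microsoft Visual Studio. Copyright 2008, Microsoft Corporation.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Collections.Generic;
using System.ServiceModel;
using System.Threading;
using Trade.StockTraderWebApplicationSettings;
using Trade.StockTraderWebApplicationModelClasses;
using Trade.StockTraderWebApplicationServiceClient;
using Trade.Utility;

namespace Trade.Web
{
    /// <summary>
    /// Performs authenticated login and sets the FormsAuth cookie if the user is
    /// authenticated against the registered users DB.
    /// </summary>
    public partial class Login : System.Web.UI.Page
    {
        /// <summary>
        /// Renders the current date and, on a postback, runs the login attempt.
        /// </summary>
        /// <param name="e">Event data supplied by the page life-cycle.</param>
        protected override void OnLoad(EventArgs e)
        {
            // Let the base class raise the Load event (Page_Load and any wired
            // handlers); the override previously skipped this call.
            base.OnLoad(e);

            Date.Text = DateTime.Now.ToString("f");
            if (IsPostBack)
            {
                processLogin();
            }
        }

        /// <summary>
        /// Validates the page, looks the user up through the business services client,
        /// and either issues the forms-authentication ticket and redirects to the home
        /// page or shows the generic invalid-login message.
        /// </summary>
        protected void processLogin()
        {
            Page.Validate();
            if (!Page.IsValid)
            {
                return;
            }

            // Authenticate the user against the Trade AccountProfile table for non-admin
            // (normal) users, or against the configuration system users table if administrator.
            //
            // Notes on security:
            // We are using ASP.NET Forms authentication, which automates the authentication process
            // against either a simple list of valid users, a backend database of registered users
            // (StockTrader uses this mechanism), Windows Active Directory, or any pluggable mechanism
            // based on the extensibility of Forms Authentication in ASP.NET 2.0. Via Forms
            // Authentication, ASP.NET provides automatic authentication for restricted pages and
            // automates redirects to login forms such as this one. ASP.NET Forms authentication
            // defaults to SHA1 for HMAC generation and AES for encryption, which is recommended.
            // The key to securing .NET StockTrader is to use Protection="All" for the forms
            // authentication directive in web.config, and just as importantly, an application such
            // as this in production would be run over SSL for all authenticated pages identified as
            // restricted via ASP.NET Forms Authentication.
            // An excellent security Patterns and Practices resource on how to secure Internet
            // applications can be found at:
            //   http://msdn2.microsoft.com/en-us/library/aa302415.aspx
            // Information on Forms Authentication, encryption and using Forms Authentication with
            // SSL is available at:
            //   http://msdn2.microsoft.com/en-us/library/ms998310.aspx

            // Read the credentials from the posted form only. Request[...] also consults the
            // query string and cookies, so a password carried in a URL would be recorded in
            // browser history and in proxy/server logs; login only runs on postback anyway.
            string userID = Input.InputText(Request.Form["uid"], StockTraderUtility.USERID_MAX_LENGTH);
            string password = Input.InputText(Request.Form["password"], StockTraderUtility.PASSWORD_MAX_LENGTH);

            AccountDataUI customer = null;
            try
            {
                BSLClient businessServicesClient = new BSLClient();
                customer = businessServicesClient.login(userID, password);
            }
            catch (Exception ex)
            {
                // The WebSphere-backed service reports an unknown user through the exception
                // message; treat that as a failed login and surface every other failure.
                if (!ex.Message.Contains(StockTraderUtility.EXCEPTION_WEBSPHERE_USERID_NOTFOUND))
                {
                    throw;
                }
                customer = null;
            }

            if (customer == null)
            {
                // One generic message whether the lookup returned null or the user was not
                // found, so the form does not reveal which accounts exist.
                InValid.Text = StockTraderUtility.EXCEPTION_MESSAGE_INVALID_LOGIN;
                return;
            }

            // Non-persistent cookie: the ticket lives only for the browser session.
            FormsAuthentication.SetAuthCookie(customer.profileID, false);
            // endResponse = true ends processing of this page once the redirect is issued.
            Response.Redirect(Settings.PAGE_HOME, true);
        }
    }
}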