ASP.NET 2.0 & IIS 6.0 Folder Security: Directory Security

January 31, 2010 18:33 by XeroOne

ASP.NET 2.0 (and later) provides excellent built-in functionality for managing users, memberships, and roles, which we've used in many of our projects for securing site administration portals, intranets, and more. However, there is one major problem.

The Problem

ASP.NET does not handle folder-based security properly. By default, IIS hands only certain file types to the ASP.NET ISAPI handler (a list of those file types and their descriptions can be found in the ASP.NET documentation). The web.config file allows you to specify which users and roles can access the files within a specific directory; however, because only the mapped file types ever reach ASP.NET, non-supported file types are not protected. For example: we used forms authentication to deny unauthenticated users access to our /Secure directory. Thus http://www.XeroOne.com/secure/default.aspx is protected, but http://www.XeroOne.com/secure/not-secure.html is still accessible by anyone.

On Linux and Apache servers, the .htaccess file is a good solution for protecting entire directories, and it can be used in a Windows environment, but it is not a good solution in our case as it takes user authentication control away from ASP.NET Membership. What we needed was a solution that allowed us to continue to use ASP.NET Membership to manage and authenticate our users, but also to protect non-ASP.NET files for an entire directory.

The Solution

There is no catch-all solution that will work in every scenario. What we've developed is a GOOD system that handles the most common cases, and even a few of the more uncommon ones. Our solution does require that you have access to IIS 6.0 administration in order to implement it. If you're using a shared hosting environment, then our solution simply isn't for you.

In short, all we're doing is creating additional application extension mappings in IIS (and matching httpHandler entries in web.config) so that the chosen file types are handed to ASP.NET. You'll need to determine ahead of time which file types you need to protect; for simplicity, this example shows how to add protection for .html, .pdf, and .doc.

Step 1: Add the IIS entries

  1. Open IIS 6.0, choose your virtual directory, and open the configuration properties window (right-click, choose Properties).
  2. Click on the "Home Directory" tab and click on "Configuration".
  3. Select the ".aspx" extension in the list, and click on the "Edit" button. Copy the path found in the "Executable" textbox (the path to aspnet_isapi.dll).
  4. Click on the "Cancel" button to close the "Add/Edit Application Extension Mapping" window.
  5. Click on the "Add" button in the "Application Configuration" window.
  6. Paste the copied path to aspnet_isapi.dll into the executable text area.
  7. Type the extension you are adding in the extension text area. This can be any extension you want, e.g. .html, .pdf, .doc, etc.
  8. Choose the "Limit to" radio button and type "GET,HEAD,POST,DEBUG" in the textbox.
  9. Ensure the "Script engine" checkbox is selected, and the "Check that file exists" checkbox is deselected.
  10. Click on the "Ok" button to finalize the process and close the window.
  11. Repeat steps 5 - 10 for each file extension you will be adding.

Step 2: Update the application's web.config

  1. Open your application's web.config file for editing.
  2. Find the <httpHandlers> section of the XML.
  3. Within this section, add the following entry for each file extension you added to IIS:
            <add verb="GET,HEAD,POST,DEBUG" path="*.html"
                     type="System.Web.UI.PageHandlerFactory"/>
  4. Note: replace "*.html" with whatever extension you are adding.
  5. Find the <compilation> section of the XML and ensure the definition appears as below:
            <compilation debug="false" strict="false" explicit="true">
  6. Within the <buildProviders> section, add the following entry for each file extension you added in IIS:
            <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />

 

When you are complete, your web.config sections should appear as follows:

<httpHandlers>
        <add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.pdf" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.doc" type="System.Web.UI.PageHandlerFactory"/>
</httpHandlers>

and

<compilation debug="false" strict="false" explicit="true">
        <buildProviders>
                <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".pdf" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".doc" type="System.Web.Compilation.PageBuildProvider" />    
        </buildProviders>
</compilation>

That's it.  You're done!
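As an added example (not code from the original post), the following Python script models the behaviour the post describes: ASP.NET's URL authorization only runs for requests that IIS hands to aspnet_isapi.dll, so forms authentication on /Secure covers only the mapped extensions. The web.config it parses is constructed for this example and includes the <location>/<authorization> block that the post relies on but does not show; the default extension set, the /Secure paths and the file names are assumptions. The audit_unprotected function is the check a practitioner would run over a listing of the protected folder to find extensions that were never mapped (here .doc is deliberately left out of the constructed config so the audit has something to report).

```python
import xml.etree.ElementTree as ET

# Extensions that a default ASP.NET 2.0 install on IIS 6.0 already maps to
# aspnet_isapi.dll (a subset of the real list, assumed here for the model).
DEFAULT_ASPNET_EXTENSIONS = {
    ".aspx", ".ascx", ".ashx", ".asmx", ".asax", ".axd",
    ".config", ".cs", ".vb", ".master", ".resx", ".sitemap", ".skin",
}

# Constructed web.config: the handler entries from step 2 plus the
# <location> block that actually denies anonymous users ("?") under /Secure.
# .doc is deliberately left out so the audit below has something to find.
WEB_CONFIG = """<configuration>
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms" />
    <httpHandlers>
      <add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
      <add verb="GET, HEAD, POST, DEBUG" path="*.pdf" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
  </system.web>
</configuration>"""


def ext_of(path):
    """Lower-cased extension of the last path segment, '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def handler_extensions(config_xml):
    """Extensions the <httpHandlers> section routes to ASP.NET handlers.
    These only take effect if the matching IIS mapping (step 1) exists."""
    root = ET.fromstring(config_xml)
    return {ext_of(add.get("path", "")) for add in root.findall(".//httpHandlers/add")}


def protected_folders(config_xml):
    """Folders whose <location> block denies anonymous users."""
    root = ET.fromstring(config_xml)
    folders = []
    for loc in root.findall("location"):
        if loc.find(".//authorization/deny[@users='?']") is not None:
            folders.append("/" + loc.get("path").strip("/").lower() + "/")
    return folders


def request_outcome(url_path, iis_mapped, config_xml, authenticated=False):
    """Decide what happens to one request.

    'served-by-iis'  - IIS serves the file itself; ASP.NET never sees the
                       request, so the web.config authorization is skipped.
    'login-redirect' - ASP.NET ran, the folder denies '?', user is anonymous.
    'served'         - ASP.NET ran and allowed the request.
    """
    path = url_path.lower()
    if ext_of(path) not in iis_mapped:
        return "served-by-iis"
    for folder in protected_folders(config_xml):
        if path.startswith(folder) and not authenticated:
            return "login-redirect"
    return "served"


def audit_unprotected(filenames, iis_mapped):
    """Files that IIS would hand out without involving ASP.NET at all."""
    return sorted(f for f in filenames if ext_of(f) not in iis_mapped)


if __name__ == "__main__":
    before = DEFAULT_ASPNET_EXTENSIONS
    after = DEFAULT_ASPNET_EXTENSIONS | handler_extensions(WEB_CONFIG)
    files = ["/Secure/default.aspx", "/Secure/not-secure.html",
             "/Secure/report.pdf", "/Secure/memo.doc"]
    for f in files:
        print(f, "before:", request_outcome(f, before, WEB_CONFIG),
              "after:", request_outcome(f, after, WEB_CONFIG))
    print("still unprotected after the fix:", audit_unprotected(files, after))
```

Running the script shows not-secure.html moving from "served-by-iis" to "login-redirect" once .html is mapped, while memo.doc stays exposed because neither the IIS mapping nor the handler entry was added for it. Against a real server the same check is a directory listing of the protected folder compared with the extensions you actually mapped in step 1.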


Ten Things to Look for in a Web Hosting Package

July 21, 2009 08:57 by XeroOne

When you’re ready to publish your website and make your presence known to the world, one of the first things you’ll need to do is decide which web hosting package is best for you and your web needs. There are a lot of hosting firms out there. The more you know the better you will be able to make a decision that will keep you happy with your hosting provider. If you’re looking for some ideas to help guide you through the search, here are some important things to keep in mind that may help you.

1. Easy, Intuitive Interface

Managing a website can include a lot of complex programs and a lot of working parts. Luckily, some web hosting providers have created simple, intuitive navigation protocols. Look for hosts that offer a work environment similar to what you usually use, such as a Windows-style interface.

2. Versatile Emailing

When you manage a website, the primary means of communicating with your visitors and users on a one-to-one basis is through email. Email may seem basic, but good email systems are something you should make sure your potential web host has covered. For example, look for POP3 email and alias capabilities.

3. Backups and Virus Protection

Another important characteristic of an affordable web hosting package is the features included to protect your web presence. It is vital that your plan include some sort of auto backup feature as well as some sort of virus screening or protection.

4. FTP, Virtual FTP

You will want to be able to access and modify your files remotely. You will also want to have flexible control over how you upload your vital files. FTP services make managing crucial web assets easy.

5. MySQL and PHP

Among the most effective and powerful programming tools available to web developers are the PHP language and the MySQL database. Using these industry standards will help keep you compatible with a variety of web browsers and back-end applications.

6. Free Statistics Tracking

Today, most web-hosting packages should provide free or at least inexpensive web analytics. These tools can help you track who is coming to your site, when and how often.

7. SPAM Program

With the unbelievable amount of spam mail flying around the Internet today, it is imperative that any new hosting package includes a filter to protect your inbox from spam attacks. Otherwise, you could spend a lot of time sorting through unwanted messages.

8. Security Protection

Any web hosting package worth its salt should obviously be secure. Check to be sure that the provider offers SSH (secure shell) access. This can be especially useful for ecommerce solutions and subscription functions. It also makes managing secure files easy.

9. HTTPS Functions

This sort of protection should be available as a standard or inexpensive feature. It tells you and your ecommerce customers that personal information and order details remain secure during transit.

10. Webmail Access

Of course, you want your email to be accessible even when you are not at your personal computer. Having a webmail account enables you to stay in reach of important emails from any active web connection.


Create and Fill a database table for US States

June 22, 2009 13:38 by XeroOne

It seems like every web project we develop requires the use of a States DropDownList.  Rather than manually binding an <asp:dropdownlist /> with individual <asp:ListItem /> tags, we use a database table of all US States containing both the state name, and the state abbreviation. We can then run a "Select All" query on this table and bind the results to the States drop down list.

Here's the creation script for the database table:

CREATE TABLE [dbo].[US_States](
    [StateID] [int] IDENTITY(1,1) NOT NULL,
    [StateName] [varchar](100) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
    [StateAbbreviation] [varchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
 CONSTRAINT [PK_US_States] PRIMARY KEY CLUSTERED 
(
    [StateID] ASC
)WITH (PAD_INDEX  = OFF, IGNORE_DUP_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]
GO

This creates a database table named US_States with three fields: StateID (auto-incremented primary key), StateName (the full state name spelled out), and StateAbbreviation (the two-character state code).

Next we need to fill the table with all the US States. Here's the script:

insert into US_States (StateName,StateAbbreviation) values ('ALABAMA','AL');
insert into US_States (StateName,StateAbbreviation) values ('ALASKA','AK');
insert into US_States (StateName,StateAbbreviation) values ('ARIZONA','AZ');
insert into US_States (StateName,StateAbbreviation) values ('ARKANSAS','AR');
insert into US_States (StateName,StateAbbreviation) values ('CALIFORNIA','CA');
insert into US_States (StateName,StateAbbreviation) values ('COLORADO','CO');
insert into US_States (StateName,StateAbbreviation) values ('CONNECTICUT','CT');
insert into US_States (StateName,StateAbbreviation) values ('DELAWARE','DE');
insert into US_States (StateName,StateAbbreviation) values ('DISTRICT OF COLUMBIA','DC');
insert into US_States (StateName,StateAbbreviation) values ('FLORIDA','FL');
insert into US_States (StateName,StateAbbreviation) values ('GEORGIA','GA');
insert into US_States (StateName,StateAbbreviation) values ('HAWAII','HI');
insert into US_States (StateName,StateAbbreviation) values ('IDAHO','ID');
insert into US_States (StateName,StateAbbreviation) values ('ILLINOIS','IL');
insert into US_States (StateName,StateAbbreviation) values ('INDIANA','IN');
insert into US_States (StateName,StateAbbreviation) values ('IOWA','IA');
insert into US_States (StateName,StateAbbreviation) values ('KANSAS','KS');
insert into US_States (StateName,StateAbbreviation) values ('KENTUCKY','KY');
insert into US_States (StateName,StateAbbreviation) values ('LOUISIANA','LA');
insert into US_States (StateName,StateAbbreviation) values ('MAINE','ME');
insert into US_States (StateName,StateAbbreviation) values ('MARYLAND','MD');
insert into US_States (StateName,StateAbbreviation) values ('MASSACHUSETTS','MA');
insert into US_States (StateName,StateAbbreviation) values ('MICHIGAN','MI');
insert into US_States (StateName,StateAbbreviation) values ('MINNESOTA','MN');
insert into US_States (StateName,StateAbbreviation) values ('MISSISSIPPI','MS');
insert into US_States (StateName,StateAbbreviation) values ('MISSOURI','MO');
insert into US_States (StateName,StateAbbreviation) values ('MONTANA','MT');
insert into US_States (StateName,StateAbbreviation) values ('NEBRASKA','NE');
insert into US_States (StateName,StateAbbreviation) values ('NEVADA','NV');
insert into US_States (StateName,StateAbbreviation) values ('NEW HAMPSHIRE','NH');
insert into US_States (StateName,StateAbbreviation) values ('NEW JERSEY','NJ');
insert into US_States (StateName,StateAbbreviation) values ('NEW MEXICO','NM');
insert into US_States (StateName,StateAbbreviation) values ('NEW YORK','NY');
insert into US_States (StateName,StateAbbreviation) values ('NORTH CAROLINA','NC');
insert into US_States (StateName,StateAbbreviation) values ('NORTH DAKOTA','ND');
insert into US_States (StateName,StateAbbreviation) values ('OHIO','OH');
insert into US_States (StateName,StateAbbreviation) values ('OKLAHOMA','OK');
insert into US_States (StateName,StateAbbreviation) values ('OREGON','OR');
insert into US_States (StateName,StateAbbreviation) values ('PENNSYLVANIA','PA');
insert into US_States (StateName,StateAbbreviation) values ('PUERTO RICO','PR');
insert into US_States (StateName,StateAbbreviation) values ('RHODE ISLAND','RI');
insert into US_States (StateName,StateAbbreviation) values ('SOUTH CAROLINA','SC');
insert into US_States (StateName,StateAbbreviation) values ('SOUTH DAKOTA','SD');
insert into US_States (StateName,StateAbbreviation) values ('TENNESSEE','TN');
insert into US_States (StateName,StateAbbreviation) values ('TEXAS','TX');
insert into US_States (StateName,StateAbbreviation) values ('UTAH','UT');
insert into US_States (StateName,StateAbbreviation) values ('VERMONT','VT');
insert into US_States (StateName,StateAbbreviation) values ('U.S. VIRGIN ISLANDS','VI');
insert into US_States (StateName,StateAbbreviation) values ('VIRGINIA','VA');
insert into US_States (StateName,StateAbbreviation) values ('WASHINGTON','WA');
insert into US_States (StateName,StateAbbreviation) values ('WEST VIRGINIA','WV');
insert into US_States (StateName,StateAbbreviation) values ('WISCONSIN','WI');
insert into US_States (StateName,StateAbbreviation) values ('WYOMING','WY');

This data was obtained from the US Postal Service. It also contains the additional US territories that the USPS ships to. If you don't want to include those in your drop-down list, simply delete the rows from the database, or from the script prior to running it.

Once the data is stored in the database, the only thing left to do is bind it to the dropdownlist.  

Happy coding!


Customizing the ASP.NET CreateUserWizard Control

May 29, 2009 16:54 by XeroOne

This is part two in a two part series on customizing the ASP.NET CreateUserWizard control.  To read part one, click here.

So far we've gotten the control built and we're able to create a user.  That's great, but for practical uses, we need to get a little bit more information about the user.

We're going to customize the <asp:CreateUserWizard/> control, using ASP.NET Profile provider and gather the users' name and address.  Let's look at the code:

[REMAINDER OF THIS POST WILL BE PUBLISHED SOON] 

UPDATE (6/22/2009): We apologize for the delay in updating this post.

After re-evaluating the customizations we needed to perform in order to get the <asp:CreateUserWizard/> control to behave as we required, we have decided to abandon the use of this control for this project altogether.

We recognize the extreme usefulness of this control in most scenarios; however, our requirements are not currently supported by this control. In the future we may post an additional tutorial on customizing the wizard steps for this control, and we will link that tutorial with part one. For now this tutorial is closed.

Sorry for the inconvenience.


Customizing the ASP.NET CreateUserWizard Control

May 29, 2009 12:10 by XeroOne
ASP.NET CreateUserWizard

The <asp:CreateUserWizard /> control is another ASP.NET 2.0 feature that allows a web developer to quickly build a user registration form.

There are several ways to customize this control. The default settings are shown here. This article will cover how to customize both the operation and the style of this control.

First, let's look at the code used to build this, and the web.config settings:

ASPX page
<asp:CreateUserWizard id="CreateUserWizard1" runat="server">
    <wizardSteps>
        <asp:CreateUserWizardStep id="CreateUserWizardStep1" runat="server">
        </asp:CreateUserWizardStep>
        <asp:CompleteWizardStep id="CompleteWizardStep1" runat="server">
        </asp:CompleteWizardStep>
    </wizardSteps>
</asp:CreateUserWizard> 

Web.Config
<membership defaultProvider="AspNetSqlMembershipProvider">
    <providers>
    <clear />
    <!-- enablePasswordRetrieval must be "false" when passwordFormat="Hashed":
         a hashed password cannot be retrieved, and the SqlMembershipProvider
         refuses to initialize if retrieval is enabled for the Hashed format. -->
    <add name="AspNetSqlMembershipProvider"
       connectionStringName="connectionString"
       enablePasswordRetrieval="false"
       enablePasswordReset="true"
       requiresQuestionAndAnswer="true"
       applicationName="XeroOne"
       requiresUniqueEmail="true"
       passwordFormat="Hashed"
       maxInvalidPasswordAttempts="5"
       minRequiredPasswordLength="6"
       minRequiredNonalphanumericCharacters="0"
       passwordAttemptWindow="10"
       passwordStrengthRegularExpression=""
       type="System.Web.Security.SqlMembershipProvider"/>
  </providers>
</membership>

If you're not planning on allowing users to reset their own passwords, or to use an "I forgot" function, then you won't need to ask for a security question and answer. These fields are easily removed by changing the web.config settings.

Web.Config
enablePasswordRetrieval="false"
enablePasswordReset="false"
requiresQuestionAndAnswer="false"

You can also force the users to create a strong password by requiring a specific number of symbols in the password (minRequiredNonalphanumericCharacters), or optionally use a regular expression (passwordStrengthRegularExpression) to specify the user must enter at least one uppercase letter, one number, and one symbol.
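To see what the three password settings above actually enforce, here is an added Python example (not code from the original post) that applies the same three checks the SqlMembershipProvider performs when a user registers: the minimum length, the count of non-alphanumeric characters, and the optional strength regular expression. WEAK_POLICY holds the values from the web.config shown earlier; STRONG_POLICY and its regular expression are assumptions added for comparison, and the sample passwords are constructed.

```python
import re

# Settings copied from the web.config shown earlier in the post: six
# characters, no symbols required, no regular expression.
WEAK_POLICY = {
    "minRequiredPasswordLength": 6,
    "minRequiredNonalphanumericCharacters": 0,
    "passwordStrengthRegularExpression": "",
}

# Assumed stronger alternative: longer, at least one symbol, and a regular
# expression demanding an upper-case letter, a digit and a symbol.
STRONG_POLICY = {
    "minRequiredPasswordLength": 10,
    "minRequiredNonalphanumericCharacters": 1,
    "passwordStrengthRegularExpression": r"^(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).+$",
}


def password_violations(password, policy):
    """Apply the three membership password checks and return the names of
    the settings the candidate password fails (empty list means accepted)."""
    failed = []
    if len(password) < policy["minRequiredPasswordLength"]:
        failed.append("minRequiredPasswordLength")
    # The provider counts every character that is not a letter or digit.
    non_alnum = sum(1 for ch in password if not ch.isalnum())
    if non_alnum < policy["minRequiredNonalphanumericCharacters"]:
        failed.append("minRequiredNonalphanumericCharacters")
    # An empty expression disables the regex check entirely.
    pattern = policy["passwordStrengthRegularExpression"]
    if pattern and not re.search(pattern, password):
        failed.append("passwordStrengthRegularExpression")
    return failed


def is_acceptable(password, policy):
    """True when the password satisfies every configured check."""
    return not password_violations(password, policy)


if __name__ == "__main__":
    # Constructed sample passwords, from trivially weak to acceptable.
    for candidate in ["abc123", "correcthorse9!", "Correct-Horse9"]:
        print(candidate,
              "weak policy:", password_violations(candidate, WEAK_POLICY),
              "strong policy:", password_violations(candidate, STRONG_POLICY))
```

The output makes the trade-off concrete: "abc123" sails through the six-character, zero-symbol policy from the web.config above, while the stronger policy rejects it on all three counts. Whatever values you settle on, the InvalidPasswordErrorMessage shown in the next section should describe the same rules, or users will be told the wrong requirements.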

Next, let's make this control blend in a little better with our site's theme, and change some of the messages.

ASPX page
<asp:CreateUserWizard id="CreateUserWizard1" runat="server"
         invalidPasswordErrorMessage="Password must be at least 6 characters.">
     <titleTextStyle CssClass="wizardTitle" />
     <labelStyle CssClass="wizardLabel" />
     <continueButtonStyle CssClass="wizardButton" />
     <createUserButtonStyle CssClass="wizardButton" />
     <wizardSteps>
         <asp:CreateUserWizardStep id="CreateUserWizardStep1" runat="server" 
              title="Create a new user account"> 
         </asp:CreateUserWizardStep>
         <asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server">
         </asp:CompleteWizardStep>
    </wizardSteps>
</asp:CreateUserWizard> 

I'm not forcing my users to register a strong password, so telling them they have to enter 0 non-alphanumeric characters seemed pointless. Use the InvalidPasswordErrorMessage property to change the message displayed to the user when their password doesn't meet your criteria. I also changed the title that tells the user what they are doing, using the CreateUserWizardStep's Title property.

Customizing ASP.NET CreateUserWizard

I'm also using my style sheet to define how to display the title, the label that is next to each textbox, and the create user and continue buttons.  You haven't seen the continue button yet because it is the second step in the create user process.  The options are limitless with CSS, but in this example, I changed the text color, made the title bold, left aligned the label text, and added a background image to my button.

There are plenty of other options that allow you to change the text, messages, and styles of the rest of the control, but these are the ones I find myself changing most often.

Part 2 of this tutorial will go over creating additional fields and using the ASP.NET Profile provider.  

Read Part 2: Customizing the ASP.NET CreateUserWizard Control >


Creating ASP.NET Membership Tables

May 21, 2009 12:33 by XeroOne

The ASP.NET Membership provider makes it a piece of cake to add multi-user security to your web application. There are a few steps involved in setting it up that aren't exactly obvious. This article will explain how to create the database tables and stored procedures in Microsoft SQL Server.

Open up a command prompt

Navigate to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\   

(the final directory may vary depending on your installation version of the .NET framework) 

The next step can be done in one of two ways.  You will be running the  AspNet_RegSql.exe utility.

To run in wizard mode, simply run aspnet_regsql.exe and then follow the prompts to create your database.

I prefer to automate this process.  To do so, all you need to do is provide the parameters to create the tables. They are as follows:
 
  • -E = authenticate using the Windows credentials of the currently logged-in user.
  • -S localhost = run against the local installation of SQL Server.
  • -d database = the name of the database to run against (substitute your own database name).
  • -A all = the A option stands for "add", and the all parameter means install all features (Membership, Role management, Profile, Web Parts personalization, Web events).

So the final command should come out looking like:

aspnet_regsql.exe -E -S localhost -d database -A all

 

That's it.  Refresh your database and you should see all the new tables and stored procedures that were automatically created.  

To read the documentation on using the aspnet_regsql.exe utility visit: http://msdn2.microsoft.com/library/x28wfk74(en-us,vs.80).aspx

The next step is using these features.  I'll cover that in our next article.

 


XeroOne's New Development Blog

May 20, 2009 15:43 by XeroOne

Well we've finally done it. 

It's been on the books for quite a while to implement a public facing blog for posting periodic web development articles, but our customer's priorities always come first.  So like the Shoemaker's son, our own website has gone barefoot.  But not anymore.

We hope to have enough content to be able to post weekly or bi-weekly articles here. If you use an RSS reader for your news or entertainment, you can subscribe to our feed. Our articles will cover a wide range of web development topics. Starting with ASP.NET, C#, and Microsoft SQL Server as the foundation, we'll also talk about HTML & CSS, XML, AJAX, and JavaScript, including tutorials and code samples for the various JavaScript frameworks (MooTools, jQuery, Prototype, Scriptaculous, Ext.JS, etc.), our reviews of new web technologies, rants and raves about Microsoft products, and anything else we feel like writing about.

Just to give you a taste of what's in the pipeline, here's a brief list of the articles we have slated to write about over the next month:

  • Installing ASP.NET Membership functionality
  • Using ASP.NET Membership for site security
  • Triggering ASP.NET postbacks via Javascript routines
  • Quickly creating a database driven State selector (ASP.NET Drop Down List)
  • Getting started with Sub Sonic DAL Builder
  • Creating a fancy UI with MooTools
  • CSS hacks for displaying to different browsers
  • Setting up POP & SMTP in Windows Server
  • and much more...

If you subscribe to our feed you'll automatically be notified when we create a new article; otherwise, just check back often!

Thanks for reading


About the Author

XeroOne Systems
This blog is dedicated to the various topics surrounding web development, specifically using ASP.NET, C#, MS SQL, HTML & CSS, XML, and the many JavaScript frameworks currently available (MooTools, JQuery, Scriptaculous, Prototype, Ext.Js, etc..)
Periodically we will share our knowledge and experience through this blog. We may post code samples, tips and tricks, shortcuts and workarounds, our reviews of new web technologies, and (from time to time) unrelated anecdotes.
Please contact us if you have an idea or suggestion you'd like us to write about. If you like what you've read, be sure to subscribe to our blog using your favorite RSS reader.
