
Site security via user profiles in ASP.NET websites

A quick and easy way to define, store and retrieve user profile information for a site.

Configured within web.config.

Steps to set up a user profile:

  • Configure user profile provider - used to store and retrieve user profile info from a database. A default provider for SQL Server is present; can also create own custom profile providers
  • Define user profile - set up the fields to track for the user profile via web.config. These fields are used by ASP.NET to store data and return it via a strongly typed class
  • Uniquely identify users - can identify both anonymous and authenticated users. Use a unique value to return a user's profile from storage
  • Set and save user profile - provide a means for users to set their profile information
  • Recognise returning visitors - when a user returns to the site, retrieve their profile as a strongly typed class. Use this information to set customisations, pre-fill data fields, etc.

Configuring User Profile Provider

Store and retrieve user profiles in database via a provider class.

ASP.NET provides default provider - System.Web.Profile.SqlProfileProvider

By default uses configuration settings in machine.config.

These are (by default) set up to use SQL Server Express installation on local machine.

By default the personalisation database is stored in the App_Data folder for site - in the files ASPNETDB.mdf and ASPNETDB_log.ldf

Configuring New Profile Database

For development purposes can usually use default settings.

To move to SQL Server, first generate the schema on the database server - can use the Aspnet_regsql tool found in the Microsoft.NET\Framework\%version% folder.

Tool not limited to creating profile table, can also define role, membership and Web Part tables.

Launching tool without arguments forces user to walk through configuration wizard.

Define User Profile

Define profile by determining individual fields, e.g. name, date of last visit, colour settings, etc. to be tracked for each user on site.

Defined within web.config profile section:

<system.web>
  <profile>
    <properties>
      <add name="FirstName" />
      <add name="LastVisit" type="System.DateTime" />
    </properties>
  </profile>
</system.web>

Anonymous User Profiles

By default profiles enabled only for authenticated users.

Can enable for anonymous users by adding the allowAnonymous="true" attribute to the properties, e.g. <add name="LastVisit" allowAnonymous="true" type="System.DateTime" />

ASP.NET will create a unique identifier for each user when they first visit the site, stored in a browser cookie.

If cookies not enabled then identifier added to URL of page request.

Profile Property Groups

Can place properties into groups, can then access through profile class as encapsulated data, e.g. Profile.Address.Street.

<profile>
  <properties>
    <group name="Address">
      <add name="Street" />
      <add name="City" />
    </group>
  </properties>
</profile>

Custom Profile Property types

Can use own custom classes as profile properties.

Custom class must be serializable.

<system.web>
  <profile>
    <properties>
      <add name="Pos" type="MyApp.OrgPosition" serializeAs="Binary" />
    </properties>
  </profile>
</system.web>

Identify Users

If site implements user authentication then profiles automatically enabled.

If the site has only anonymous users, add the anonymousIdentification element to the system.web element of web.config and ensure its enabled attribute is set to true.
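The configuration pieces described so far (provider, profile properties, anonymous identification) combined into one web.config. This is an added example, not part of the original notes; the connection string name ProfileDb, provider name SqlProfile, server DBSERVER and database aspnetdb are placeholder assumptions, and cookieRequireSSL="true" assumes the site is served over HTTPS.

```xml
<?xml version="1.0"?>
<!-- Added example. Server, database, connection-string and provider
     names are placeholders, not values from the original notes. -->
<configuration>
  <connectionStrings>
    <!-- Database whose schema was generated with Aspnet_regsql. -->
    <add name="ProfileDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Anonymous identifier: keep it in a cookie rather than the URL,
         where it would end up in browser history, server logs and
         Referer headers, and have ASP.NET encrypt and validate it.
         Weaker form to avoid:
           cookieless="UseUri" cookieRequireSSL="false" cookieProtection="None" -->
    <anonymousIdentification enabled="true"
                             cookieless="UseCookies"
                             cookieRequireSSL="true"
                             cookieProtection="All" />
    <profile enabled="true" defaultProvider="SqlProfile">
      <providers>
        <!-- Drop the machine.config default (local SQL Server Express). -->
        <clear />
        <add name="SqlProfile"
             type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="ProfileDb"
             applicationName="/" />
      </providers>
      <properties>
        <!-- Only low-sensitivity fields are writable before login. -->
        <add name="LastVisit" type="System.DateTime" allowAnonymous="true" />
        <!-- No allowAnonymous: authenticated users only (the default). -->
        <add name="FirstName" />
        <group name="Address">
          <add name="Street" />
          <add name="City" />
        </group>
      </properties>
    </profile>
  </system.web>
</configuration>
```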

Migrating Anonymous User Profiles

If enable anonymous user profiles but allow user to create authentication credentials then ASP.NET will create new profile for user.

May want to migrate settings from their anonymous profile.

Do this by responding to MigrateAnonymous event raised when user logs into site:

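// Handler in Global.asax; raised when an anonymous user logs in.
// Requires the System.Web.Profile and System.Web.Security namespaces.
public void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
{
    // Load the profile stored under the anonymous identifier.
    ProfileCommon anonProfile = Profile.GetProfile(args.AnonymousID);
    // Copy the settings to the authenticated user's profile.
    Profile.StockSymbols = anonProfile.StockSymbols;
    // Remove the anonymous profile and clear its identifier so the
    // event is not raised again on later requests.
    ProfileManager.DeleteProfile(args.AnonymousID);
    AnonymousIdentificationModule.ClearAnonymousIdentifier();
}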

Saving User Profile

Set values of individual Profile properties then call Profile.Save().

Set profile information in response to user actions, e.g. setting their preferred colour.

May allow user to set Profile information via a web page.

Recognising Returning Visitor

Profile based on user identification.

If allow anonymous authentication then this is passed as cookie setting.

Otherwise happens at time of user authorisation.

By accessing profile property ASP.NET will perform necessary actions to identify user and lookup value from persistent profile store.
