Basics exercises revised, Part 4

by Michael Olan for CSIS 4135 at Stockton College

Managing Quotations Users

We're going to restrict access to the quotations site so that only registered users can add quotations to the database, and only administrators can edit or delete quotes.

Configuring SQL Server

Preparing the database on your development machine to manage membership and roles is simple. Launch a page on your web site and click the Login button. Either attempt to log in or complete the registration wizard, and the membership database will be created automatically. It will be placed in the App_Data folder and called ASPNETDB.

Configuring Membership and Role Providers

Open the Web.config file for your site and find the membership provider section. Take note of the properties defined there. Make changes if you want, such as allowing weaker passwords than the defaults (just to make it easier for testing). Remove the requirement for entering an email address from the create user wizard (unless you plan to support email for your site).

Have a look in the Account folder. Notice that there are several membership related pages provided in an ASP.NET web site. Open the Web.config file in the Account folder. Notice the access restrictions for the pages in the Account folder defined here.

Finish Configuration

Launch the Website Administration Tool to complete the rest of the configuration for the site. Open the Security tab. It will now be possible to manage roles, users, access rules, etc.

Create two roles, user and admin. Then create a user (for yourself) having both user and admin roles.

Configure the create user wizard so that it adds newly registered members to the user role.
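The provider settings these steps refer to live in the site's Web.config. The fragment below is an added example, not the exercise's own file: it shows a SqlMembershipProvider relaxed for local testing (short passwords, no non-alphanumeric character, no unique email) next to the role provider that the Website Administration Tool needs enabled before roles can be created. The connection string name ApplicationServices and the provider names are assumptions taken from the usual Visual Studio site template.

```xml
<!-- Web.config fragment (added example). The attribute values shown are
     the ones this example assumes, not the exercise's own settings. -->
<configuration>
  <system.web>

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <!-- Settings relaxed for LOCAL TESTING ONLY: 4-character passwords
             with no special character. The provider's own defaults are a
             7-character minimum with at least one non-alphanumeric
             character; restore values like those before publishing. -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ApplicationServices"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="4"
             minRequiredNonalphanumericCharacters="0"
             applicationName="/" />
      </providers>
    </membership>

    <!-- Roles must be enabled here, or the Security tab of the Website
         Administration Tool cannot create the user and admin roles. -->
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="ApplicationServices"
             applicationName="/" />
      </providers>
    </roleManager>

  </system.web>
</configuration>
```

Dropping the email requirement is done on the wizard control itself (RequireEmail="false" on the CreateUserWizard), and it has to go together with requiresUniqueEmail="false" on the provider: with unique emails still required, the second user registered with a blank email address is rejected as a duplicate.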

Restrict access to the add quote page

Begin by adding a LoginView control to the main quotations page. Put the Add a Quote button in the LoggedInTemplate of the control. This will have the effect of hiding the button unless the user is logged in. While it is good practice not to display components that are not applicable to the user, this does not add any additional security. To verify that, try to access the add-quote page directly by entering its URL in a browser window.

One usability problem with the current setup is that there is no way for users to know that it is necessary to log in to add a quote. Add a message to the main quotations page to inform users that login/registration will allow them to add quotes.

Create a new folder in your project to contain pages that are to be accessed by logged-in users only. Drag the add-quote.aspx file into this folder. You'll need to edit the Add a Quote button on the main page to use the right link to the moved file. Change any other links as needed.

Add a Web.config to the new folder and configure it to only allow access to authenticated users.

Configuring site administration

For this exercise, only admin users will be authorized to edit and delete quotations.

Create another new folder in your project and add a page for editing and deleting quotes. Restrict access to this folder to admin users only. Configure a FormView control on the page. Enable paging so that the user can page through the quotations and edit or delete them as appropriate. Remove the ability to add a quote, since this is already available elsewhere. Include a link on this page to go back to the main quotations page. Make it easier on the user by providing a drop-down list of categories to choose from when editing quotes.
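The two folder restrictions (authenticated users for the add-quote folder, the admin role for the edit folder) are the part of this exercise that actually enforces access, so here they are written out as an added example rather than the exercise's own files. It uses location elements in the root Web.config, which is equivalent to a Web.config inside each folder (each system.web body below is exactly what that folder's own file would contain); the folder names Members and Admin are assumptions.

```xml
<!-- Root Web.config fragment (added example). Authentication mode="Forms"
     is assumed to be configured already, as the site template does. -->
<configuration>

  <!-- Members/ : any logged-in user. Rules are evaluated top to bottom
       and the first match wins, with the machine-level <allow users="*"/>
       as the fallback, so the deny must come first. "?" is the anonymous
       user. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin/ : admin role only. Two common mistakes: listing only
       <allow roles="admin"/> leaves the inherited allow-all in effect for
       everyone else, and putting <deny users="*"/> FIRST matches admins
       too and locks everybody out. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

After saving this, repeat the check from the previous section: request a page in each folder by URL while logged out, as a plain user, and as an admin. The first two should be redirected to the login page for Admin, and only the admin request should get the editing page.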

Add an Edit Quotes link to the main page that is only visible if the user is logged in as an admin. Use the LoginView control to do this.
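The LoginView markup that covers all three requirements above (the login/registration message for anonymous visitors, the Add a Quote link for logged-in users, and the Edit Quotes link for admins) is shown here as an added example; it is not the exercise's own page. The page paths under Members, Admin and Account are assumptions.

```aspx
<%-- Main quotations page fragment (added example). --%>
<asp:LoginView ID="LoginView1" runat="server">

  <%-- Shown to visitors who are not logged in --%>
  <AnonymousTemplate>
    <p>
      <asp:LoginStatus ID="LoginStatus1" runat="server" /> or
      <asp:HyperLink ID="RegisterLink" runat="server"
          NavigateUrl="~/Account/Register.aspx">register</asp:HyperLink>
      to add your own quotations.
    </p>
  </AnonymousTemplate>

  <%-- Shown to logged-in users who match no role group below --%>
  <LoggedInTemplate>
    <asp:HyperLink ID="AddQuoteLink" runat="server"
        NavigateUrl="~/Members/add-quote.aspx">Add a Quote</asp:HyperLink>
  </LoggedInTemplate>

  <%-- A matching RoleGroup REPLACES the LoggedInTemplate rather than
       adding to it, so the admin template repeats the Add a Quote link. --%>
  <RoleGroups>
    <asp:RoleGroup Roles="admin">
      <ContentTemplate>
        <asp:HyperLink ID="AdminAddQuoteLink" runat="server"
            NavigateUrl="~/Members/add-quote.aspx">Add a Quote</asp:HyperLink>
        <asp:HyperLink ID="EditQuotesLink" runat="server"
            NavigateUrl="~/Admin/edit-quotes.aspx">Edit Quotes</asp:HyperLink>
      </ContentTemplate>
    </asp:RoleGroup>
  </RoleGroups>

</asp:LoginView>
```

The control only decides what is rendered; a user who knows the URL of edit-quotes.aspx is stopped by the Admin folder's authorization rules, not by the missing link.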

Setting up user management on the server

Once everything is running correctly on your local computer, publish the membership database to the remote server with the instructions given here.

Modify the connection string in Web.config to use your database on the server before uploading it to the server.

Secure login

After all this, the passwords are still sent to the server in the clear. In order to safely send them, they must be encrypted. This requires using SSL (Secure Sockets Layer), which is installed on the indra server. To switch over to a secure connection, put something like this in the Page_Load method of the Login page (substitute your login ID and path):

if (!Request.IsSecureConnection)
{
    // Not on HTTPS: send the browser to the same page over SSL, keeping the
    // query string (Request.Url.Query includes the leading "?", so any
    // ReturnUrl parameter survives the redirect).
    Response.Redirect("https://indra.stockton.edu/projects/myid/mypath/Login.aspx" + Request.Url.Query);
}
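Redirecting the Login page protects the password in transit, but goes only that far: once the user is logged in, the forms-authentication cookie that proves it is sent with every later request, including requests to pages served over plain http. Beyond what this exercise asks for, the following Web.config fragment (an added example, not part of the exercise) marks that cookie Secure so browsers never send it over an unencrypted connection; the loginUrl value is an assumption.

```xml
<!-- Web.config fragment (added example). -->
<system.web>
  <authentication mode="Forms">
    <!-- requireSSL="true": the forms cookie is issued with the Secure flag,
         so it is only ever sent over https. Every page that needs the user
         logged in must then itself be reached over https, otherwise the
         cookie is withheld and the user appears logged out. -->
    <forms loginUrl="~/Account/Login.aspx" requireSSL="true" timeout="30" />
  </authentication>
</system.web>
```

The practical consequence is that the IsSecureConnection check above belongs on the Members and Admin pages as well, or the whole site is simply linked with https:// URLs.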

Set up an admin account for your instructor to access the admin pages

Clean up the main page, tabs, etc. so that it's easy to access all of the necessary pages. This includes hiding pages and links when the user is not logged in or is not a member of the required roles.

Extras

Add personalization to the site. Give the user the option to provide additional information such as name, age, etc. during the registration process.

Add a page for administrators to get statistics about the site, such as the number of quotes in each category and the number of quotes by each author. On this page also report the number of quotations added by each user, or possibly include a list of quotes by each user. This will require adding a table to the database to keep track of the quotations added by each user. Include any other information that might seem useful to a site administrator.