Hi Jason, You may need to think about your architecture...
Usually you would have a table in a database for users. In this table could
be a field to say whether they are allowed to login (active, suspended,
banned etc) and another one to say what roles (or permissions) they have on
the site (you would use this information to determine whether the user can
contribute / edit content or have access to some or all of the administration
screens for instance) .
In fact the permissions would often be in a seperate table joined on by
PrimaryKey - ForeignKey relationship. This allows one user to be a member of
many roles, which means the roles can be finer tuned (e.g to allow access to
one admin panel instead of all admin panels).
I would suggest you start with...
when the user registers (asks for an account) let them choose a password at
this point. Store their details in the database but set the AllowedToLogin
field to false.
Your application then sends you an email saying somebody has requested an
account.
You then receive the email and go to a page in your application that lists
new user requests and from here you set the user to allowed to login (And
update the database) or ignore their request.
If you accept their request, the application sends them an email confirming
that they have been accepted and can log in - and they already know their
password.
Alternatively your app could autogenerate a password for them and this could
be included in the email you send them. Though it would make sense to then
allow them to login and change their password to something they can remember.
Look at FormsAuthentication in the MSDN Library to find out how ASP.Net
authenticates users (checks that they are logged in). Its very simple to set
up and can be extended if required.
Another thing worth noting: It is more secure if you do not store the raw
password in the database. If you hash it first (which you can do with the
formsauthentication object or with the cryptography objects) and store the
hash in the database. then when the user types their password you hash that
and then compare the hashes. This means if somebody gets access to the
database table they cannot work out what the raw password is... though it
could be argued that the horse is well out of view by then...
HTH jd
""jason via DotNetMonster.com"" wrote:
london
yupe i also did figure about this security matter~
so now i thought of something...`
when user fill in 2 textbox from a page then then click a button.... then
function of the button is to send me email..~ so when i receive that email,
there will display back wat they have written (how can i do this.. ? sorri
coz i am new in .net ) and then there will be a link... the link will
redirect me to another page where onli admin can get acces to it.. (will
require password - this one i know how to do it)
then onli admin will accept or reject... but how would the admin accept or
reject? it means.. wat the user key in earlier will be displayed in the email
AND then display it in the new form right? so how can we do this?can we get
the text from the email and then put it back to the text in the admin page?
ai...~ totally have no idea on how to do?:S
so will have to please teach me step by step to do it..~ so that i can learn
more...~
so this matter will be much more secure right? if the user suddenly get the
link but for sure without password he or she kenot get in to the admin page ?
then in the admin page, when admin accept the user... and save to database
(access) just a button to be click right? the process will be ... ? and then
email will be sent back to the user...~
so how can i get the user email AUTOMATICALLY from the earliest page or the
email?
huh.. quite troublesome? thanks for answering..~ but really in need your help
/. thanbks..~
london calling wrote:Hi Jason, Following up on Karl's post, it would be unusual to activate
accounts directly from an email, as this would imply that all you had to do
would be to create a POST or GET to the server to activate the new account.
In response to the Html Email part of the question: Creating one is very
simple
look at the System.Web.Mail namespace
e.g
'typically you only need to set the mail server once
Web.Mail.SmtpMail.SmtpServer = "My SMTP Server"
Dim m As New System.Web.Mail.MailMessage
With m
.To = myRecipientEmailAddress
.From = myEmailAddress
.Subject = myMessageSubject
.BodyFormat = Mail.MailFormat.Html
.Body = myHtmlEmailString
End With
Web.Mail.SmtpMail.Send(m)
If you want to send images embedded into the email it gets slightly more
complicated but can be done with MailAttachment objects and UrlContent* params
Note that the native .Net mail components do not allow for authentication
with an smtp server which in some cases may make it unworkable and you may
need to look at 3rd party components. If it's your own smtp server (e.g IIS)
you can allow anonymous users but make sure you lock down the IP addresses
that the smtp server will send/relay messages for otherwise you're inviting
every spammer to do their "work" through your equipment.
HTH jd
Typically the way it would be done is to have it send you a notification
email...you then log into the application where you accept/decline the new
[quoted text clipped - 58 lines] >
> regards... jason
--
Message posted via DotNetMonster.com
http://www.dotnetmonster.com/Uwe/For...p-net/200507/1