Need help in login authentication using asp.net

Question

Hello all, Simple way i am able to authenticate login page. How can i do that authentication in 3 tier architecture? please somebody send me the code that what should be in DAL,BAL,and GUI layers? Here is my simple code:

Web.config:

<authentication mode="form">
    <form loginurl="Login.aspx">
         <credential password Format="clear">
          <user name="abcd" password="1234">
        </credential>
      </authentication>
     </form>
   <authorization>
     <deny users="?">
   </authorization>

login.aspx.cs:

   sqlconnection con=new sqlconnection("server=localhost;database=dbname;uid=;pwd=;Trusted_Connection=true");
sqldataAdapter da=new sqldataAdapter("select * from Login where UserName='"+TextBox1.Text+"' and Password='"+TextBox2.Text+"'",con);
Dataset ds=new Dataset();
da.Fill(ds);

if(ds.Tables[0].rows.Count>0)
{
   if(FormAuthentication.Authenticate("abcd","1234")
   {
        FormAuthentication.RedirectFromLoginPage(TextBox1.Text,false);
        Response.write("Logged in");
    }
    else
    {
        Response.write("Unautherised User");
    }

   Response.Redirect("welcome.aspx");
}
else
{
  Response.write("Sorry Invalid UserName or Password");
}

Answer 1

In general you should have at least the following classes:

• In DAL you should have a Class that hands of database connections
• In BAl you should have a Class that represents every user instance. This class should have a method called login() where all the authentication and authorization takes place.
• A web form representing the user interface.

Also, to prevent SQL injections never concatenate query strings. Use parameters instead.

Here are some example classes:

namespace DAL
{
    public class ConnectionManager
    {
        public static SqlConnection GetConnection() {
            SqlConnection cn = new SqlConnection("server=localhost;database=dbname;uid=;pwd=;Trusted_Connection=true");
            cn.Open();
            return cn;
        }
    }
}

namespace BAL
{
    public class User
    {
        public string UserName { get; set; }
        public string Password { private get; set; }

        public bool Login() {
            return Login(this.UserName, this.Password);
        }

        public bool Login(string user, string password) {
            bool success=false;
            using (SqlConnection cn = ConnectionManager.GetConnection())
            {
                string sql = "select count(*) from Login where UserName=@user and Password=@password";
                using (SqlCommand command = new SqlCommand(sql, cn))
                {
                    command.Parameters["@user"].Value = user;
                    command.Parameters["@password"].Value = password;
                    success = (int)command.ExecuteScalar() > 0;
                }
                cn.Close();
            }
            return success;
        }
    }
}

Answer 2

Slightly at a loss as to why you would want to reinvent the wheel? ASP.NET Membership provider does this all for you, and if you need to heavily modify its behaviour, its open source, easy to read, understand and change. It can be integrated easily with your own n-tier architecture - we do this all the time.