SharePoint 2007 and MOSS 2007 are built on ASP.Net 2.0 which means they can leverage many of the same features of ASP.Net 2.0 including the AspNetSqlMembershipProvider for use with Forms Based Authentication. While the ability to use the SQL based authentication exists in SharePoint, the other features like user registration and password recovery are not available. So having some time on my hands I decided to create a custom web part for FBA sites to allow users to login, register, and recover their password.
One thing I noticed while developing this web part for my own use is that the functionality of the standard ASP.Net controls wasn't really sufficient. In particular I have added the following functionality:
- 1. Made UserName and Password field prompts web part properties
- 2. Added option to request user's First Name and Last Name when they are registering
- 3. Added option to request user's Company Name when registering
- 4. Added basic CAPTCHA functionality to avoid robot registrations
- 5. Added functionality to automatically add the new user to a Site group specified by the administrator
- 6. Added functionality to update the User Information List with the name and company info entered during registration.
To get started you first have to set up your site to use Forms based authentication. Rather than rehash how to do that here, I'll provide a couple of links with the steps required.
Channel 9: http://channel9.msdn.com/ShowPost.aspx?PostID=299338
SharePoint Team Blog: http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx
Once you have your site ready for Forms based authentication, you need to install the solution containing the web part and the CAPTCHA handler. You can do this using the setup.bat command file located in the bin\Debug directory for the project.
Once the features are installed, you'll need to modify the web.config for the root site to add the assembly containing the utility methods used by both the web part and the CAPTCHA handler.
<compilation batch="false" debug="false">
<add assembly="BallardSoftware.SharePoint.FBA, Version=126.96.36.199, Culture=neutral, PublicKeyToken=ac0a223a1bb0e47c" />
Next you'll need to check to make sure the CAPTCHA feature is enabled. To do this go to Site Settings->Site Features. You should see the screen below:
NOTE: In order to upload the .ASHX file to your site, you may have to go to Central Administration and temporarily remove the .ASHX extension from the list of blocked file types.
Now that the wiring is complete, you can add the Login/Registration web part to any page. I'm using a basic team site template and so to add a web part, click on Site Actions->Edit Page. Then click on Add a Web Part in any zone. This will bring up the following window. Scroll down to the Miscellaneous section and you'll find the Login/Registration part.
After you click on Add, you'll see the web part displayed in the zone you selected... or actually not. Nothing is displayed in the web part at this time because you are currently authenticated and therefore don't need to login or register.
The next step you'll want to take is to set the options for the web part. To do this click on Edit on the top right of the web part and choose "Modify Shared Web Part". This will bring up the tool pane on the right as shown below.
The first field is the group that new registrants should be added to. The list is created from the groups currently defined for this web. You'll notice at the bottom of the tool pane are three collapsed sections. These are "All", "Login", and "Registration". Each section contains options for that particular functionality.
The All section contains two text fields to allow you to set the prompt to be used for the UserName and Password fields regardless of which "mode" it is in. The default is "User Name:" and "Password:". If you prefer your users to use an email address as their user name you can change the prompt here.
The Login section contains options for whether to allow the user to register themselves or ask for password resets. If you only want to use the web part for logins, you can uncheck these boxes and the user will not be presented with the option to register or reset their password. The buttons if shown, are added by the web part and given specific CSS definitions to allow you to change their alignment, style, etc. The classes used are "fbaLogin", "fbaLogin-regButton", and "fbaLogin-resetBtn".
The registration section contains a text field to allow you to specify a prompt to display above the registration section. The default is "Sign Up For Your New Account". Also in this section are checkboxes to allow you to specify if you want the user to enter their first and last names and/or their company name. Note that if you check these options, those fields become required. Also note that "Company Name" is not a default field in the User Information List so if you want to use it you have to add it to the list manually with the name set to "Company Name".
Also shown is a checkbox that allows you to specify if you want to use the CAPTCHA feature for new registrations. You can find out more information on CAPTCHA here. This is a basic line of defense against automated registrations.
Click on "OK" and you're ready to go. Now sign out and you'll see the Login/Registration part is displayed like this:
The "Remember me next time" option will work for the user by saving a cookie that will automatically authenticate them to the site at their next visit. If the user clicks on the "Register" button, the web part changes to display as shown below:
Note that all fields are required and the password policy used is the one set in your web.config (or default if one is not set). When the user enters the data correctly and clicks on "Create User" the user is created in the SQL database, then their information is updated in the User Information List (if it exists on that site) and the user is added to the group specified on the tool pane. There are some tricks involved with making all of this happen but I'll go into that in another post or you can just look at the source code and see how it's done.
If from the login mode the user clicks on the "Reset Password" button the web part changes to display as shown.
The user can enter their username and then the security questions appear. If the user enters them correctly a new password will be emailed to them. Note that in order for the email to be sent (and an error not be displayed) you must have configured the SMTP server in the web.config. Here is an example.
<network host="v-win2k3" port="25" />
I'm sure that there are dozens of other features that can be added to this web part. In particular, the next step is to create a means of managing users after they have registered themselves. You can use the People and Groups to add and remove them from the site collection but they will still exist in the authentication database. Rather than wait for that funcationlity though, I wanted to make this available now for those of you who may find it useful.These files are no longer available for download. Please see the latest code at http://www.codeplex.com/CKS for the latest in Forms Based Authentication for SharePoint 2007.