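<!--
  Forms-authentication sample configuration.
  URL authorization rules are evaluated top-down, most local <location> first,
  and the first rule that matches the user decides; unmatched users fall
  through to the parent rules.
-->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        protection="All" asks for both validation and encryption of the ticket cookie.
        NOTE(review): requireSSL is not set, so nothing here restricts the cookie
        to HTTPS; confirm the login page and protected paths are served over TLS.
      -->
      <forms loginUrl="login.aspx" protection="All" timeout="30">
        <!--
          NOTE(review): passwordFormat="Clear" stores the passwords below as plain
          text, readable by anyone who can read this file or its backups.
          The values are sample data only. A real deployment should keep salted
          password hashes in a user store rather than credentials in web.config.
        -->
        <credentials passwordFormat="Clear">
          <user name="devhood" password="password"/>
          <user name="someguy" password="password"/>
        </credentials>
      </forms>
    </authentication>
    <!-- Site default: everyone, including anonymous visitors, is allowed. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="admin/">
    <system.web>
      <authorization>
        <allow users="devhood" />
        <deny users="someguy" />
        <!--
          Without this catch-all, any user not named above (anonymous visitors
          included) matches no rule here and inherits the site-wide
          <allow users="*" />, leaving admin/ open to them.
        -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="usersonly/">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users: any authenticated user may enter. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="public/">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>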
<%-- Login page: collects a username and password and validates them with forms authentication. --%>
<html><head>
  <title>Login</title>
  <script language="C#" runat="server">
    // Click handler for the login button.
    // sender / e: standard event arguments, not used by the handler.
    void Login_Click(Object sender, EventArgs e) {
      // FormsAuthentication.Authenticate checks the pair against the <credentials>
      // section of the application's configuration file.
      // NOTE(review): nothing visible here limits repeated failed attempts.
      if (FormsAuthentication.Authenticate(username.Text, password.Text))
        // The second argument (true) requests a persistent authentication cookie,
        // so the login outlives the browser session.
        // NOTE(review): consider false, or a user-chosen "remember me", on shared machines.
        FormsAuthentication.RedirectFromLoginPage(username.Text, true);
      else
        // Same message whether the username or the password was wrong.
        status.InnerHtml += "Invalid Login";
    }
  </script></head><body>
  <p class=title>Login</p>
  <%-- Server-side span that Login_Click appends the failure message to. --%>
  <span id="status" class="text" runat="Server"/>
  <form runat="server">
    Username: <asp:textbox id=username cssclass="text" runat="Server"/><br />
    <%-- textmode=Password masks the typed characters in the browser. --%>
    Password: <asp:textbox id=password textmode=Password cssclass="text" runat="Server"/><br />
    <asp:button id=login_button onclick="Login_Click" text=" Login " cssclass="button" runat="Server"/>
  </form></body></html>
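/// <summary>
/// Handles the login button click: hashes the submitted password, looks the
/// username/hash pair up in the Users table and, when a row matches, issues
/// the forms-authentication ticket and redirects to the requested page.
/// Otherwise appends "Invalid Login" to the status element.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
void Login_Click(Object sender, EventArgs e)
{
    // NOTE(review): this is an unsalted MD5 digest, which is too weak for password
    // storage, and the helper is marked obsolete in later .NET Framework versions.
    // It is kept because the stored values in Users must match; moving to a
    // salted, iterated hash requires re-hashing the stored passwords.
    String sHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(password.Text, "MD5");

    // Placeholders instead of string concatenation: the submitted username is
    // sent as data and can no longer change the structure of the statement.
    String sqlStmt = "Select username from Users where username=@username and password=@password";

    bool credentialsMatch;

    // NOTE(review): the connection string is hard-coded, logs in as 'sa' and targets
    // 'master'. Prefer a least-privileged login on a dedicated database, with the
    // connection string kept in protected configuration rather than in source.
    using (SqlConnection sqlConn = new SqlConnection("server=localhost;uid=sa;pwd=password;database=master;"))
    using (SqlCommand sqlCmd = new SqlCommand(sqlStmt, sqlConn))
    {
        // Assumes both columns are character types (TODO confirm against the schema).
        // Reads the same 'username' control that the redirect below uses.
        sqlCmd.Parameters.Add("@username", SqlDbType.NVarChar).Value = username.Text;
        sqlCmd.Parameters.Add("@password", SqlDbType.NVarChar).Value = sHashedPassword;

        sqlConn.Open();

        // Disposing the reader closes it, which releases the connection even when
        // the query throws; the original never closed the reader.
        using (SqlDataReader sqlReader = sqlCmd.ExecuteReader(CommandBehavior.CloseConnection))
        {
            credentialsMatch = sqlReader.Read();
        }
    }

    // Redirect only after the database resources have been released.
    if (credentialsMatch)
    {
        // true requests a persistent authentication cookie.
        FormsAuthentication.RedirectFromLoginPage(username.Text, true);
    }
    else
    {
        status.InnerHtml += "Invalid Login";
    }
}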