Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.
ASP.NET implements authentication through authentication providers, the code modules that contain the code necessary to authenticate the requestor's credentials. The topics in this section describe the authentication providers built into ASP.NET.
Windows Authentication Provider
Provides information on how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to secure ASP.NET applications.
Forms Authentication Provider
Provides information on how to create an application-specific login form and perform authentication using your own code. A convenient way to work with forms authentication is to use ASP.NET membership and ASP.NET login controls, which together provide a way to collect user credentials, authenticate them, and manage them, using little or no code.
Forms authentication enables you to authenticate the user name and password of your users using a login form that you create. Unauthenticated requests are redirected to a login page, where the user provides credentials and submits the form. If the application authenticates the request, the system issues a ticket (authentication token) that contains a key for reestablishing the identity for subsequent requests. You can maintain the authentication token in a cookie or in the page URL.
To use forms authentication, you create a login page that collects credentials from the user and that includes code to authenticate the credentials. Typically you configure the application by using the authentication configuration element(<authentication>) in the web.config file to redirect requests to the login page when users try to access a protected resource, such as a page that requires authentication.
By default, ASP.NET applications use Windows authentication. To change the authentication type to forms authentication, then, we need to modify the <authentication> element’s mode attribute to Forms. The <authentication> element will include a <forms> child element that contains forms authentication-specific settings.
The following table describe attributes:
Defines whether cookies are used and their behavior.
This attribute can be one of the following values.
UseCookies: Specifies that cookies will always be used, regardless of the device.
UseUri: Specifies that cookies will never be used.
UseDeviceProfile: Specifies that cookies are used, if the browser supports cookies; otherwise, cookies are not used. For devices that support cookies, no attempt is made to probe to determine whether cookie support is enabled.
This attribute is new in the .NET Framework version 2.0.
The default is UseDeviceProfile.
Defines the default URL that is used for redirection after authentication.
The default is "default.aspx".
Specifies an optional domain to set on outgoing forms-authentication cookies. This setting takes precedence over the domain that is used in the httpCookies element.
The default is an empty string ("").
Indicates whether authenticated users are redirected to URLs in other Web applications.
True: Specifies that authenticated users can be redirected to URLs in other Web applications.
False: Specifies that authenticated users cannot be redirected to URLs in other Web applications.
The default is False.
Specifies the URL to which the request is redirected for logon, if no valid authentication cookie is found.
The default is login.aspx.
Specifies the HTTP cookie to use for authentication. This sets the suffix for the name of the cookie that contains the authentication ticket.
If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each Web.config file for each application.
The default is ".ASPXAUTH".
Specifies the path for cookies that are issued by the application.
The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.
Specifies the type of encryption, if any, to use for cookies.
All: Specifies that the application uses both data validation and encryption to help protect the cookie. This option uses the configured data validation algorithm, which is based on the machineKey element. Triple-DES (3DES) is used for encryption, if it is available and if the key is long enough (48 bytes or more). All is the default, and recommended, value.
Encryption: Specifies that the cookie is encrypted by using 3DES or DES, but data validation is not performed on the cookie. Cookies used in this manner might be subject to chosen plain-text attacks.
Validation: Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit. The cookie is created by using cookie validation by concatenating a validation key with the cookie data, computing a message authentication code (MAC), and appending the MAC to the outgoing cookie.
The default is All.
Specifies whether an SSL connection is required to transmit the authentication cookie.
True: Specifies that an SSL connection is required to help protect the user's credentials. If True, ASP.NET sets the Secure property for the authentication cookie and a compliant browser does not return the cookie, unless the connection is using SSL.
False: Specifies that an SSL connection is not required to transmit the cookie. The default is False.
Specifies whether sliding expiration is enabled. Sliding expiration resets the active authentication time for a cookie to expire upon each request during a single session.
True: Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session.
False: Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time the cookie was originally issued.
The default is True.
Specifies whether to use Coordinated Universal Time (UTC) or local time for the ticket expiration date for forms authentication.
This attribute can HAVE one of the following values.
Framework20: Specifies that the ticket expiration date is stored using local time.
Framework40: Specifies that the ticket expiration date is stored using UTC.
The default value is Framework20.
Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision.
The default is "30" (30 minutes).
The flow of control for ASP.NET forms authentication is shown in the following table.
Browser and HTTP operation
Requests a protected resource from a server. The HTTP operation is:
If there is no authentication cookie, redirects the request to a logon page to collect credentials. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is:
Follows the redirection to the logon page. The HTTP operation is:
Returns the logon page. For security, we recommend that you use Secure Sockets Layer (SSL) for the logon page to keep the user's credentials from being sent in clear text. The server HTTP reply is:
After user enters credentials into the logon page, submits the page. The HTTP operation is:
Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL specified in the QueryString as the RETURNURL variable. By default, the authentication ticket is issued as a cookie.
You can specify that the authentication ticket be included in the URL instead of a cookie using the CookieMode property.
The server HTTP reply is:
Follows the redirection and requests the original resource again. The HTTP operation is:
If the user is authenticated, grants access and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the FormsAuthenticationModule module inspects the cookie. It is possible to create a persistent cookie that can be used for future sessions, but only until the cookie's expiration date. The server HTTP reply is:
Note that the cookie path is set to /. Because cookie names are case-sensitive, this prevents inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.
The following figure and steps shows the sequence of events that occur during forms authentication.
302 Found Location:
In ASP.NET, the validation of user credentials can be performed by the membership system. The Membership class provides the ValidateUser method for this purpose as shown here:
if (Membership.ValidateUser(userName.Text, password.Text))
//Maintain the authentication token in a cookie
if (Request.QueryString["ReturnUrl"] != null)
Response.Write("Invalid UserID and Password");
302 Found Location:
© 2023 Digcode.com