Development and Programming
C# and .NET
Understanding ASP.NET Authentication
Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.
ASP.NET implements authentication through authentication providers, the code modules that contain the code necessary to authenticate the requestor's credentials. The topics in this section describe the authentication providers built into ASP.NET.
Windows Authentication Provider
Provides information on how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to secure ASP.NET applications.
Forms Authentication Provider
Provides information on how to create an application-specific login form and perform authentication using your own code. A convenient way to work with forms authentication is to use ASP.NET membership and ASP.NET login controls, which together provide a way to collect user credentials, authenticate them, and manage them, using little or no code.
Forms authentication enables you to authenticate the user name and password of your users using a login form that you create. Unauthenticated requests are redirected to a login page, where the user provides credentials and submits the form. If the application authenticates the request, the system issues a ticket (authentication token) that contains a key for reestablishing the identity for subsequent requests. You can maintain the authentication token in a cookie or in the page URL.
To use forms authentication, you create a login page that collects credentials from the user and that includes code to authenticate the credentials. Typically you configure the application by using the authentication configuration element in the web.config file to redirect requests to the login page when users try to access a protected resource, such as a page that requires authentication.
By default, ASP.NET applications use Windows authentication. To change the authentication type to forms authentication, then, we need to modify the <authentication> element’s mode attribute to Forms. The <authentication> element will include a <forms> child element that contains forms authentication-specific settings.
The following table describe attributes:
Defines whether cookies are used and their behavior.
This attribute can be one of the following values.
This attribute is new in the .NET Framework version 2.0.
The default is UseDeviceProfile.
Defines the default URL that is used for redirection after authentication.
The default is "default.aspx".
Specifies an optional domain to set on outgoing forms-authentication cookies. This setting takes precedence over the domain that is used in the httpCookies element.
The default is an empty string ("").
Indicates whether authenticated users are redirected to URLs in other Web applications.
The default is False.
Specifies the URL to which the request is redirected for logon, if no valid authentication cookie is found.
The default is login.aspx.
Specifies the HTTP cookie to use for authentication. This sets the suffix for the name of the cookie that contains the authentication ticket.
If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each Web.config file for each application.
The default is ".ASPXAUTH".
Specifies the path for cookies that are issued by the application.
The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.
Specifies the type of encryption, if any, to use for cookies.
The default is All.
Specifies whether an SSL connection is required to transmit the authentication cookie.
Specifies whether sliding expiration is enabled. Sliding expiration resets the active authentication time for a cookie to expire upon each request during a single session.
The default is True.
Specifies whether to use Coordinated Universal Time (UTC) or local time for the ticket expiration date for forms authentication.
This attribute can HAVE one of the following values.
The default value is Framework20.
Specifies the time, in integer minutes, after which the cookie expires. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time that the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half of the specified time has elapsed. This might cause a loss of precision.
The default is "30" (30 minutes).
The flow of control for ASP.NET forms authentication is shown in the following table.
Browser and HTTP operation
Requests a protected resource from a server. The HTTP operation is:
If there is no authentication cookie, redirects the request to a logon page to collect credentials. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is:
Follows the redirection to the logon page. The HTTP operation is:
Returns the logon page. For security, we recommend that you use Secure Sockets Layer (SSL) for the logon page to keep the user's credentials from being sent in clear text. The server HTTP reply is:
After user enters credentials into the logon page, submits the page. The HTTP operation is:
Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL specified in the QueryString as the RETURNURL variable. By default, the authentication ticket is issued as a cookie.
You can specify that the authentication ticket be included in the URL instead of a cookie using the CookieMode property.
The server HTTP reply is:
Follows the redirection and requests the original resource again. The HTTP operation is:
If the user is authenticated, grants access and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the FormsAuthenticationModule module inspects the cookie. It is possible to create a persistent cookie that can be used for future sessions, but only until the cookie's expiration date. The server HTTP reply is:
Note that the cookie path is set to /. Because cookie names are case-sensitive, this prevents inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.
The following figure and steps shows the sequence of events that occur during forms authentication.
302 Found Location:
In ASP.NET, the validation of user credentials can be performed by the membership system. The Membership class provides the ValidateUser method for this purpose as shown here:
if (Membership.ValidateUser(userName.Text, password.Text))
if (Request.QueryString["ReturnUrl"] != null)
Response.Write("Invalid UserID and Password");
302 Found Location:
© 2019 Digcode.com. All rights reserved.