Published: Wednesday, October 31, 2001

Using Forms Authentication in ASP.NET, Part 2

By Darren Neimke

  • Read Part 1

    In Part 1 we discussed what forms authentication is and how various authentication providers can be specified to be used in ASP.NET by a simple Web.config setting. In this part we'll delve into the specifics of using and configuring the forms authentication provider.

    Configuring Forms Authentication
    When Forms Authentication is chosen, additional authentication attributes may be configured in the Web.config file. First, you need to provide a loginUrl: the location of your login form, to which any unauthenticated request for a protected resource will be automatically redirected. You can also optionally specify the name of the authentication cookie (if no name is specified the default is .ASPXAUTH). (There are other options available as well - for more information check out the Forms Authentication Technical Documentation!)

    <!-- web.config file -->
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" loginUrl="MyLoginForm.aspx" />
        </authentication>
      </system.web>
    </configuration>

    As you can see in the above example, we have specified that our application will use Forms Authentication, and then on the following line we have set some of the actual properties of the Forms provider. The most important property, loginUrl, is the URL to which ASP.NET will forward any unauthenticated request for a protected resource.

    Note: ASP.NET uses URL 'munging' (rewriting) to allow session state to be maintained without the use of cookies, but it does not provide support for cookieless Forms Authentication. The developer of the Web application has to write code to do it.

    The Authentication Process
    Once the Forms Authentication provider is configured, all unauthenticated requests for protected resources will be redirected to the loginUrl using client-side redirection. The application decides whether a request is authenticated by checking for the authentication cookie attached to the Request. If no cookie is present the redirect takes place and a ReturnUrl is appended to the querystring. For example, if we set up our loginUrl as /MyLoginForm.aspx and then attempted to access a protected resource at /SomeProtectedResource.aspx, the Forms Authentication setup would automatically redirect us to the following URL:

    /MyLoginForm.aspx?ReturnUrl=%2fSomeProtectedResource.aspx

    Protecting a Resource
    As I mentioned previously, an ASP.NET Application can have multiple Web.config files. Using these multiple Web.config files is a good way to configure Security Permissions on an entire directory. Assuming that you want to restrict access to unauthenticated users for all files under a particular directory, you'd simply need to create a Web.config in that directory and specify it to deny unauthenticated Users by configuring the Authorization section in the following manner.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

    Now, as soon as a user requests a page in that directory, ASP.NET will check the Request for the Authentication Cookie and if it does not exist the user will be taken to the loginUrl to be authenticated. (Recall that the only way the user will have an authentication cookie is if they have already successfully logged in.)

    Once validation and authentication have taken place, the user can simply be returned to the resource that was initially requested by calling the RedirectFromLoginPage() static method of the FormsAuthentication provider, which redirects based on the contents of the ReturnUrl key in the query string, or redirects to Default.aspx if the return key does not exist. Furthermore, a cookie is written to the client's computer to indicate that they have logged in. Hence, in your specified loginUrl page you will need to provide a form for the user to enter their username/password (or whatever credentials you want them to supply), and then validate their information against a database (or text file, or however you store user authentication information). If the user is a valid user, you need to simply call the RedirectFromLoginPage() method. Making that single method call will automatically redirect them to the page they were attempting to access and set the authentication cookie... it's really as simple as that, no extra code required!
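    The ReturnUrl that RedirectFromLoginPage follows arrives in the query string, so its value is chosen by whoever built the link, not by the application; a ReturnUrl pointing at a foreign host would send a freshly logged-in user off-site unless the value is checked first. As an added example (not code from the article), here are the two steps RedirectFromLoginPage performs, done explicitly with a check in between; SafeReturnUrl and CompleteLogin are names chosen here, the fallback Default.aspx is the one the article describes, and the caller is assumed to have already validated the user.

```vb
<script language="vb" runat="server">
' Added example, not code from the article. SafeReturnUrl and CompleteLogin are
' names chosen here; "Default.aspx" is the fallback the article describes.
Function SafeReturnUrl(ByVal candidate As String) As String
    Const fallback As String = "Default.aspx"
    If candidate Is Nothing OrElse candidate.Length = 0 Then
        Return fallback
    End If
    ' Accept only a site-relative path. A leading "//" is a protocol-relative URL
    ' that leaves the site, a ":" anywhere would carry a scheme (http:, javascript:),
    ' and browsers treat "\" like "/", so "/\host" is rejected along with it.
    ' Deliberately strict: a legitimate ReturnUrl whose own query string contains
    ' ":" also falls back to Default.aspx rather than being guessed at.
    If Not candidate.StartsWith("/") OrElse candidate.StartsWith("//") Then
        Return fallback
    End If
    If candidate.IndexOf(":"c) >= 0 OrElse candidate.IndexOf("\"c) >= 0 Then
        Return fallback
    End If
    Return candidate
End Function

' The two steps RedirectFromLoginPage performs, done explicitly so the
' destination can be checked between them. userName is assumed to have been
' validated already (for instance by the article's MyCustomMethod).
Sub CompleteLogin(ByVal userName As String)
    FormsAuthentication.SetAuthCookie(userName, False)   ' writes the .ASPXAUTH cookie
    ' Request.QueryString has already decoded %2f back to "/"
    Response.Redirect(SafeReturnUrl(Request.QueryString("ReturnUrl")))
End Sub
</script>
```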

    In the next section we'll examine a number of ways to authenticate a user, and look at an example login page.

    Methods of Authenticating
    As aforementioned, there are a number of ways you could authenticate a user. You could store their user credentials in a database, in an XML file, or have their information hard coded in the login page. We'll examine how to use a database as well as how to have user credentials hard coded in the Web.config file.

    Authenticating Using a Database
    One benefit of FormsAuthentication is that it allows you to authenticate a user against a custom database of user credentials. For example, you may create a database table that has a Username and Password column, representing the credentials for those who wish to use your site. Imagine that you had a stored procedure that you could pass a Username and Password to and it would return a 1 if the user was found (and the password was correct) and a 0 otherwise. In such a scenario, you could write the following login page (whose URL you'd want to specify as the loginUrl property in your Web.config file).

    <%@ Import Namespace="System.Data" %>
    <%@ Import Namespace="System.Data.SqlClient" %>
    <script language="vb" runat="server">
    Sub Submit_OnClick(ByVal sender As Object, ByVal e As EventArgs)
      If MyCustomMethod(txtUserName.Text, txtPassword.Text) Then
          ' Valid credentials: set the auth cookie and return to the requested page
          FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False)
      Else
          ' Invalid credentials supplied, display message
          lblMessage.Text = "Invalid login credentials"
      End If
    End Sub
    Function MyCustomMethod(ByVal strUsername As String, _
                            ByVal strPassword As String) As Boolean
        ' Open DB; the connection string key and the stored procedure name are
        ' placeholders, since the article leaves both unspecified
        Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))
        Dim cmd As New SqlCommand("usp_ValidateUser", conn)
        cmd.CommandType = CommandType.StoredProcedure
        ' Credentials go in as parameters, never concatenated into SQL text
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = strUsername
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = strPassword
        Try
            conn.Open()
            ' Run sproc that returns 1 if the user was found (password correct), else 0
            Return CInt(cmd.ExecuteScalar()) = 1
        Finally
            conn.Close()
        End Try
    End Function
    </script>
    <form runat="server">
      Username: <asp:textbox id="txtUserName" runat="server" /><br />
      Password: <asp:textbox id="txtPassword" runat="server" TextMode="Password" /><br />
      <asp:label id="lblMessage" runat="server" ForeColor="Red" /><br />
      <p><asp:button id="btnSubmit" OnClick="Submit_OnClick"
                          Text="Login" runat="server" /></p>
    </form>

    Note that in the above example we pass in two parameters to the RedirectFromLoginPage() method. The first parameter uniquely identifies the user so that, on other pages, we can easily determine who this visitor is; the second parameter is a boolean value that indicates if we want to persist the user's authentication cookie across multiple site visits. We'll explore both of these properties further on in the article!

    In Part 3 we'll examine how to store the user credentials in the Web.config file. We'll also wrap up the article by answering some common questions that arise when using forms authentication in ASP.NET.

  • Read Part 3!
