Published: Wednesday, October 31, 2001

Using Forms Authentication in ASP.NET
By Darren Neimke


For More Information...
For more information on forms-based authentication in ASP.NET, be sure to read this article's follow-up articles. Also check out the User Authentication section here on 4Guys.

Introduction
Many Web sites today behave more like distributed applications than mere content providers. We're all likely familiar with some sort of Web site that has user accounts, be it an eCommerce application like Amazon.com, or a game site where you can log on and play against other Netizens. The process of determining who, exactly, a Web visitor is, is known as authentication. In both classic ASP and ASP.NET there are a number of ways you can authenticate a user; the simplest is to validate an entered username and password against the credentials you have stored in a database (oftentimes referred to as form validation, since the user enters their username/password via a form). (There are other techniques as well, such as NT Challenge/Response, but we won't be examining those in this article.)


While implementing a simple authentication scheme in classic ASP was not overly difficult (read Simple Authentication for more information), it was also not overly easy. With ASP.NET, however, forms authentication is a breeze.

In this article I'd like to present an introduction to the .NET FormsAuthentication provider and how you can use it to secure your ASP.NET applications. Through the course of the article we will look at the following areas:

  • Basic Security Overview.
  • What are Authentication Providers?
  • Configuring your Application to use a Provider.
  • Create a Login Form that works with Authentication Code.
  • Peek under the covers at the Authentication Cookie.
Let's get started!

Security Overview

Most Web sites need to selectively restrict access to certain areas within the site. Obviously certain areas/pages will allow the public to come in and browse; however, areas that contain more sensitive information, such as Ordering Information, Staff Names, etc., need to allow access only to authenticated users. (Additionally, you may have personalized areas, akin to sites like My Yahoo!, where you need the visitor to be authenticated so that you can generate the customized content specifically for them.)

One of the new features of ASP.NET is Forms Authentication. It works much like custom database authentication in classic ASP, where the user enters his or her login credentials via an HTML form. However, with this neat feature, many of the mundane tasks and code that you were required to write in classic ASP are handled for you automagically.

Forms Authentication in ASP.NET is handled by a special FormsAuthentication class. This class contains a number of static (or Shared) methods that allow you to identify users via a login form. You can easily configure your ASP.NET application to use Forms Authentication by simply specifying a location (URL) for your login form - ASP.NET does most of the work from there! When an unauthenticated user visits a restricted page on your Web site they will be automatically directed to the specified login form. Once they successfully log on, you can optionally issue an authentication cookie to prevent authenticated users from having to log in time and time again.

There are two very important features of a Security System that we should formally define, one of which I've already mentioned a number of times in the article:

    Authentication - Authentication is the means by which you obtain the Identity of the User by validating their credentials against a known Authority, i.e. Active Directory, a Database Store, a Microsoft Passport Account, etc. If the credentials can't be validated then the Authentication process fails and the User will assume the Identity of IUSR_Anonymous. Remember that the Web is anonymous by nature, so the only way to determine who a particular visitor is is to authenticate them by having them provide user credentials (a username/password, usually).

    Authorization - Authorization occurs after Authentication and involves using information obtained during the Authentication process to determine whether to grant or deny access to a given resource based on that User's role in the Application. That is, if you are trying to access a Web page that only a particular user can access, the first step performed is to authenticate you - who is this guy making the request? - and then, based on that authentication, you must be authorized to view the particular data you are requesting.

Authentication Providers
In the world of .NET, Authentication is implemented via Providers. Providers are basically Classes that contain Static Methods to assist in authenticating requests from Clients. Static (or Shared) methods are Public members that can be accessed without first instantiating the Class. For example, when using a nonstatic method you must first create an instance of the class:

' Calling a non-static (instance) method: an object must exist first
Dim myObject As New CustomObject
myObject.SomeMethod()

Whereas with static methods you do not need to create such an instance to use the method:

' Calling the static (Shared) method SomeMethod of the CustomObject class;
' no instance of CustomObject is created
CustomObject.SomeMethod()

An ASP.NET Application can be configured to use one of four different Authentication Providers to help manage and maintain the State during the Authentication process. They are:

  • Forms Authentication (Cookie) - the provider we're going to discuss in this article!
  • Windows Authentication
  • Passport Authentication
  • None

Choosing a Provider
With Forms Authentication you create a login form with the logic to validate a user, and .NET will create a Cookie on successful validation which the Application will check for on each Client request. When you use Windows Authentication you do not need to create a login form, as the Authentication process is handled by IIS, meaning that little or no code needs to be written by the Developer. When using the Passport Authentication provider you need to have the Passport SDK installed and also be a registered member to use the service. With Passport Authentication, unauthenticated requests are redirected to the Passport site to have their credentials validated and are then returned with a valid Cookie attached.

To implement one of these Authentication Providers you simply make the following entry in the Authentication settings of the Web.config located in the Root directory of your application.

<!-- web.config file -->
<configuration>
    <system.web>
        <authentication mode="[Windows|Forms|Passport|None]">
        </authentication>
    </system.web>
</configuration>

Note: As you will see shortly, an ASP.NET Application can have multiple Web.config files located in different directories. In this way you can enforce different settings for different directories. However, the Authentication Tag can only be configured at the Application root level; otherwise an error will be thrown by the Application.
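To show the login form side of the flow described above (validate the credentials, let .NET issue the cookie, send the visitor on), here is an added example that is not from the article or the 4Guys site: a VB.NET code-behind for a Login.aspx page. It assumes Web.config has `<authentication mode="Forms">` with a `<forms loginUrl="Login.aspx" />` child and `<authorization><deny users="?" /></authorization>`, so that anonymous visitors are redirected to Login.aspx; the control names, the sample user and the SafeReturnUrl helper are assumptions made for this example.

```vbnet
Imports System
Imports System.Collections
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Code-behind for a Login.aspx page assumed to contain two TextBox controls
' (txtUserName, txtPassword), a Button (btnLogin) and a Label (lblMessage).
Public Class LoginPage
    Inherits Page

    Protected WithEvents txtUserName As TextBox
    Protected WithEvents txtPassword As TextBox
    Protected WithEvents btnLogin As Button
    Protected WithEvents lblMessage As Label

    ' Stand-in for the database you would normally query. Constructed sample
    ' data: user names mapped to SHA1 password hashes, never plain-text passwords.
    Private Shared ReadOnly Users As Hashtable = BuildSampleUsers()

    Private Shared Function BuildSampleUsers() As Hashtable
        Dim t As New Hashtable
        t("alice") = FormsAuthentication.HashPasswordForStoringInConfigFile("s3cret!", "SHA1")
        Return t
    End Function

    Private Function ValidateCredentials(ByVal userName As String, ByVal password As String) As Boolean
        If Not Users.ContainsKey(userName) Then Return False
        Dim hash As String = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1")
        Return String.Compare(CStr(Users(userName)), hash, False) = 0
    End Function

    ' Only honour a ReturnUrl that is a path within this site, so the login
    ' page cannot be used to bounce a visitor to an external address.
    Private Function SafeReturnUrl() As String
        Dim url As String = Request.QueryString("ReturnUrl")
        If url Is Nothing OrElse Not url.StartsWith("/") OrElse url.StartsWith("//") Then
            Return "/Default.aspx"
        End If
        Return url
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        If ValidateCredentials(txtUserName.Text, txtPassword.Text) Then
            ' Issue the forms authentication cookie (False = session cookie only,
            ' nothing persisted to disk) and continue to the page originally requested.
            FormsAuthentication.SetAuthCookie(txtUserName.Text, False)
            Response.Redirect(SafeReturnUrl())
        Else
            lblMessage.Text = "Invalid username or password." ' same text for either failure
        End If
    End Sub
End Class
```

FormsAuthentication.RedirectFromLoginPage does the SetAuthCookie-plus-redirect step in one call; the example splits it so the ReturnUrl check is visible.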

In Part 2 we'll examine how to configure the forms authentication in the Web.config file.

  • Read Part 2!
