Published: Wednesday, October 31, 2001

Using Forms Authentication in ASP.NET

By Darren Neimke


For More Information...
For more information on forms-based authentication in ASP.NET, be sure to read this article's follow-up articles. Also check out the User Authentication section here on 4Guys.

Introduction
Many Web sites today behave more like distributed applications than mere content providers. We're all likely familiar with some sort of Web site that has user accounts, be it an eCommerce application like Amazon.com, or a game site where you can log on and play against other Netizens. The process of determining who, exactly, a Web visitor is, is known as authentication. In both classic ASP and ASP.NET, there are a number of ways you can authenticate a user - the simplest is to validate an entered username and password that you have stored in a database (oftentimes referred to as form validation, since the user enters their username/password via a form). (There are other techniques as well, such as NT Challenge/Response, but we won't be examining those in this article.)


While implementing a simple authentication scheme in classic ASP was not overly difficult (read Simple Authentication for more information), it was also not overly easy. With ASP.NET, however, forms authentication is a breeze.

In this article I'd like to present an introduction to the .NET FormsAuthentication provider and how you can use it to secure your ASP.NET applications. Through the course of the article we will look at the following areas:

  • Basic Security Overview.
  • What are Authentication Providers?
  • Configuring your Application to use a Provider.
  • Create a Login Form that works with Authentication Code.
  • Peek under the covers at the Authentication Cookie.
Let's get started!

Security Overview

Most Web sites need to selectively restrict access to certain areas within the site. Obviously certain areas/pages will allow the public to come in and browse; however, areas that contain more sensitive information, such as Ordering Information, Staff Names, etc., need to allow access only to authenticated users. (Additionally, you may have personalized areas, akin to sites like My Yahoo!, where you need the visitor to be authenticated so that you can generate the customized content specifically for them.)

One of the new features of ASP.NET is Forms Authentication. Like in classic ASP, where custom database authentication occurred through the user entering his or her login credentials via an HTML form, ASP.NET Forms Authentication works similarly. However, using this neat feature, many of the mundane tasks and code that you were required to write in classic ASP are handled for you automagically.

Forms Authentication in ASP.NET is handled by a special FormsAuthentication class. This class contains a number of static (or Shared) methods that allow you to identify users via a login form. You can easily configure your ASP.NET application to use Forms Authentication by simply specifying a location (URL) for your login form - ASP.NET does most of the work from there! When an unauthenticated user visits a restricted page on your Web site they will be automatically directed to the specified login form. Once they successfully log on, you can optionally issue an authentication cookie to prevent authenticated users from having to log in time and time again.

There are two very important features of a Security System that we should formally define, one of which I've already mentioned a number of times in the article:

    Authentication - Authentication is the means by which you obtain the Identity of the User by validating their credentials against a known Authority, i.e. Active Directory, Database Store, Microsoft Passport Account, etc. If the credentials can't be validated then the Authentication process fails and the User will assume the Identity of IUSR_Anonymous. Remember that the Web is anonymous by nature, so the only way to determine who a particular visitor is, is to authenticate them by having them provide user credentials (a username/password, usually).

    Authorization - Authorization occurs after Authentication and involves using information obtained during the Authentication process to determine whether to grant or deny access to a given resource based on that User's role in the Application. That is, if you are trying to access a Web page that only a particular user can access, the first step performed is to authenticate you - who is this guy making the request? - and then, based on that authentication, you must be authorized to view the particular data you are requesting.

Authentication Providers
In the world of .NET, Authentication is implemented via Providers. Providers are basically Classes that contain Static Methods to assist in authenticating requests from Clients. Static (or Shared) methods are Public members that can be accessed without first instantiating the Class. For example, when using a nonstatic method you must first create an instance of the class:

' Calling a non-static method
Dim myObject as New CustomObject
myObject.SomeMethod()

Whereas with static methods you do not need to create such an instance to use the method:

'Call the static method SomeMethod of the CustomObject class
CustomObject.SomeMethod()

An ASP.NET Application can be configured to use one of four different Authentication Providers to help manage and maintain the State during the Authentication process. They are:

  • Forms Authentication (Cookie) - the provider we're going to discuss in this article!
  • Windows Authentication
  • Passport Authentication
  • None

Choosing a Provider
With Forms Authentication you create a login form with the logic to validate a user, and .NET will create a Cookie on successful validation which the Application will check for on each Client request. When you use Windows Authentication you do not need to create a login form, as the Authentication process is handled by IIS, meaning that little or no code needs to be written by the Developer when using this method. When using the Passport Authentication provider you need to have the Passport SDK installed and also be a registered member to use the service. With Passport Authentication, unauthenticated requests are redirected to the Passport site to have their credentials validated and then returned with a valid Cookie attached.
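The login form that both the overview above and this paragraph describe (the developer supplies the logic that validates the user; ASP.NET issues the cookie and sends the visitor back where they came from) looks like the following single-file ASP.NET page written in VB.NET. This is an added example, not code from the article: the in-memory user store, the user name alice and its password are constructed for illustration, and the page assumes the application's root Web.config sets authentication mode="Forms" with this page as the login URL.

```aspx
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Collections" %>
<script runat="server">
    ' Constructed in-memory user store for the example: user name -> SHA1 hex digest
    ' of the password. A real site keeps this in its database and stores only the
    ' digests, never the clear text passwords.
    Private Shared ReadOnly Users As Hashtable = BuildUserStore()

    Private Shared Function BuildUserStore() As Hashtable
        Dim store As New Hashtable()
        ' "alice" / "Pa55word!" are constructed sample credentials
        store("alice") = FormsAuthentication.HashPasswordForStoringInConfigFile("Pa55word!", "SHA1")
        Return store
    End Function

    ' Returns True only if the user exists and the digest of the supplied password
    ' matches the stored digest. This is the "logic to validate a user" that
    ' Forms Authentication leaves to the developer.
    Private Function ValidateUser(ByVal userName As String, ByVal password As String) As Boolean
        If userName Is Nothing OrElse Not Users.ContainsKey(userName) Then
            Return False
        End If
        Dim expected As String = CStr(Users(userName))
        Dim actual As String = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1")
        Return String.Compare(expected, actual, True) = 0
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
        If ValidateUser(txtUserName.Text, txtPassword.Text) Then
            ' ASP.NET issues the forms authentication cookie for this user name and
            ' redirects the browser to the page it was sent here from (the ReturnUrl
            ' query string value), or to default.aspx if there is none.
            ' chkPersist decides whether the cookie survives closing the browser.
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkPersist.Checked)
        Else
            ' One generic message for both "unknown user" and "wrong password", so the
            ' form does not reveal which user names exist.
            lblMessage.Text = "Invalid user name or password."
        End If
    End Sub
</script>
<html>
<body>
<form runat="server">
    <p>User name: <asp:TextBox id="txtUserName" runat="server" /></p>
    <p>Password: <asp:TextBox id="txtPassword" TextMode="Password" runat="server" /></p>
    <p><asp:CheckBox id="chkPersist" Text="Remember me" runat="server" /></p>
    <p><asp:Button id="btnLogin" Text="Log In" OnClick="btnLogin_Click" runat="server" /></p>
    <asp:Label id="lblMessage" ForeColor="Red" runat="server" />
</form>
</body>
</html>
```

FormsAuthentication.SignOut() is the counterpart that removes the cookie when the user logs out. Comparing password digests rather than clear text means a leaked user store does not hand out passwords directly, and the single failure message keeps the login page from confirming which accounts exist.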

To implement one of these Authentication Providers you simply make the following entry in the Authentication settings of the Web.config located in the Root directory of your application.

<!-- web.config file -->
<configuration>
    <system.web>
        <authentication mode="[Windows/Forms/Passport/None]">
        </authentication>
    </system.web>
</configuration>

Note: As you will see shortly, an ASP.NET Application can have multiple Web.config files located in different directories. In this way you can enforce different settings for different directories. However, the Authentication Tag can only be configured at the Application root level; placing it anywhere else causes the Application to throw an error.
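The entry shown above only selects the provider. As an added example (not from the article), here is how a root Web.config and a subdirectory Web.config fit together for Forms Authentication: the root file names the login page and leaves the site public, while a protected subdirectory denies anonymous users. The Members directory name and the login.aspx path are assumptions for the illustration.

```xml
<!-- Root Web.config (added example): the only place <authentication> may appear -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl:   where unauthenticated requests to protected pages are redirected
           name:       the authentication cookie's name (.ASPXAUTH is the default)
           timeout:    minutes of inactivity before the ticket expires
           protection: "All" means the ticket is both encrypted and signed -->
      <forms loginUrl="login.aspx" name=".ASPXAUTH" timeout="30" protection="All" />
    </authentication>
    <!-- The root itself is public: "*" means all users, anonymous included -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Members/Web.config (added example): authorization only, no <authentication> element.
     Putting <authentication> here is the root-level-only error the note describes. -->
<configuration>
  <system.web>
    <authorization>
      <!-- "?" means anonymous users; they are sent to loginUrl instead -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Authorization rules are evaluated top to bottom and the first matching rule wins, with a subdirectory's rules checked before its parent's, so the deny for "?" in Members is applied before the root's allow for "*". Writing `<allow users="*" />` above a deny would silently make the deny unreachable, which is the first thing to check when a page that should require a login does not.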

In Part 2 we'll examine how to configure the forms authentication in the Web.config file.
