Using Forms Authentication in ASP.NET
By Darren Neimke
For More Information...
For more information on forms-based authentication in ASP.NET, be sure to read this article's follow-up articles in the User Authentication section here on 4Guys.
Many Web sites today behave more like distributed applications than mere content providers. We're all likely familiar with some sort of Web site that has user accounts, be it an eCommerce application like Amazon.com, or a game site where you can log on and play against other Netizens. The process of determining who, exactly, a Web visitor is, is known as authentication. In both classic ASP and ASP.NET, there are a number of ways you can authenticate a user - the simplest is to validate an entered username and password that you have stored in a database (oftentimes referred to as form validation, since the user enters their username/password via a form). (There are other techniques as well, such as NT Challenge/Response, but we won't be examining those in this article.)
While implementing a simple authentication scheme in classic ASP was not overly difficult (read Simple Authentication for more information), it was also not overly easy. With ASP.NET, however, forms authentication is a breeze.
In this article I'd like to present an introduction to the .NET FormsAuthentication provider and how you can use it to secure your ASP.NET applications. Through the course of the article we will look at the following areas:
- Basic Security Overview.
- What are Authentication Providers?
- Configuring your Application to use a Provider.
- Create a Login Form that works with Authentication Code.
- Peek under the covers at the Authentication Cookie.
Most Web sites need to selectively restrict access to certain areas within the site. Obviously certain areas/pages will allow the public to come in and browse; however, areas that contain more sensitive information such as Ordering Information, Staff Names, etc. need to allow access only to authenticated users. (Additionally, you may have personalized areas, akin to sites like My Yahoo!, where you need the visitor to be authenticated so that you can generate the customized content specifically for them.)
One of the new features of ASP.NET is Forms Authentication. Like in classic ASP, where custom database authentication occurred through the user entering his or her login credentials via an HTML form, ASP.NET Forms Authentication works similarly. However, using this neat feature, many of the mundane tasks and code that you were required to write in classic ASP are handled for you automagically.
Forms Authentication in ASP.NET is handled by a special FormsAuthentication class. This class contains a number of static (or Shared) methods that allow you to identify users via a login form. You can easily configure your ASP.NET application to use Forms Authentication by simply specifying a location (URL) for your login form - ASP.NET does most of the work from there! When an unauthenticated user visits a restricted page on your Web site they will be automatically directed to the specified login form. Once they successfully log on, you can optionally issue an authentication cookie to prevent authenticated users from having to log in time and time again.
There are two very important features of a Security System that we should formally define, one of which I've already mentioned a number of times in the article:
Authentication is the means by which you obtain the Identity of the User by validating their credentials against a known Authority, i.e. Active Directory, a Database Store, a Microsoft Passport Account, etc. If the credentials can't be validated then the Authentication process fails and the User will assume the Identity of IUSR_Anonymous. Remember that the Web is anonymous by nature, so the only way to determine who a particular visitor is is to authenticate them by having them provide user credentials (a username/password, usually).
Authorization - Authorization occurs after Authentication and involves using information obtained during the Authentication process to determine whether to grant or deny access to a given resource based on that User's role in the Application. That is, if you are trying to access a Web page that only a particular user can access, the first step performed is to authenticate you - who is this guy making the request? - and then, based on that authentication, you must be authorized to view the particular data you are requesting.
In the world of .NET, Authentication is implemented via Providers. Providers are basically Classes that contain Static Methods to assist in authenticating requests from Clients. Static (or Shared) methods are Public members that can be accessed without first instantiating the Class. For example, when using a nonstatic method you must first create an instance of the class, whereas with static methods you do not need to create such an instance to use the method.
An ASP.NET Application can be configured to use one of four different Authentication Providers to help manage and maintain the State during the Authentication process. They are:
- Forms Authentication (Cookie) - the provider we're going to discuss in this article!
- Windows Authentication
- Passport Authentication
Choosing a Provider
With Forms Authentication you create a login form with the logic to validate a user, and .NET will create a Cookie on successful validation which the Application will check for on each Client request. When you use Windows Authentication you do not need to create a login form, as the Authentication process is handled by IIS, meaning that little or no code needs to be written by the Developer when using this method. When using the Passport Authentication provider you need to have the Passport SDK installed and also be a registered member to use the service. With Passport Authentication, unauthenticated requests are redirected to the Passport site to have their credentials validated and are then returned with a valid Cookie attached.
To implement one of these Authentication Providers you simply make the following entry in the Authentication settings of the Web.config located in the Root directory of your
Note: As you will see shortly, an ASP.NET Application can have multiple Web.config files located in different directories. In this way you can enforce different settings for different directories. However, the Authentication Tag can only be configured at the Application root level; otherwise an error will be thrown by the Application.
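As an added example (not from the original article), the following root Web.config shows the Forms Authentication entry together with the authorization rule that actually makes ASP.NET redirect anonymous users to the login form; the login page name "Login.aspx" and the protected folder "Members" are assumptions.

```xml
<!-- Root Web.config (added example; Login.aspx and the Members folder are assumed) -->
<configuration>
  <system.web>
    <!-- <authentication> is only honoured in the application root Web.config;
         placing it in a subdirectory raises a configuration error. -->
    <authentication mode="Forms">
      <!-- loginUrl:   page unauthenticated requests are redirected to
           name:       name of the authentication cookie
           timeout:    minutes the ticket stays valid
           protection: "All" both encrypts and signs (MACs) the ticket, so the
                       client can neither read nor tamper with the cookie
           (ASP.NET 1.1 and later also accept requireSSL="true", which marks
            the cookie Secure so browsers only send it over HTTPS) -->
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             timeout="30"
             protection="All"
             path="/" />
    </authentication>

    <!-- Root-level rule: public pages stay browsable by everyone ("*") -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory rule for the protected area. "?" means anonymous
       (unauthenticated) users; denying them is what triggers the redirect
       to loginUrl for anything under /Members. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same `<authorization>` block could instead be placed in its own Members/Web.config file, while `<authentication>` must stay in the root file.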
In Part 2 we'll examine how to configure the forms authentication