ASP.NET Forms Authentication

Source: Internet
Author: User
Tags: cookie names, strong password

This article is collected from MSDN.

One: Forms authentication process

In the Forms authentication scenario, the application collects credentials such as a name and password directly from the user and verifies them itself. The application does not use IIS authentication, but IIS authentication settings can still affect Forms authentication. As a rule, when you use Forms authentication, enable anonymous access in IIS. Otherwise, a user who is not authenticated by IIS cannot even reach the application to supply the user name and password that Forms authentication needs.

The data flow in this scenario is shown in the figure (Forms Authentication).

This diagram illustrates the following sequence of events:

    1. The user generates a request for a protected resource.

    2. IIS receives the request. Because IIS anonymous access is enabled, IIS does not perform any user authentication and passes the request to ASP.NET.

    3. Because the ASP.NET authentication mode is set to Forms, the ASP.NET application checks the request for a Forms authentication ticket (a specific cookie). If no authentication ticket accompanies the request, ASP.NET redirects the request to the login page specified in the application's configuration file.

    4. Once issued, the authentication ticket is included in subsequent requests to ASP.NET. ASP.NET uses a message authentication code (MAC) to check the validity of the authentication ticket.

    5. If the user is authorized, the user is allowed access to the protected resource; alternatively, the application may require additional credential checks before authorizing access to the protected resource, depending on the design of the application.

Two: Forms authentication control flow

The control flow for ASP.NET Forms authentication is shown in the following table. Each row pairs the browser's HTTP operation with the server's reply.

Browser and HTTP operation:
    Requests a protected resource from the server. The HTTP operation is:

    GET /default.aspx

Server reply:
    If no authentication cookie exists, the request is redirected to the login page to collect credentials. Information about the start page is placed in the query string using RETURNURL as the key. The server HTTP reply is:

    302 Found
    Location: http://samples.microsoft.com/logon.aspx?ReturnUrl=/default.aspx

Browser and HTTP operation:
    Redirects to the login page. The HTTP operation is:

    GET /logon.aspx?ReturnUrl=/default.aspx

Server reply:
    Returns the login page. For security reasons, we recommend that you use Secure Sockets Layer (SSL) for the logon page to prevent user credentials from being sent in clear text. The server HTTP reply is:

    200 OK

Browser and HTTP operation:
    After the user enters credentials on the login page, submits the page. The HTTP operation is:

    POST /logon.aspx?ReturnUrl=/default.aspx

Server reply:
    Validates the user credentials and, if they are authentic, redirects the browser to the original URL specified by the RETURNURL variable in the query string. By default, the authentication ticket is issued as a cookie.

    Note: You can use the CookieMode property to specify that the authentication ticket is carried in the URL instead of in a cookie.

    The server HTTP reply is:

    302 Found
    Location: /default.aspx

Browser and HTTP operation:
    Follows the redirect and requests the original resource again. The HTTP operation is:

    GET /default.aspx

Server reply:
    If the user is authenticated, access is allowed and an authentication cookie containing the authentication ticket is granted. Subsequent requests in the same browser session are authenticated when the module examines the cookie. You can create a persistent cookie that can be used for future sessions; such a cookie is valid until its expiration date. The server HTTP reply is:

    200 OK
    Set-Cookie: aspxticket=abcdefg12345; path=/

Note that the cookie path is set to /. Because cookie names are case-sensitive, this helps prevent inconsistencies in the case of URLs in the site. For example, if the path were set to /SavingsPlan and a link used /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.
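The exchange above, modelled end to end as an added example (this is not code from the page or from MSDN): a MAC-protected ticket is issued on a successful POST to the login page and verified on every later request, so a missing, tampered or expired cookie sends the browser back to the login page with ReturnUrl set. It also goes one step beyond the page by only honouring a ReturnUrl that is a local path; the MAC key, the ticket format and the in-memory user table are constructed assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, urlsplit

# Constructed values: a server-side MAC key plus the one account from the page.
MAC_KEY = b"constructed-server-secret-key"
USERS = {"[email protected]": "37yj*99p"}
COOKIE, LOGIN_URL = "aspxticket", "/logon.aspx"


def issue_ticket(name, ttl=1800):
    """Ticket = base64(name|expiry) '.' HMAC-SHA256(payload): the MAC checked in step 4."""
    payload = f"{name}|{int(time.time()) + ttl}".encode()
    mac = hmac.new(MAC_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_ticket(ticket):
    """Return the user name if the MAC matches and the ticket is unexpired, else None."""
    try:
        b64, mac = ticket.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # payload or MAC altered: treat as unauthenticated
    name, expiry = payload.decode().split("|")
    return name if int(expiry) > time.time() else None


def handle(method, url, cookies=None, form=None):
    """One request of the exchange in section Two; returns (status, headers, body)."""
    parts, cookies, form = urlsplit(url), cookies or {}, form or {}
    if parts.path.lower() == LOGIN_URL:
        if method == "GET":
            return 200, {}, "logon form"
        # POST: honour ReturnUrl only when it is a local path, then check credentials
        return_url = parse_qs(parts.query).get("ReturnUrl", ["/"])[0]
        if not return_url.startswith("/") or return_url.startswith("//"):
            return_url = "/"
        email, password = form.get("UserEmail", ""), form.get("UserPass", "")
        if email not in USERS or not hmac.compare_digest(USERS[email].encode(), password.encode()):
            return 200, {}, "Invalid credentials. Please try again."
        cookie = f"{COOKIE}={issue_ticket(email)}; path=/; HttpOnly"
        return 302, {"Location": return_url, "Set-Cookie": cookie}, ""
    user = verify_ticket(cookies.get(COOKIE, ""))
    if user is None:  # no ticket or an invalid one: redirect to the login page
        return 302, {"Location": f"{LOGIN_URL}?ReturnUrl={parts.path}"}, ""
    return 200, {}, f"Hello, {user}"
```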

Three: Simple implementation of Forms authentication

The examples in this topic demonstrate a simple implementation of ASP.NET Forms authentication. The example is intended to illustrate the basics of how to use Forms authentication to let users log on to an ASP.NET application.

Attention

One convenient way to use Forms authentication is to use ASP.NET membership and the ASP.NET login controls. ASP.NET membership provides a way to store and manage user information, and includes methods for authenticating users. The ASP.NET login controls use ASP.NET membership and encapsulate the logic required to prompt the user for credentials, authenticate users, recover or replace passwords, and so on. In effect, ASP.NET membership and the ASP.NET login controls provide an abstraction layer on top of Forms authentication, replacing most or even all of the work that you would otherwise have to do to use Forms authentication. For more information, see Managing Users by Using Membership and the ASP.NET Login Controls Overview.

In the scenario for this example, the user requests a protected resource, which is a page named Default.aspx. Only one user can access this protected resource: [email protected], whose password is "37yj*99p". The user name and password are hard-coded into the Logon.aspx file. The example requires three files: a Web.config file, a page named Logon.aspx, and a page named Default.aspx. These files are located in the application root directory.

Configuring the application to use Forms authentication
  1. If the application has a Web.config file in its root directory, open the file.

  2. If there is no Web.config file in the root folder of your application, create a text file named Web.config and add the following elements to it:

    <?xml version="1.0"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.web>
      </system.web>
    </configuration>

  3. In the system.web element, create an authentication element and set its mode attribute to Forms, as shown in the following example:

    <system.web>
      <authentication mode="Forms">
      </authentication>
    </system.web>

  4. In the authentication element, create a forms element and set the following attributes:

    • loginUrl: set to "Logon.aspx". Logon.aspx is the URL that ASP.NET redirects the request to when it cannot find a valid authentication cookie on the request.

    • name: set to ".ASPXFORMSAUTH". This is the suffix used for the name of the cookie that contains the authentication ticket.

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
        </forms>
      </authentication>
    </system.web>

  5. In the system.web element, create an authorization element.

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
        </forms>
      </authentication>
      <authorization>
      </authorization>
    </system.web>

  6. In the authorization element, create a deny element and set its users attribute to "?". This denies unauthenticated users (represented by "?") access to resources in the application.

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
        </forms>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

  7. Save and close the Web.config file.

Create a login page

When users request any page from the Web site, they are redirected to a page named Logon.aspx if they have not previously been authenticated. You specified this file name in the Web.config file earlier.

The Logon.aspx page collects user credentials (an e-mail address and a password) and authenticates them. If the user authenticates successfully, the login page redirects the user to the page they originally requested. In this example, the valid credentials are hard-coded into the page code.

Security note

The example contains text boxes that accept user input, which is a potential security threat. By default, ASP.NET Web pages verify that user input does not include script or HTML elements. For more information, see the Script Exploits Overview.

Create a login page
    1. Create an ASP.NET page named Logon.aspx in the application root folder.

    2. Copy the following markup and code to the page:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
    // Click handler for the Log On button: compares the submitted
    // e-mail address and password with the hard-coded values.
    void Logon_Click(object sender, EventArgs e)
    {
        if ((UserEmail.Text == "[email protected]") &&
            (UserPass.Text == "37yj*99ps"))
        {
            // Issue the authentication ticket (persistent if the check box
            // is checked) and redirect to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage(UserEmail.Text, Persist.Checked);
        }
        else
        {
            Msg.Text = "Invalid credentials. Please try again.";
        }
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <h3>Logon Page</h3>
        E-mail address: <asp:TextBox ID="UserEmail" runat="server" /><br />
        Password: <asp:TextBox ID="UserPass" TextMode="Password" runat="server" /><br />
        Remember me? <asp:CheckBox ID="Persist" runat="server" /><br />
        <asp:Button ID="Submit1" OnClick="Logon_Click" Text="Log On" runat="server" />
        <p><asp:Label ID="Msg" ForeColor="red" runat="server" /></p>
    </form>
</body>
</html>

This page contains ASP.NET server controls for collecting user information and a check box; when the user selects the check box, their logon credentials are saved. The click handler for the Log On button contains code that checks the user's e-mail address and password against hard-coded values. (The password is a strong password: it contains a variety of non-alphabetic characters and is at least eight characters long.) If the user's credentials are correct, the code calls the RedirectFromLoginPage method of the FormsAuthentication class, passing the user name and a Boolean value from the check box that indicates whether to save the authentication ticket as a persistent cookie. This method redirects the user to the page that was originally requested. If the user's credentials do not match, an error message is displayed. Note that the page imports the System.Web.Security namespace, which contains the FormsAuthentication class.

Create a default page

For this example, you will create an ASP.NET page in the application root folder. Because the configuration file specifies that all unauthenticated users are denied access to the application's ASP.NET resources (including .aspx files, but not static files such as HTML files or multimedia files including images, music, and so on), when the user requests the page, Forms authentication checks the user's credentials and redirects the user to the login page when necessary. The page you create will also allow users to log off, which clears their saved authentication ticket (cookie).

Create a default page
    1. Create an ASP.NET page named Default.aspx in the application root folder.

    2. Copy the following markup and code to the page:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<script runat="server">
    // Show the identity that Forms authentication set for this request.
    void Page_Load(object sender, EventArgs e)
    {
        Welcome.Text = "Hello, " + Context.User.Identity.Name;
    }

    // Click handler for the Sign Out button: remove the authentication
    // ticket (cookie) and send the user back to the login page.
    void Signout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Response.Redirect("Logon.aspx");
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <h3>Using Forms Authentication</h3>
        <asp:Label ID="Welcome" runat="server" />
        <asp:Button ID="Submit1" OnClick="Signout_Click" Text="Sign Out" runat="server" />
    </form>
</body>
</html>

This page shows the authenticated identity of the user, which is set by the FormsAuthentication class and is exposed as the Context.User.Identity.Name property in an ASP.NET page. The click handler for the Sign Out button contains code that calls the SignOut method to clear the user identity and remove the authentication ticket (cookie). The user is then redirected to the login page.
