Asp.net authentication and authorization

1. In the following example, configure the website to use the asp.net forms authentication method in the web. config file:

Forms Authentication Settings:

Attribute	Description
Name	The name of the HTTP cookie to use fo r authentication (defaults. ASPXAUTH ). if multiple applications are running on the same web server, you should give each application's security cookie a unique name.
LoginUrl	Your custom login page, where the user is redirected if no valid authentication cookie is found. The default value is Login. aspx.
Protection	The type of encryption and validation used for the security cookie (can be All, None, Encryption, or Validation ). validation ensures the cookie isn' t changed during transit, and encryption (typically Triple-DES) is used to encode its contents. the default value is All.
Timeout	The number of idle minutes before the c ookie expires. ASP. NET will refresh the cookie every time it takes es a request. The default value is 30.
Path	The path for cookies issued by the app lication. The default value (/) is recommended, because case mismatches can prevent the c ookie from being sent with a request.

 

2. Authorization Rules (Authorization Rules)

When evaluating rules, ASP. NET scans through the listFrom top to bottomAnd then continues with the settings in any. config file inherited from a parent directory, ending with the settings in the base machine. config file. as soon as it finds an applicable rule, it stops it s search. thus, in the previous case, it will determine that the rule <allow users = "*"> applies to the current request and will not evaluate the second line. this means these rules will allow all users, including anonymous users.

Now these rules will deny anonymous users (by matching the first rule) and allow all other users (by matching the second rule ).

3. The Login Page (logon Page)

ASP. NET provides a specialFormsAuthentication class in the System. Web. Security namespace, Which provides static methods that help manage the process.

    (txtPassword.Text.ToLower() == = 

TheRedirectFromLoginPage ()Method requires two parameters. the first sets the name of the user. the second is a Boolean variable that specifies whether you want to create a persistent cookie (one that stays on the user's hard drive for a longer period of time ).

4. Retrieving the User's Identity

Once the user is logged in, you can retrieve the identity through the built-inUser property, As shown here:

 = += User.Identity.Name + 

5. Signing Out

6. Persistent Cookies (Persistent Cookies)

A persistent authentication cookie remains on the user's hard drive and keeps the user signed in for hours, days, or weeks-even if the user closes and reopens the browser.

Creating a persistent cookie requires a bit more code than creating a standard forms authentication cookie. Instead of using the RedirectFromLoginPage () method,You need to manually create the authentication ticket, Set its expiration time, encrypt it, attach it to the request, and then redirect the user to the requested page. all of these tasks are easy, but it's important to perform them all in the correct order.

The following code examines a check box named chkPersist. If it's selected, the code creates a persistent cookie that lasts for 20 days:

 (txtPassword.Text.ToLower() ==          timeout = ()TimeSpan.FromDays(        FormsAuthenticationTicket ticket =          encryptedTicket =        HttpCookie cookie =         cookie.Expires =         requestedPage =

It's worth noting thatFormsAuthentication. SignOut () methodWill always remove the forms authentication cookie, regardless of whether it is a normal cookie or a persistent cookie.