There are three types of authentication for ASP. Windows | Forms | Passport ", which is the most and most flexible for forms verification.
Windows: Using IIS Authentication Methods
forms: Using Forms-based authentication
Passport: Using Passport cookie Authentication mode
None: Do not use any authentication method
1. Forms
The Forms authentication method provides good support for user-based authentication authorization, which can authenticate the user through a login page, send the user's identity back to the client's cookie, and then the user accesses the Web app and sends it to the server along with this identity cookie. The authorization settings on the server can control the access authorization of different users according to different directories.
The problem is that in practical applications we often need to be based on roles, or authentication and authorization based on user groups. For a Web site, the general mode of authentication authorization should be: according to the actual needs of the user into different identities, that is, the role, or the user group, verification process not only to verify the identity of the user itself, but also to verify that it belongs to which role. Access authorization is set based on roles, what resources some roles can access, what resources are not accessible, and so on. If the user-based access will be a very impractical approach, the user has a lot of, but also may be at any time to increase or decrease, it is not possible in the configuration file for the increasing number of new users to add access to authorization.
Here's a look at the process of forms.
Basic principles of Forms authentication:
To use Forms authentication, you first need to make the appropriate settings in Web. config in the application root directory:
<authentication mode= "Forms" > <forms name= ". Aspxauth "slidingexpiration=" true "Loginurl="/login.aspx "timeout=" "path="/"domain=". ABC.com "> </forms> </authentication>
The <authentication> section allows you to configure the Secure authentication mode that ASP. NET uses to identify incoming users.
where <authentication mode= "Forms" > indicates that the application uses forms authentication.
The name in the <forms> tag indicates the HTTP Cookie to be used for authentication. By default, the value of name is. Aspxauth. After authenticating the user in this way, a FormsAuthenticationTicket type of authentication ticket is established with this user's information, and then the encryption is serialized to a string, Finally, this string is written to the client's name in the specified name of the cookie. Once this cookie is written to the client, the user will be sent to the server with a cookie once it is posted to the Web app, and the server will know that the user has been authenticated.
And look at what information the authentication ticket contains, let's look at the FormsAuthenticationTicket class:
Cookiepath: Returns the path where the Cookie was issued. Note that the path of the form is set to/. Because the form is case-sensitive, this is a safeguard that is taken to prevent inconsistencies in the case of URLs in the site. This uses expiration when refreshing a cookie: Gets the date/time when the cookie expires. Ispersistent: Returns True if a persistent Cookie has been issued. Otherwise, the authentication Cookie will be limited to the browser lifecycle. IssueDate: Gets the date/time when the Cookie was originally issued. Name: Gets the user name associated with the authentication Cookie. UserData: Gets the application definition string stored in the Cookie. Version: Returns the byte revision number for future use.
2. Windows
Provides information about how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to ensure the security of your ASP.
3. Passport
Passport authentication is a centralized authentication service provided by Microsoft that provides a single sign-on and core profile service for member sites. Because you no longer need to log in when you access a new protected resource or site, it is beneficial to users. You should use this provider if you want your site to be compatible with Passport authentication and authorization. This topic provides introductory materials about Microsoft. NET Passport and its ASP. For more information, see Passport documents located in Http://www.pplsunny.com/business. To access the document, you must obtain a Passport and register.
Passport is a Cookie-based authentication service. A sample transactional conversation that uses Passport authentication might resemble the following:
The customer makes an HTTP GET request to a protected resource, such as http://www.pplsunny.com/default.aspx. The
checks whether the customer's Cookie has an existing Passport authentication ticket. If a site finds valid credentials, the site authenticates the customer. If the request does not include a valid authentication ticket, the server returns status code 302 and redirects the customer to the Passport logon service. The response contains a URL in the query string that is sent to the Passport sign-in service to direct the customer back to the original site. The
customer follows the redirect, issues an HTTP GET request to the Passport logon server, and transmits the query string information from the original site.
Passport logon server provides a login form to the customer. The
customer fills out the form and uses Secure Sockets Layer (SSL) to send back to the logon server via POST. The
Logon server authenticates the user and redirects the customer back to the original URL (http://www.pplsunny.com/default.aspx). The response contains an encrypted Passport Cookie in the query string.
customers follow redirects and request the original protected resource again, this time using a Passport Cookie.
on the starting server, PassportAuthenticationModule detects the presence of a Passport Cookie and tests for authentication. If successful, the request is authenticated.