Summary: This tutorial explains how forms authentication works in ASP.NET version 2.0, how IIS and ASP.NET authentication work together, and the role and operation of the FormsAuthenticationModule class.
Overview
Forms authentication uses an authentication ticket that is created when the user logs on to the site, and then uses that ticket to track the user throughout the site. The forms authentication ticket is usually contained in a cookie. However, ASP.NET version 2.0 supports cookieless forms authentication, which results in the ticket being passed in the query string.
If a user requests a page that requires authenticated access, and the user has not previously logged on to the site, the user is redirected to a configured login page. The login page prompts the user for credentials (usually a user name and password). These credentials are then passed to the server and validated against a user store, such as a SQL Server database. In ASP.NET 2.0, access to the user store can be handled by a membership provider. After the user's credentials are authenticated, the user is redirected to the originally requested page.
Forms authentication processing is implemented by the FormsAuthenticationModule class, which is an HTTP module that participates in the regular ASP.NET page-processing cycle. This article explains how forms authentication works in ASP.NET 2.0.
IIS Authentication
ASP.NET authentication is a two-step process. First, Internet Information Services (IIS) authenticates the user and creates a Windows token to represent the user. IIS determines which authentication mode to use for a particular application by looking at the IIS metabase settings. If IIS is configured to use Anonymous authentication, it generates a token for the IUSR_MACHINE account and uses it to represent anonymous users. IIS then passes the token to ASP.NET.
Second, ASP.NET performs its own authentication. The authentication method used is specified by the mode attribute of the authentication element. The following authentication configuration specifies that ASP.NET use the FormsAuthenticationModule class:
<authentication mode="Forms"/>
Note: Because forms authentication does not depend on IIS authentication, you should configure anonymous access for your application in IIS if you want to use forms authentication in an ASP.NET application.
ASP.NET Forms Authentication
ASP.NET forms authentication occurs after IIS authentication completes. You can use the forms element to configure forms authentication.
Forms Authentication Configuration
The following configuration file fragment shows the default attribute values for forms authentication.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>
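Several of these defaults decide how the ticket travels, so they are worth checking in a deployed web.config. The following audit script is an added example, not part of the original tutorial or of ASP.NET; the function name audit_forms_auth, the 30-minute timeout policy, and the assumption that the configuration elements carry no XML namespace are illustrative choices.

```python
import xml.etree.ElementTree as ET

# Defaults as listed in the configuration fragment above; used for omitted attributes.
DEFAULTS = {
    "protection": "All", "timeout": "30", "requireSSL": "false",
    "slidingExpiration": "true", "cookieless": "UseDeviceProfile",
    "enableCrossAppRedirects": "false",
}

# Constructed sample input: the default fragment from this page in a <configuration> root.
SAMPLE_DEFAULT = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="All" timeout="30" name=".ASPXAUTH"
           path="/" requireSSL="false" slidingExpiration="true"
           defaultUrl="default.aspx" cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web></configuration>"""


def audit_forms_auth(web_config_xml, max_timeout_minutes=30):
    """Return (attribute, value, reason) findings for the <forms> element."""
    root = ET.fromstring(web_config_xml)
    auth = root.find(".//authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return []  # forms authentication is not enabled; nothing to audit
    forms = auth.find("forms")
    attrs = dict(DEFAULTS)
    if forms is not None:
        attrs.update(forms.attrib)  # explicit settings override the defaults
    findings = []
    def flag(name, reason):
        findings.append((name, attrs[name], reason))
    if attrs["requireSSL"].lower() != "true":
        flag("requireSSL", "ticket cookie is not marked Secure and can travel over plain HTTP")
    if attrs["cookieless"] != "UseCookies":
        flag("cookieless", "ticket may be placed in the URL, where it leaks via logs and Referer")
    if attrs["protection"] != "All":
        flag("protection", "ticket is not both encrypted and validated")
    if attrs["enableCrossAppRedirects"].lower() == "true":
        flag("enableCrossAppRedirects", "users can be redirected to URLs in other applications")
    if int(attrs["timeout"]) > max_timeout_minutes:
        flag("timeout", "ticket lifetime exceeds the %d-minute policy" % max_timeout_minutes)
    return findings


if __name__ == "__main__":
    for name, value, reason in audit_forms_auth(SAMPLE_DEFAULT):
        print('%s="%s": %s' % (name, value, reason))
```

Run against the default fragment, the script reports requireSSL and cookieless; setting requireSSL="true" and cookieless="UseCookies" clears both findings.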