Forms Security Authentication in ASP. NET 2.0

Source: Internet
Author: User

That is, the Membership class and FormsAuthentication are used together to create a user management and authentication system.
Of course, these two parts can be used independently. Today, we will focus on the latter. As for the former, I will write it in the next article.

ASP. NET provides a variety of authentication methods, such as the well-known Windows Authentication
In Windows Authentication mode, the current User attribute value is set to WindowsIdentity Based on the creden。 provided by IIS, but it does not modify the Windows identity provided to the operating system. The Windows identity provided to the operating system is used for permission checks (such as NTFS file permission checks) or for connecting to the database using integrated security. By default, this Windows identifier is the identifier of an ASP. NET process. On Microsoft Windows 2000 and Windows XP Professional, this identity is the identity of the ASP. NET auxiliary process, that is, the local ASPNET account. On Windows Server 2003, this ID is the ID of the IIS application pool to which ASP. NET applications belong. By default, this ID is a network service account.
By enabling the simulation function, you can configure the Windows identity of the ASP. NET application as the Windows identity provided by IIS. That is to say, instruct the ASP. NET application to simulate the identity provided by IIS for all tasks (including file and network access) verified by the Windows operating system. (From the MSDN Library)

Another common authentication is Forms authentication.
Forms authentication allows Web applications that do not require Windows authentication to perform user and password authentication. When Forms authentication is used, user information is stored in external data sources, such as the Member database or in the application configuration file. After a user passes authentication, Forms authentication maintains an authentication ticket in the Cookie or URL. In this way, authenticated users do not need to provide creden。 at each request.

In this way, it is convenient and secure. How can I complete the settings of Forms identity authentication?

First open the configuration file web. config
Find the <authentication> and <authorization> nodes under the <system. web> node to add
<System. web>
<Authentication mode = "Forms">
<Forms loginUrl = "login. aspx"/>
<Deny users = "? "/>
<Authentication> nodes are used to set authentication methods. Here we create Forms
<Forms> you can set the authentication page (logon page), default page, whether to use cookies, and authentication timeout for attributes in a node.
Here we only specify the authentication page loginUrl = "login. aspx"
<Authorization> A node is an authentication node.
<Deny> deny the specified node attribute users = "? "That is, all unauthenticated users must go to the authentication page for authentication.
Which corresponds to the <allow> allowed Node

In this way, the idea is clear. No matter what Page Server the user accesses, it will determine whether the user has passed the authentication. if the user has not been transferred to the authentication page.

The next step is to determine how to complete the authentication in the login. aspx. cs file.
Public void Login_OnClick (object sender, EventArgs args)
If (BLL. CheckLogin (this. Txbusername. Text, this. Txbuserpwd. Text ))
FormsAuthentication. RedirectFromLoginPage (UsernameTextbox. Text, NotPublicCheckBox. Checked );
Msg. Text = "Login failed. Please check your user name and password and try again .";
Here, the CheckLogin (user name, password) method is used in the logic layer to verify whether the user is valid.
Of course, some verification methods inherited by the Membership class are simpler, but are not described in detail here.

FormsAuthentication class (I finally mentioned the main character). The namespace it belongs to is System. Web. Security;
FormsAuthentication is used to set the authentication class. If the user is valid, the user name is saved in the cookie. After that, the user does not need to authenticate again to access or access other pages.
Common internal methods include:
RedirectFromLoginPage (User Name (string), whether to keep the user name in coolie for a long time (bool ))
Redirects authenticated users back to the original requested URL or default URL

SetAuthCookie (User Name (string), whether to keep the user name in coolie for a long time (bool ))
Create an authentication ticket for the provided user name and add it to the Cookie set or URL of the response
And so on.

I hope you can explore the specific usage or in-depth exploration.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.