Web Authentication Mode: Forms Authentication

Source: Internet
Author: User

Forms authentication is not an HTTP standard but an authentication method provided by the Microsoft ASP.NET web framework. The approximate process is as follows:

In this process, the ASP.NET Framework provides the following support classes: FormsAuthentication and FormsAuthenticationModule.

In the third step of the flowchart above, we verify the user name and password.

- Create a FormsAuthenticationTicket object and store the user data in it.

- Then call the Encrypt utility method of the FormsAuthentication class to get the encrypted ticket string.

- Write the ticket string to a cookie named FormsAuthentication.FormsCookieName.

- In subsequent requests, the browser sends the cookie.

In the fourth step of the flowchart above, FormsAuthenticationModule intercepts the request in the IIS authenticate event:

- Verify (decrypt) the value of the cookie named FormsAuthentication.FormsCookieName that is carried in the request.

- If validation passes, create a GenericPrincipal object from the user information carried in the cookie, save it in the HttpContext of the current request, and mark the request as authenticated.

- If validation does not pass, or no corresponding cookie is found, return 401 to the browser.

See the FormsAuthenticationModule source code.
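The ticket life cycle from steps 3 and 4, as an added C# example (not code from the original page or the linked repository). The `TicketCookie` class, its `Issue` and `Read` methods, and the comma-separated role list stored in `UserData` are assumptions for illustration; the file needs a reference to System.Web in a .NET Framework web application.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not part of ASP.NET or the linked repository.
public static class TicketCookie
{
    // Step 3: call only after the user name and password have been verified.
    public static void Issue(HttpResponseBase response, string userName, string roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                              // ticket version
            userName,
            DateTime.Now,                                   // issue time
            DateTime.Now.Add(FormsAuthentication.Timeout),  // expiry from <forms timeout="...">
            false,                                          // not persistent: session cookie
            roles ?? string.Empty,                          // userData, e.g. "admin,editor" (assumed format)
            FormsAuthentication.FormsCookiePath);

        // Encrypt protects the ticket using the application's machineKey settings.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep the ticket away from page script
            Secure = FormsAuthentication.RequireSSL,  // true when <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Step 4: the per-request check described for FormsAuthenticationModule.
    // Returns null when the cookie is missing, fails decryption, or has expired.
    public static IPrincipal Read(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }            // tampered or undecryptable value
        if (ticket == null || ticket.Expired) return null;

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```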

To enable Forms authentication in an ASP.NET application, simply add the following configuration to the <system.web> configuration section:

<authentication mode="Forms">
  <!-- defines the login URL and the name of the cookie -->
  <forms loginUrl="Login" name="JW.Auth" />
</authentication>

One link in the flowchart above, in steps 1 and 4, has not yet been described: verifying that the user has permission to access the page. ASP.NET can deny users who are not logged in when the following configuration is added to the <system.web> configuration section:

<authorization>
  <!-- Denies all users who are not logged in. <allow> nodes can also be added here
       to allow specific users or roles to use specific HTTP methods, but without
       URL mapping this feels of limited use. In a real project you can implement
       your own validation logic. -->
  <deny users="?" />
</authorization>

The ASP.NET Framework performs this authorization, based on the configuration, in the authorize request stage of IIS through the UrlAuthorizationModule HTTP module shown in the class diagram above. An unauthorized request returns a 401 error.

See the UrlAuthorizationModule source code.

Summary:

Forms authentication is a built-in authentication method in the ASP.NET Framework. It uses a cookie to carry the authentication ticket, and by default the cookie is valid for the session.

For test code, see https://github.com/lbwxly/Authentication
