Forms-based Authentication in ASP.Net application
Hi,
Forms Authentication allows developers to store the authentication information, such as username and password, in the Web.config file. The user's request goes to IIS first, and the user is authenticated by IIS. If anonymous access is enabled in IIS or the user is successfully authenticated, IIS hands the request off to the ASP.NET application. ASP.NET checks whether a valid authentication cookie is attached to the request. If it is, the user's credentials have been previously authenticated. ASP.NET then performs the authorization check. If the user is authorized to access those resources, access is granted. Otherwise, the "access denied" message is sent.
If the request does not have any cookie attached, ASP.NET redirects the user to the login page and solicits the credentials, which are then resubmitted for authentication. The application code checks those credentials. If they are authenticated, ASP.NET attaches the authentication ticket, in the form of a cookie, to the response. If authentication fails, the user is redirected back to the login page with a message that the username/password is invalid.
Setting up the Forms-based authentication involves 4 steps:
1. Enable anonymous access in IIS
This has to be done because most of the users are considered to be non-Windows users, so they must be able to get through IIS to reach ASP.NET. ASP.NET always allows anonymous access to the login page, though.
2. Configure <authentication> section in Web.config file
The Web.config file contains the information related to the level and type of authentication service that is provided for a web application. Forms-based authentication is enabled for a web application by setting the authentication mode attribute to Forms, as shown below.
<authentication mode="Forms">
    <forms name=".MyCookie"
           loginUrl="/login.aspx"
           protection="All"
           timeout="80"
           path="/" />
</authentication>
As shown in the code above, the name attribute is the name of the HTTP cookie. The loginUrl attribute is set to login.aspx, which is the web page that is used for authenticating user credentials. If the user is not authenticated, requests are redirected to the URL given in loginUrl.
The cookie protection is set to All. This causes the ASP.NET runtime not only to encrypt the cookie contents but also to validate them. The timeout is set to 80, which means the authentication cookie expires after 80 minutes. The idea behind this is to reduce the chance of someone stealing the forms authentication cookie: with a shorter timeout, the cookie is regenerated more often. The path attribute refers to the path of the cookie sent to the client. It is set to "/", which means the cookie path is the root directory. In the standard method of Forms Authentication, all user information is stored in Web.config, as shown below.
<authentication mode="Forms">
    <forms name=".MyCookie"
           loginUrl="/login.aspx"
           protection="All"
           timeout="80"
           path="/">
        <credentials passwordFormat="Clear">
            <user name="Sam" password="Test" />
            <user name="Ram" password="Test" />
        </credentials>
    </forms>
</authentication>
Create a login page and write the code as shown below.
Imports System.Web.Security

' Runs when the login button on login.aspx is clicked
Sub Button_Click(ByVal s As Object, ByVal e As EventArgs)
    If IsValid Then
        ' Checks the submitted credentials against the <credentials> section of Web.config
        If FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text) Then
            ' Issues the (non-persistent) authentication cookie and returns the user to the page originally requested
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
        Else
            lblMessage.Text = "Bad username/password!"
        End If
    End If
End Sub
Hope this helps.
Regards
bhar
Knowledge is power
http://www.vkinfotek.com
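The request flow the post describes (cookie check, redirect to the login page, ticket issued on successful login, authorization after the ticket is accepted) as an added Python example; it is not part of the original post and not ASP.NET code. The FORMS_CONFIG, CREDENTIALS, AUTHORIZED and MACHINE_KEY values are constructed for the example, and the ticket is only HMAC-validated, not encrypted, which is a simplification of what protection="All" does in ASP.NET.

```python
import base64
import hashlib
import hmac
import json

# Constructed settings mirroring the <forms> element in the post (not parsed from Web.config).
FORMS_CONFIG = {
    "name": ".MyCookie",        # HTTP cookie that carries the ticket
    "loginUrl": "/login.aspx",  # where unauthenticated requests are redirected
    "timeout": 80,              # minutes until the ticket expires
    "path": "/",
}

# Constructed credential store with the same shape as the <credentials> element.
CREDENTIALS = {"Sam": "Test", "Ram": "Test"}

# Constructed authorization rules (path prefix -> users allowed); not from the post.
AUTHORIZED = {"/": {"Sam", "Ram"}, "/admin/": {"Sam"}}

# Constructed signing key; in ASP.NET the runtime takes this from <machineKey>.
MACHINE_KEY = b"constructed-example-key-not-for-real-use"


def authenticate(username: str, password: str) -> bool:
    """Application-side credential check, the role FormsAuthentication.Authenticate plays."""
    stored = CREDENTIALS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def issue_ticket(username: str, now: int) -> str:
    """Build the ticket that goes into the cookie after a successful login.

    Assumption: "validate" is modelled as an HMAC over the encoded ticket body;
    the encryption half of protection="All" is left out of this example.
    """
    payload = {"name": username, "issued": now, "expires": now + FORMS_CONFIG["timeout"] * 60}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(MACHINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def validate_ticket(cookie: str, now: int):
    """Return the username if the ticket is untampered and unexpired, otherwise None."""
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        return None  # malformed cookie
    expected = hmac.new(MACHINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # signature mismatch: cookie was altered or signed with another key
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["expires"]:
        return None  # timeout reached: the user has to log in again
    return payload["name"]


def handle_request(path: str, cookies: dict, now: int):
    """Mirror the pipeline in the post once IIS has let the request through."""
    if path == FORMS_CONFIG["loginUrl"]:
        return ("ok", None)  # the login page is always reachable anonymously
    cookie = cookies.get(FORMS_CONFIG["name"])
    user = validate_ticket(cookie, now) if cookie else None
    if user is None:
        return ("redirect", f"{FORMS_CONFIG['loginUrl']}?ReturnUrl={path}")
    # Authorization check: the most specific path prefix wins.
    for prefix in sorted(AUTHORIZED, key=len, reverse=True):
        if path.startswith(prefix):
            return ("granted", user) if user in AUTHORIZED[prefix] else ("denied", user)
    return ("denied", user)


def login(username: str, password: str, now: int):
    """The Button_Click handler from the post as a function: the cookie value, or None on failure."""
    if not authenticate(username, password):
        return None
    return issue_ticket(username, now)


if __name__ == "__main__":
    ticket = login("Sam", "Test", 0)
    print(handle_request("/admin/", {".MyCookie": ticket}, 0))        # granted
    print(handle_request("/admin/", {".MyCookie": ticket}, 81 * 60))  # redirect: expired
```

The three outcomes the post lists (redirect when no valid cookie, granted or denied after the authorization check) are all produced by handle_request, and validate_ticket shows why the "validate" part of protection matters: a cookie whose contents or signature have been changed is rejected before any authorization decision is made.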