There are four types of authentication in ASP.NET:
- Windows authentication
- Forms authentication (used by the membership API)
- Passport authentication (mostly obsolete, consider Windows Live instead)
- Anonymous access
Forms Authentication is a token-based authentication method. After login, the user gets an encrypted cookie carrying the login information. This token can also be stored in the query string, but more on that later. The process is simple:
1. The client makes a request.
2. IIS (if configured properly for Forms Authentication) passes the request to ASP.NET.
3. ASP.NET checks for an authentication cookie (or the equivalent query-string information). If it is found, processing continues at step 7.
4. Otherwise ASP.NET redirects the user to the login page (Login.aspx by default, as set in machine.config).
5. The user enters credentials and ASP.NET authenticates them. If authentication fails, access is denied.
6. If authentication succeeds, a cookie is attached to the response.
7. ASP.NET checks the authorization settings against the current user.
8. If this check fails, access is denied; otherwise access is granted.
Pros of using Forms Authentication:
- Full control over the authentication code, via the Membership API.
Cons of using Forms Authentication:
- Security issues (use SSL, for example).
- You have to build an infrastructure for the credentials and maintain it.
- You have to set up the user interface by hand.
How to implement Forms Authentication?
- Configure it in web.config.
- Configure IIS to allow anonymous users, configure ASP.NET to restrict them.
- Create a login page for users.
A little detail: cookies are encrypted with a machine key, defined in machine.config. When deploying applications with Forms Authentication to a web farm, you need to be sure that all the machines use the same key, because if it’s not the case, they won’t be able to interpret each other’s cookies.
To configure Forms Authentication, simply set the authentication mode to Forms in web.config. The authentication element contains a forms element, which takes the following attributes (defaults in parentheses):
- name (.ASPXAUTH): the name of the HTTP cookie used for authentication.
- loginUrl (login.aspx): the URL of your login page.
- timeout (30): the time before the authentication cookie expires, in minutes.
- slidingExpiration (true): set it to false to disable the automatic extension of the cookie's expiration on every request.
- cookieless (UseDeviceProfile): sets how cookies are used in the authentication process. The values:
  - AutoDetect: checks whether the browser is actually configured to deny or allow cookies. If it denies them, the query string is used to store the information.
  - UseUri: uses the query string in all cases.
  - UseDeviceProfile: checks whether the browser is capable of using cookies, then tries to use them. If cookies are turned off, the result is an error.
- protection (All): sets the protection of the cookie. Values are None, Encryption, Validation, All (both).
- requireSSL (false): nomen est omen.
- enableCrossAppRedirects (false): makes sense only when the target app uses the same credential datastore.
- defaultUrl (default.aspx): if the user browses directly to the login page, this is the page he/she is redirected to after login.
- domain: the domain of the cookie.
- path (/): the path of the cookie.
Credentials in web.config:
It is possible to store user credentials in web.config (strictly for debugging only). The code looks like this (a credentials element inside the forms element):
<credentials passwordFormat="Clear">
  <user name="UserName" password="p4ssw0rd"/>
</credentials>
Deny access to anonymous users:
Simply <authorization><deny users="?"/></authorization>
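Putting the forms attributes listed above and the deny rule for anonymous users together, here is a complete web.config fragment added as an example (it is not from the original post). It assumes the application's own page names (Login.aspx, Default.aspx) and a custom cookie name, uses cookieless="UseCookies" (a real value not listed above) so the ticket is never put in the query string, and the machineKey values are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Turn on Forms Authentication; every attribute below is one described above.
         name: custom cookie name instead of the default .ASPXAUTH;
         timeout: 20 minutes instead of the 30-minute default;
         slidingExpiration="false": the cookie is not extended on every request;
         cookieless="UseCookies": never fall back to carrying the ticket in the query string;
         protection="All": the ticket is both encrypted and signed;
         requireSSL="true": browsers only send the cookie over HTTPS. -->
    <authentication mode="Forms">
      <forms name=".MYAPPAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             protection="All"
             requireSSL="true"
             enableCrossAppRedirects="false"
             path="/" />
    </authentication>

    <!-- Deny anonymous users ("?") everywhere. IIS itself still allows anonymous access,
         so the request reaches ASP.NET and is redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Web farm: every node must share the same keys, otherwise they cannot read each
         other's tickets. The values here are PLACEHOLDERS (assumed, not real keys):
         generate random keys per deployment and keep them out of source control. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```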
The controls of Forms Authentication:
- Login: as the name shows, provides a way to log in.
- LoginStatus: a login button when logged out, a logout button when logged in.
- LoginName: shows the current user name.
- CreateUserWizard: a wizard for registration.
- LoginView: a view that can change its content depending on the state, role, etc. of the current user.
- PasswordRecovery, ChangePassword: no comment required.