ASP.NET Forms Authentication Overview

Forms authentication provides you with a way to authenticate users using your own code and then maintain an authentication token in a cookie or in the page URL. Forms authentication participates in the ASP.NET page life cycle through the FormsAuthenticationModule. You can access forms authentication information and capabilities through the FormsAuthentication class.

To use forms authentication, you create a logon page that collects credentials from the user and that includes code to authenticate the credentials. If the credentials are valid, you can call methods of the FormsAuthentication class to redirect the request to the originally requested resource with an appropriate authentication ticket (cookie). If you do not want the redirection, you can simply get the forms authentication cookie or set it.

You configure forms authentication using the authentication configuration element. In the simplest case, you can specify a URL to redirect unauthenticated requests to a logon page, supply a minimal implementation of a logon page, and supply valid credentials, either in the Web.config file or in a separate file. The following example shows a section from a configuration file that specifies a logon page and authentication credentials for the Authenticate method. The passwords have been hashed using the HashPasswordForStoringInConfigFile method.

<authentication mode="Forms">
   <forms name="SavingsPlan" loginUrl="/Logon.aspx">
      <credentials passwordFormat="SHA1">
         <user name="Kim"
               password="07B7F3EE06F278DB966BE960E7CBBD103DF30CA6"/>
         <user name="John"
               password="BA56E5E0366D003E98EA1C7F04ABF8FCB3753889"/>
      </credentials>
   </forms>
</authentication>
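
A logon page that works with the configuration above might look like the following. This is an added example, not code from the original page; the class name, the control names (UserName, Password, Persist, Msg) and the Logon_Click handler are assumptions about the page markup.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for /Logon.aspx. Assumed markup (not from the page):
// TextBox UserName, TextBox Password, CheckBox Persist, Label Msg,
// and a Button whose Click event is wired to Logon_Click.
public partial class Logon : Page
{
    protected void Logon_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;

        // Authenticate hashes the submitted password using the passwordFormat
        // of the <credentials> element and compares it with the stored value.
        if (!FormsAuthentication.Authenticate(user, Password.Text))
        {
            // One message for both unknown user and wrong password.
            Msg.Text = "Invalid user name or password.";
            return;
        }

        if (Request.QueryString["ReturnUrl"] != null)
        {
            // Issues the ticket cookie and redirects to the requested resource.
            FormsAuthentication.RedirectFromLoginPage(user, Persist.Checked);
        }
        else
        {
            // No redirection: get the cookie, adjust it, and set it ourselves.
            HttpCookie ticket = FormsAuthentication.GetAuthCookie(user, Persist.Checked);
            ticket.HttpOnly = true;
            if (Request.IsSecureConnection)
            {
                ticket.Secure = true;   // never send the ticket over plain HTTP
            }
            Response.Cookies.Add(ticket);
            Msg.Text = "Signed in as " + Server.HtmlEncode(user) + ".";
        }
    }
}
```

HashPasswordForStoringInConfigFile produces an unsalted hash, and both it and the Authenticate method are marked obsolete from .NET Framework 4.5 in favor of the membership APIs described later on this page.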

After successful authentication, the FormsAuthenticationModule populates the current User property with the information for the authenticated user. The following code example shows how to programmatically read the identity of the forms-authenticated user.

' Visual Basic
Dim authUser2 As String = User.Identity.Name

// C#
String authUser2 = User.Identity.Name;

Forms Authentication, ASP.NET Membership, and Login Controls

A convenient way to work with forms authentication is to use ASP.NET membership and ASP.NET login controls. ASP.NET membership provides a way to store and manage user information and includes methods to authenticate users. ASP.NET login controls work with ASP.NET membership and encapsulate the logic required to prompt users for credentials, validate users, recover or replace passwords, and so on. In effect, ASP.NET membership and ASP.NET login controls provide a layer of abstraction over forms authentication and replace most or all of the work you would normally have to do to use forms authentication. For more information, see Managing Users by Using Membership and the ASP.NET Login Controls Overview.
