Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
ASP.NET Developer Center
Click to Rate and Give Feedback
MSDN
MSDN Library
Visual Studio 2008
Visual Studio
 Using Forms Authentication with ASP...

  Switch on low bandwidth view
This page is specific to
Microsoft Visual Studio 2008/.NET Framework 3.5

Other versions are also available for the following:
Using Forms Authentication with ASP.NET AJAX

You can use the Microsoft AJAX Library application authentication service to verify credentials that are stored as part of the ASP.NET membership service.

This topic shows how to call the application authentication service from the browser by using JavaScript.

You can access the authentication service from client script by using the AuthenticationService class, which supports the following methods:

  • login. This method validates the user credentials by using the default membership provider. If the credentials are verified, the method sends a forms authentication cookie to the browser. Most ASP.NET AJAX applications will use the login method, because forms-authenticated applications require an authentication cookie in the browser.

  • logout. This method clears the forms authentication cookie.

The server provides the infrastructure to process the identification credentials such as name and password from a user, and to validate those credentials. The forms authentication feature in ASP.NET enables you to authenticate the user's login name and password users by using a login form. If the application authenticates the request, the server issues a ticket that contains a key for reestablishing the user identity in subsequent requests.

The AuthenticationService class provides the JavaScript proxy class that you call from client script to communicate with the authentication service on the server.

NoteNote:

You can create your own server authentication service. For more information, see AuthenticationServiceManager.

To support authentication in client script, the server must be configured as described in the following sections.

For more information about authentication in ASP.NET, see How ASP.NET Security Works and Managing Users by Using Membership.

Enabling the Authentication Service

To use the authentication service from client script, you must explicitly enable the authentication service by using the following element in the application's Web.config file: 

<system.web.extensions>
  <scripting>
    <webServices>
      <authenticationService enabled="true" />
    </webServices>
  </scripting>
</system.web.extensions>

For more information, see How to: Configure ASP.NET Services in ASP.NET AJAX.

The authentication service requires forms authentication to be enabled. The following example shows how to enable forms authentication in the application's Web.config file. 

<system.web>
  <authentication mode="Forms">
    <forms cookieless="UseCookies" 
      loginUrl="~/login.aspx"/>
  </authentication>
<system.web>
NoteNote:

The browser must have cookies enabled. The authentication service uses a cookie for the authentication ticket that reestablishes the user's identity during subsequent requests.

Configuring Access to the Membership Database

By default, ASP.NET uses a SQL Server Express database to store membership information. The connection string for the database is defined in the Machine.config file and resembles the following: 

<connectionStrings>
  <add name="LocalSqlServer" 
  connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;
AttachDBFilename=|DataDirectory|aspnetdb.mdf;
User Instance=true" providerName="System.Data.SqlClient" />
</connectionStrings>

If you are using a different database for membership information, you can create a <connectionStrings> element in the application Web.config file that points to that database. For more information, see Configuring an ASP.NET Application to Use Membership.

Creating a Restricted Folder

If you want to limit access to information so that only logged-in users can access it, you create a restricted area of the site. This is typically a folder under the application root. To limit access to the restricted folder, you create a Web.config file in the restricted folder and add an <authorization> section to it. The following example shows the contents of a Web.config file that restricts access to only authenticated users. 

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>

The following example shows an ASP.NET Web page that authenticates the user by using client script. The example requires that you have configured the server as described earlier in this topic. The name of the restricted folder is assumed to be Secured.

The page contains an <asp:ScriptManager> element. When this element is included on the page, the AuthenticationService object is automatically available to any client script on the page.

The page has a button with an associated event handler named OnClickLogin. Code in the method handler calls the login method of the AuthenticationService class.

After you are logged in, the button text changes and the text at the top of the page changes to indicate your logged-in status. Click the link at the bottom of the page to move to a page located in the Secured folder. Because you are now logged in, you can access pages in this folder without being redirected to the login page.

On the sample page, you can click a button to log out. This calls the OnClickLogout button event handler, which calls the logout method. After you have logged out, the text at the top of the page changes. If you try to access the page in the secured folder, you will be redirected to the login page, because your browser no longer has a forms authentication cookie.

The example code provides asynchronous completed callback functions for the login and logout methods. You can also create failure callback functions for both methods. For more information, see the example provided in the AuthenticationService class overview.

Visual Basic
<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html  >
<head id="Head1" runat="server">
    <title>Authentication Service</title>
    <style type="text/css">
        body {  font: 11pt Trebuchet MS;
                font-color: #000000;
                padding-top: 72px;
                text-align: center }

        .text { font: 8pt Trebuchet MS }
    </style>
</head>
<body>
      <form id="form1" runat="server">

        <asp:ScriptManager runat="server" ID="ScriptManagerId">
            <Scripts>
                <asp:ScriptReference Path="Authentication.js" />
            </Scripts>
        </asp:ScriptManager>

        <h2>Authentication Service</h2>

            <span id="loggedin" 
                style="visibility:hidden; color:Green; font-weight:bold; font-size:large" 
                visible="false"><b>You are logged in! </b>
            </span> 

            <span id="notloggedin" 
                style="visibility:visible;color:Red; font-weight:bold; font-size:large">
                You are logged out!    
                <br /> <br />
                <span style="font-weight:normal; font-size:medium; color:Black">
                    Please, use one of the following [username, password] 
                    combinations:<br />
                    [user1, u$er1] <br/>
                    [user2, u$er2] <br/> 
                    [user3, u$er3]   
                </span>   
            </span>


        <br /><br />
        <div>
        <table>
            <tr id="NameId"  style="visibility:visible;">
                <td style="background-color:Yellow; font-weight:bold; color:Red">
                    User Name:
                </td>
                <td>
                    <input type="text" id="username"/>
                </td> 
            </tr>
            <tr id="PwdId"  style="visibility:visible;">
               <td style="background-color:Yellow; font-weight:bold; color:Red">
                    Password:
                </td>
                <td>
                    <input type="password" id="password" />
                </td> 
            </tr>   
            <tr>
                <td colspan="2" align="center">
                    <button id="ButtonLogin"   
                        style="background-color:Aqua;"
                        onclick="OnClickLogin(); return false;">Login</button>
                    <button id="ButtonLogout"   
                        style="background-color:Aqua; visibility:hidden;"
                        onclick="OnClickLogout(); return false;">Logout</button>
                </td> 
            </tr>          
        </table>
        <br />
        <br />
        <a href="secured/Default.aspx" target="_top2" >
            Attempt to access a page 
            that requires authenticated users.</a>
        <br />
        <br />
        <!-- <a href="CreateNewUser.aspx"><b>Create a new user.</b></a>
        -->        
        </div>

   </form>

   <hr />

   <div id="FeedBackID" style="visibility:visible" />


</body>
</html>
C#
<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html  >
<head runat="server">
    <title>Authentication Service</title>
    <style type="text/css">
        body {  font: 11pt Trebuchet MS;
                font-color: #000000;
                padding-top: 72px;
                text-align: center }

        .text { font: 8pt Trebuchet MS }
    </style>
</head>
<body>
      <form id="form1" runat="server">

        <asp:ScriptManager runat="server" ID="ScriptManagerId">
            <Scripts>
                <asp:ScriptReference Path="Authentication.js" />
            </Scripts>
        </asp:ScriptManager>

        <h2>Authentication Service</h2>

            <span id="loggedin" 
                style="visibility:hidden; color:Green; font-weight:bold; font-size:large" 
                visible="false"><b>You are logged in! </b>
            </span> 

            <span id="notloggedin" 
                style="visibility:visible;color:Red; font-weight:bold; font-size:large">
                You are logged out!    
                <br /> <br />
                <span style="font-weight:normal; font-size:medium; color:Black">
                    Please, use one of the following [username, password] 
                    combinations:<br />
                    [user1, u$er1] <br/>
                    [user2, u$er2] <br/> 
                    [user3, u$er3]   
                </span>   
            </span>


        <br /><br />
        <div>
        <table>
            <tr id="NameId"  style="visibility:visible;">
                <td style="background-color:Yellow; font-weight:bold; color:Red">
                    User Name:
                </td>
                <td>
                    <input type="text" id="username"/>
                </td> 
            </tr>
            <tr id="PwdId"  style="visibility:visible;">
               <td style="background-color:Yellow; font-weight:bold; color:Red">
                    Password:
                </td>
                <td>
                    <input type="password" id="password" />
                </td> 
            </tr>   
            <tr>
                <td colspan="2" align="center">
                    <button id="ButtonLogin"   
                        style="background-color:Aqua;"
                        onclick="OnClickLogin(); return false;">Login</button>
                    <button id="ButtonLogout"   
                        style="background-color:Aqua; visibility:hidden;"
                        onclick="OnClickLogout(); return false;">Logout</button>
                </td> 
            </tr>          
        </table>
        <br />
        <br />
        <a href="secured/Default.aspx" target="_top2" >
            Attempt to access a page 
            that requires authenticated users.</a>
        <br />
        <br />
        <!-- <a href="CreateNewUser.aspx"><b>Create a new user.</b></a>
        -->        
        </div>

   </form>

   <hr />

   <div id="FeedBackID" style="visibility:visible" />


</body>
</html>
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker