FormsAuthentication Class (System.Web.Security)

Switch View

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2008/.NET Framework 3.5

Other versions are also available for the following:

.NET Framework Class Library

FormsAuthentication Class

Manages forms-authentication services for Web applications. This class cannot be inherited.

Namespace: System.Web.Security
Assembly: System.Web (in System.Web.dll)

Syntax

Visual Basic (Declaration)

<AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level := AspNetHostingPermissionLevel.Minimal)> _
Public NotInheritable Class FormsAuthentication

Visual Basic (Usage)

Dim instance As FormsAuthentication

[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public sealed class FormsAuthentication

Visual C++

[AspNetHostingPermissionAttribute(SecurityAction::LinkDemand, Level = AspNetHostingPermissionLevel::Minimal)]
public ref class FormsAuthentication sealed

JScript

public final class FormsAuthentication

Remarks

Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a Membership database, or in the configuration file for an application. Once a user is authenticated, forms authentication maintains an authentication ticket in a cookie or in the URL so that an authenticated user does not need to supply credentials with each request.

Forms authentication is enabled by setting the mode attribute of the authentication configuration element to Forms. You can require that all requests to an application contain a valid user authentication ticket by using the authorization configuration element to deny the request of any unknown user, as shown in the following example.

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

In the previous example, any request for an ASP.NET page that is part of the application requires a valid user name that is supplied by forms authentication. If no user name exists, then the request is redirected to the configured LoginUrl.

The FormsAuthentication class provides access to methods and properties that you can use in an application that authenticates users. The RedirectToLoginPage method redirects a browser to the configured LoginUrl for users to log into an application. The RedirectFromLoginPage method redirects an authenticated user back to the original protected URL that was requested or to the DefaultUrl. There are also methods that enable you to manage forms-authentication tickets, if needed.

Topic	Location
How to: Create an ASP.NET Login Page	Building ASP .NET Web Applications
How to: Create an ASP.NET Login Page	Building ASP .NET Web Applications
How to: Create an ASP.NET Login Page	Building ASP .NET Web Applications in Visual Studio
How to: Create an ASP.NET Login Page	Building ASP .NET Web Applications in Visual Studio
How to: Implement Simple Forms Authentication	Building ASP .NET Web Applications
How to: Implement Simple Forms Authentication	Building ASP .NET Web Applications
How to: Implement Simple Forms Authentication	Building ASP .NET Web Applications in Visual Studio
How to: Implement Simple Forms Authentication	Building ASP .NET Web Applications in Visual Studio
How to: Use Advanced Features of the ASP.NET Login Control	Building ASP .NET Web Applications
How to: Use Advanced Features of the ASP.NET Login Control	Building ASP .NET Web Applications
How to: Use Advanced Features of the ASP.NET Login Control	Building ASP .NET Web Applications in Visual Studio
How to: Use Advanced Features of the ASP.NET Login Control	Building ASP .NET Web Applications in Visual Studio
Walkthrough: Creating a Web Site with Membership and User Login	Building Applications with Visual Web Developer
Walkthrough: Creating a Web Site with Membership and User Login	Building ASP .NET Web Applications in Visual Studio
Walkthrough: Creating a Web Site with Membership and User Login (Visual Studio)	Building ASP .NET Web Applications in Visual Studio

Examples

The following code example shows the Web.config file for an ASP.NET application that uses the ASP.NET membership provider for forms authentication and requires all users to be authenticated.

<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
      <providers>
        <add name="SqlProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="SqlServices"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          passwordFormat="Hashed"
          applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>

The following code example shows the login page for an ASP.NET application that uses forms authentication and ASP.NET membership.

Security Note:
This example contains a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.

Visual Basic

<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

Public Sub Login_OnClick(sender As Object, args As  EventArgs)

   If (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text)) Then
      FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked)
   Else
     Msg.Text = "Login failed. Please check your user name and password and try again."
   End If

End Sub

</script>

<html  >
<head>
  <title>Login</title>
</head>
<body>

<form id="form1" runat="server">
  <h3>Login</h3>

  <asp:Label id="Msg" ForeColor="maroon" runat="server" /><br />

  Username: <asp:Textbox id="UsernameTextbox" runat="server" /><br />
  Password: <asp:Textbox id="PasswordTextbox" runat="server" TextMode="Password" /><br />

  <asp:Button id="LoginButton" Text="Login" OnClick="Login_OnClick" runat="server" />
  <asp:CheckBox id="NotPublicCheckBox" runat="server" /> 
  Check here if this is <span style="text-decoration:underline">not</span> a public computer.

</form>

</body>
</html>

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

public void Login_OnClick(object sender, EventArgs args)
{
   if (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text))
      FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked);
   else
     Msg.Text = "Login failed. Please check your user name and password and try again.";
}


</script>

<html  >
<head>
  <title>Login</title>
</head>
<body>

<form id="form1" runat="server">
  <h3>Login</h3>

  <asp:Label id="Msg" ForeColor="maroon" runat="server" /><br />

  Username: <asp:Textbox id="UsernameTextbox" runat="server" /><br />
  Password: <asp:Textbox id="PasswordTextbox" runat="server" TextMode="Password" /><br />

  <asp:Button id="LoginButton" Text="Login" OnClick="Login_OnClick" runat="server" />
  <asp:CheckBox id="NotPublicCheckBox" runat="server" /> 
  Check here if this is <span style="text-decoration:underline">not</span> a public computer.

</form>

</body>
</html>

.NET Framework Security

AspNetHostingPermission
To use the FormsAuthentication class in a hosted environment. Demand value: LinkDemand. Permission value: Minimal.

Inheritance Hierarchy

System..::.Object
System.Web.Security..::.FormsAuthentication

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Platforms

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Version Information

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1, 1.0

Reference

FormsAuthentication Members

System.Web.Security Namespace

Other Resources

Forms Authentication Provider