This documentation is archived and is not being maintained.

Using the FormsAuthenticationModule Class

The FormsAuthenticationModule class exposes cookies-based authentication services to ASP.NET applications. The module allows you to optionally handle a FormsAuthentication_OnAuthentication event during the authentication process.

You must provide a logon URL that collects and authenticates credentials. If the credentials are valid, you can rely upon the provided helper utilities to redirect the request to the originally requested resource with an appropriate authentication ticket. Alternatively, you can simply get the cookie or set it, if you do not want the redirection.

In the simplest case, you can just configure a logon URL to redirect unauthenticated requests to a page, supply a minimal implementation of that file customized from an example page, and supply valid credential pairs, either in the Web.config file or in a separate file. The following code example shows how this might be handled in an ASP.NET configuration file. The passwords have been encrypted.

// Web.config file
<authentication mode="Forms">
   <forms name="SavingsPlan" loginUrl="/logon.aspx">
      <credentials passwordFormat="SHA1">
         <user name="Kim"
         <user name="John"

The FormsAuthenticationModule is configured by the <forms> element in a Machine.config or Web.config configuration file. For details on the attributes and subtags that are valid for this element, see the <forms> element documentation.

You can programmatically read the identity of the Forms authenticated user as shown in the following example.

Dim authUser As String = Request.ServerVariables("AUTH_USER")
Dim authUser2 As String = User.Identity.Name
String authUser = Request.ServerVariables["AUTH_USER"];
String authUser2 = User.Identity.Name;

See Also

ASP.NET Web Application Security | Forms Authentication Provider | ASP.NET Configuration | FormsAuthenticationModule