Important: This document may not represent best practices for current development. Links to downloads and other resources may no longer be valid. Current recommended version can be found here.
ASP.NET Forms Authentication Overview
Forms authentication provides you with a way to authenticate users using your own code and then maintain an authentication token in a cookie or in the page URL. Forms authentication participates in the ASP.NET page life cycle through the FormsAuthenticationModule class. You can access forms authentication information and capabilities through the FormsAuthentication class.
To use forms authentication, you create a logon page that collects credentials from the user and that includes code to authenticate the credentials. If the credentials are valid, you can call methods of the FormsAuthentication class to redirect the request to the originally requested resource with an appropriate authentication ticket (cookie). If you do not want the redirection, you can simply get the forms authentication cookie or set it.
You configure forms authentication using the authentication configuration element. In the simplest case, you can specify a URL to redirect unauthenticated requests to a logon page, supply a minimal implementation of a logon page, and supply valid credentials, either in the Web.config file or in a separate file. The following example shows a section from a configuration file that specifies a logon page and authentication credentials for the method. The passwords have been encrypted using the method.
<authentication mode="Forms">
  <forms name="SavingsPlan" loginUrl="/Logon.aspx">
    <credentials passwordFormat="SHA1">
      <user name="Kim" password="07B7F3EE06F278DB966BE960E7CBBD103DF30CA6"/>
      <user name="John" password="BA56E5E0366D003E98EA1C7F04ABF8FCB3753889"/>
    </credentials>
  </forms>
</authentication>
After successful authentication, the FormsAuthenticationModule module populates the currentproperty with the information for the authenticated user. The following code example shows how to programmatically read the identity of the forms-authenticated user.
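An added example, not the sample from the original documentation: a helper that validates posted credentials against the credentials section of Web.config with FormsAuthentication.Authenticate, issues the ticket, and on later requests reads the user back from the FormsIdentity. FormsAuthHelper and its method names are hypothetical.

```csharp
// Added example; FormsAuthHelper and its method names are hypothetical.
using System.Web;
using System.Web.Security;

public static class FormsAuthHelper
{
    // Call from the logon page's submit handler with the posted values.
    // Returns false when the credentials are rejected, so the page can
    // show one generic error for both unknown user and wrong password.
    public static bool TrySignIn(string userName, string password)
    {
        // Compares against the <credentials> section of Web.config.
        // (Marked obsolete from .NET Framework 4.5 in favor of Membership.)
        if (!FormsAuthentication.Authenticate(userName, password))
            return false;

        // Issues the ticket as a non-persistent (session) cookie and
        // redirects to the originally requested resource.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
        return true;
    }

    // Returns a description of the forms-authenticated user, or null when
    // the request is anonymous or was authenticated by another scheme.
    public static string DescribeUser(HttpContext context)
    {
        if (context == null || context.User == null)
            return null;

        // FormsAuthenticationModule sets User.Identity to a FormsIdentity
        // only after it has validated the ticket.
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired)
            return null;

        return string.Format(
            "{0} (issued {1:u}, expires {2:u}, persistent: {3})",
            identity.Name, ticket.IssueDate, ticket.Expiration,
            ticket.IsPersistent);
    }
}
```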
Forms Authentication, ASP.NET Membership, and Login Controls
A convenient way to work with forms authentication is to use ASP.NET membership and ASP.NET login controls. ASP.NET membership provides a way to store and manage user information and includes methods to authenticate users. ASP.NET login controls work with ASP.NET membership and encapsulate the logic required to prompt users for credentials, validate users, recover or replace passwords, and so on. In effect, ASP.NET membership and ASP.NET login controls provide a layer of abstraction over forms authentication and replace most or all of the work you would normally have to do to use forms authentication. For more information, seeand the .