Forms Authentication Utilities

To manage forms authentication, you can use static methods of the FormsAuthentication class. The following table lists the methods.




Attempts to validate the credentials from the configured credential store, given the supplied credentials.


Returns an instance of the FormsAuthenticationTicket class, given an encrypted authentication ticket obtained from an HTTP cookie.


Given a FormsAuthenticationTicket, produces a string containing an encrypted authentication ticket suitable for use in an HTTP cookie.


Retrieves an encrypted authentication cookie as an HttpCookie instance. The cookie is not added to the Cookies collection.


Returns the redirection URL for the request that caused the redirect to the logon page.


Given a password and a string identifying the hash type, produces a hashed password suitable for storing in a configuration file.


Initializes the FormsAuthentication class by reading configuration settings and getting the cookie values and encryption values for the current application.


Redirects an authenticated user to the originally requested URL.


Updates the sliding expiration on a FormsAuthenticationTicket.


Creates an authentication ticket and attaches it to the cookie collection of the outgoing response.


Removes the authentication ticket by setting the authentication cookie or URL text to an empty value. This removes both durable and session cookies.

Important

Although the SignOut method clears the ticket from the authenticated browser session, your application can still be susceptible to a replay attack from an unwanted source that has "sniffed" an authentication ticket. For information on mitigating a replay attack with forms authentication, see SignOut.

The following table lists helpful properties for managing forms authentication tickets.




Gets the cookie name for the current application.


Gets the cookie path for the current application.


Gets a value that indicates whether the application is configured to support cookieless forms authentication.


Gets a value that indicates whether the application is configured for cookieless forms authentication.


Gets the value of the domain of the forms authentication cookie.


Gets the URL that forms authentication will redirect to if no redirect URL is specified.


Gets the URL for the logon page that forms authentication will redirect to.


Gets a value indicating whether cookies must be transmitted using Secure Sockets Layer (SSL).


Gets a value indicating whether sliding expiration is enabled.


Gets a value indicating whether authenticated users can be redirected to URLs in other Web applications when the forms authentication ticket is not stored in a cookie.

You can use the methods of the FormsAuthentication class to customize the way forms authentication works. You can also use them in the logon page handler to avoid having to explicitly code the redirection. The following code example shows an ASP.NET Web page that authenticates the user and redirects to the requested page.

<script language="VB" runat=server>
    Sub SubmitBtn_Click(Source As Object, e As EventArgs)
        ' Try to authenticate credentials supplied by user.
        If FormsAuthentication.Authenticate _
                (UserName.Value, UserPassword.Value) Then
            ' This ticket is constructed but not used below;
            ' RedirectFromLoginPage issues its own ticket and cookie.
            Dim ticket As New FormsAuthenticationTicket _
                (UserName.Value, False, 5000)
            FormsAuthentication.RedirectFromLoginPage _
                (UserName.Value, Persist.Checked)
        End If
    End Sub
</script>

<form method=post runat=server>
    <table>
        <tr>
            <td><input type="text" id="UserName" runat=server/></td>
            <td><input type="password" id="UserPassword" runat=server/></td>
        </tr>
    </table>
    <input type="checkbox" id="Persist" runat=server/>
    <!-- Use persistent cookie -->
    <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/>
</form>

Applications that need detailed control over the HTTP cookie properties can construct the ticket and perform the redirection in custom code. In those cases, you should use encryption methods of the FormsAuthentication class to encrypt the authentication ticket.
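
The custom-code path described above, as an added example that is not part of the original page: it builds the ticket, encrypts it with FormsAuthentication.Encrypt, sets the cookie properties explicitly, and performs the redirect itself. The module name `TicketIssuer`, the method name `IssueTicketAndRedirect`, and the 20-minute lifetime are assumptions chosen for illustration.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (names are illustrative, not from the original page).
Public Module TicketIssuer

    ' Call this only after the supplied credentials have been validated.
    Public Sub IssueTicketAndRedirect(ByVal context As HttpContext, _
                                      ByVal userName As String, _
                                      ByVal persist As Boolean)
        ' Assumed lifetime: a short window limits how long a captured
        ' ticket stays valid if it is replayed.
        Dim issued As DateTime = DateTime.Now
        Dim expires As DateTime = issued.AddMinutes(20)

        ' Version 1 ticket with no user data, scoped to the configured path.
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, issued, expires, persist, _
            String.Empty, FormsAuthentication.FormsCookiePath)

        ' Never place the raw ticket in the cookie; encrypt it first.
        Dim encrypted As String = FormsAuthentication.Encrypt(ticket)

        Dim cookie As New HttpCookie( _
            FormsAuthentication.FormsCookieName, encrypted)
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' not readable from client script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follow the configured SSL setting
        If FormsAuthentication.CookieDomain IsNot Nothing Then
            cookie.Domain = FormsAuthentication.CookieDomain
        End If
        If persist Then
            ' A durable cookie should not outlive the ticket it carries.
            cookie.Expires = ticket.Expiration
        End If

        context.Response.Cookies.Add(cookie)

        ' Return to the URL of the request that caused the redirect to the logon page.
        context.Response.Redirect( _
            FormsAuthentication.GetRedirectUrl(userName, persist))
    End Sub

End Module
```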