Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Forms Authentication Control Flow

Forms Authentication Control Flow

The flow of control for ASP.NET forms authentication is shown in the following table.

Browser and HTTP operation

Server reply

Requests a protected resource from a server. The HTTP operation is:

GET /default.aspx

If there is no authentication cookie, redirects the request to a logon page to collect credentials. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is:

302 Found
Location: http://samples.microsoft.com/logon.aspx?RETURNURL=/default.aspx

Follows the redirection to the logon page. The HTTP operation is:

GET /logon.aspx?RETURNURL=/default.aspx

Returns the logon page. For security, we recommend that you use Secure Sockets Layer (SSL) for the logon page to keep the user's credentials from being sent in clear text. The server HTTP reply is:

200 OK

After user enters credentials into the logon page, submits the page. The HTTP operation is:

POST /logon.aspx?RETURNURL=/default.aspx

Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL specified in the QueryString as the RETURNURL variable. By default, the authentication ticket is issued as a cookie.

You can specify that the authentication ticket be included in the URL instead of a cookie using the CookieMode property.

The server HTTP reply is:

302 Found
Location: /default.aspx

Follows the redirection and requests the original resource again. The HTTP operation is:

GET /default.aspx

If the user is authenticated, grants access and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the module inspects the cookie. It is possible to create a persistent cookie that can be used for future sessions, but only until the cookie's expiration date. The server HTTP reply is:

200 OK
Set-Cookie: ASPXTICKET=ABCDEFG12345;Path=/

Note that the cookie path is set to /. Because cookie names are case-sensitive, this prevents inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.

Community Additions

© 2015 Microsoft