Forms Authentication Control Flow
The flow of control for ASP.NET forms authentication is shown in the following table.
Browser and HTTP operation
Requests a protected resource from a server. The HTTP operation is:
If there is no authentication cookie, redirects the request to a logon page to collect credentials. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is:
302 Found Location: http://samples.microsoft.com/logon.aspx?RETURNURL=/default.aspx
Follows the redirection to the logon page. The HTTP operation is:
Returns the logon page. For security, we recommend that you use Secure Sockets Layer (SSL) for the logon page to keep the user's credentials from being sent in clear text. The server HTTP reply is:
After user enters credentials into the logon page, submits the page. The HTTP operation is:
Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL specified in the QueryString as the RETURNURL variable. By default, the authentication ticket is issued as a cookie.
You can specify that the authentication ticket be included in the URL instead of a cookie using the CookieMode property.
The server HTTP reply is:
302 Found Location: /default.aspx
Follows the redirection and requests the original resource again. The HTTP operation is:
If the user is authenticated, grants access and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the module inspects the cookie. It is possible to create a persistent cookie that can be used for future sessions, but only until the cookie's expiration date. The server HTTP reply is:
200 OK Set-Cookie: ASPXTICKET=ABCDEFG12345;Path=/
Note that the cookie path is set to /. Because cookie names are case-sensitive, this prevents inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.