Forms Authentication Control Flow

The flow of control for forms authentication is shown in the following table.

Step Browser Server reply
1 Requests a protected resource from a server.
GET /default.aspx
Redirects the request to a logon page to collect credentials if there is no authentication cookie. Information about the originating page is placed in the query string using RETURNURL as the key.
302 Found
2 Follows the redirection to the logon page.
GET /logon.aspx?RETURNURL=/default.aspx
Returns the logon page. (Use Secure Sockets Layer (SSL) to keep the user's credentials from being sent in clear text, at least for the postback to the logon page.)
200 OK
3 User enters credentials into the logon form.
POST /logon.aspx?RETURNURL=/default.aspx
Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL retrieved from the logon ticket. The authentication ticket is issued as a cookie.
302 Found
Location: /default.aspx
4 Follows the redirection and requests the original resource again.
GET /default.aspx
Grants access if the user is authorized and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the module inspects the cookie. It is possible to create a durable cookie that can be used for future sessions, but only until the cookie's expiration date.
200 OK
Set-Cookie: ASPXTICKET=ABCDEFG12345;Path=/

Notice that the path is set to /. Because cookie names are case-sensitive, this helps protect against inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.

See Also

ASP.NET Web Application Security | Forms Authentication Provider