Forms Authentication Control Flow
The flow of control for forms authentication is shown in the following table.
|1||Requests a protected resource from a server.||Redirects the request to a logon page to collect credentials if there is no authentication cookie. Information about the originating page is placed in the query string using RETURNURL as the key.
302 Found Location: https://samples.microsoft.com/logon.aspx?RETURNURL=/default.aspx
|2||Follows the redirection to the logon page.
|Returns the logon page. (Use Secure Sockets Layer (SSL) to keep the user's credentials from being sent in clear text, at least for the postback to the logon page.)
|3||User enters credentials into the logon form.
|Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL retrieved from the logon ticket. The authentication ticket is issued as a cookie.
302 Found Location: /default.aspx
|4||Follows the redirection and requests the original resource again.||Grants access if the user is authorized and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the module inspects the cookie. It is possible to create a durable cookie that can be used for future sessions, but only until the cookie's expiration date.
200 OK Set-Cookie: ASPXTICKET=ABCDEFG12345;Path=/
Notice that the path is set to /. Because cookie names are case-sensitive, this helps protect against inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.