|
Drill Down on Forms Authentication
ASP.NET 2.0 provides a rich set of functionality for implementing forms authentication in your applications. Handling this inside your application with ASP.NET rather than through more traditional Windows authentication methods can make your applications considerably more flexible.
by Matthew MacDonald and Mario Szpuszta
January 27, 2006
Technology Toolbox: C#, ASP.NET
A key aspect of security in ASP.NET is forms authentication.
Taking advantage of forms authentication requires that you have your own authentication infrastructure with a custom login page that validates a user name and password against a custom store such as your own database. This infrastructure then establishes the security context on each request again (in many cases such systems work based on cookies).
Fortunately, ASP.NET includes a complete infrastructure for implementing such systems. ASP.NET handles the cookies and establishes the security context on each request for you. This infrastructure is called forms authentication, and you'll learn how it works in this chapter.
Forms authentication is a ticket-based (also called token-based) system. This means users who log in receive a ticket with basic user information. This information is stored in an encrypted cookie that's attached to the response, so it's automatically submitted on each subsequent request.
When a user requests an ASP.NET page that isn't available for anonymous users, the ASP.NET runtime verifies whether the forms authentication ticket is available. If it's not available, ASP.NET redirects the user to a login page automatically. At that point, it's your turn. You have to create the login page and validate the credentials within this page. If the user is validated successfully, you tell the ASP.NET infrastructure about the success (by calling a method of the FormsAuthentication class), and the runtime sets the authentication cookie (which contains the ticket) automatically and redirects the user to the page requested originally. With this request, the runtime detects that the authentication cookie with the ticket is available and grants access to the page.
You implement forms authentication entirely within ASP.NET, so you have complete control over how authentication is performed. You don't need to rely on any external systems, as you do with Windows or Passport authentication. You can also customize the behavior of forms authentication to suit your needs. You have the same degree of control over the appearance of forms authentication as you do over its functionality. In other words, you can format the login form in any way you like. This flexibility in appearance isn't available in the other authentication methods. Windows authentication needs the browser to collect credentials, and Passport authentication requires that users leave your Web site and visit the Passport site to enter their credentials.
Forms authentication uses standard HTML as its user interface, so all browsers can handle it. Because you can format the login form in any way you like, you can even use forms authentication with browsers that do not use HTML, such as those on mobile devices. To do this, you need to detect the browser being used and provide a form in the correct format for the device (such as WML for mobile phones). Note that forms authentication uses standard HTML forms for collecting and submitting the user's credentials. Therefore, you must use SSL to encrypt and transmit the user's credentials securely. If you don't use SSL, the information is transmitted as clear text in the postback data in the request to the server.
Store User Information
Forms authentication stores users in the web.config file by default, but you can store the information anywhere you like. You just need to create the code that accesses the data store and retrieves the required information. A common approach is to store the user information in a custom database. ASP.NET's flexible storage options for user information enable you to control how you create and administer user accounts. It also lets you attach additional information to user accounts.
I've mentioned that forms authentication gives you substantial control over the interface that users use to log into your Web application. This approach has benefits, but also creates some extra work because you have to build the login page. Other forms of authentication supply some prebuilt portions. For example, if you're using Windows authentication, the browser provides a standard dialog box. In Passport authentication, the user interface of the Passport site is always used for logging in.
Back to top
|