ASP.Net Form Based Authentication

ASP Free Forums Sponsor:

August 2nd, 2004, 10:33 AM

sivakumar.k

Registered User

Join Date: Jun 2004

Posts: 4

Time spent in forums: < 1 sec
Reputation Power: 0

ASP.Net Form Based Authentication

ASP.Net Form Based Authentication

by Sivakumar Kannaiyan

Authentication

It is a process of uniquely identifying a user who visits a website. In this, user’s identity is verified with an existing data store. The data store can be a RDBMS, an XML file , a Windows Active Directory or any other data storage medium. The reason for authenticating a user varies from simply customising the page with user’s preferred contents, page colours, fonts etc. to providing restricted access to some valuable resources.

Authorization

Though most of the web sites provide anonymous access to the users to view the contents of the site, in some scenarios it is required to provide restricted access to some contents. Authourisation is mostly done for securing the data from wrong hands. Sites providing paid services may want to restrict the ordinary users to use only some free services and allow the users who have registered for the paid service to have access to those services. Authourisation provides a way for the applications to decide which user should be allowed to access which resource and how.

Authentication Modes used by ASP.Net

Authentication mode is set in the Web.config file in an ASP.Net application. There are four authentication mode supported by the ASP.Net.

Form

Form based authentication is a less secured authentication as the authentication information is set in the client machine in the form of cookies. It is mostly used to remember a user and for page customization purposes. It is not advised to use form based authentication where high security is needed.

Windows

Windows authentication is a secured one. It is mostly used in intranet applications. In windows authentication the users’ windows login name is used as the authentication id. This is the default authentication mode used by ASP.Net

Passport

Microsoft provides an authentication service for authenticating users in a site. For this the site provider needs to register with Microsoft passport service. Some special components need to be installed in order to support this. The user registered with the .Net Passport enabled site can use that login information for logging into other Passport enabled sites. The user information will be shared by these sites using the Microsoft Passport services,

None

No authentication is done. Applications have to have customized authentication code in the application if needed.

In this article I would like to give a brief idea about implementing forms based authentication in an ASP.Net application. For implementing forms based authentication you need to alter the default authentication setting in the Web.config file and you will need a login page where the user will be redirected for authentication when they access any of the pages in the site.

Web.config

In Web.config you can find a <Authentication> section with default mode set to Windows. Alter the section as follows

<authenticationmode="Forms">

<formsname="name of the Cookie"loginUrl="URL of the Login page"protection="All"timeout="Session Timeout period in minutes"path="/"requireSSL="false | true"slidingExpiration="false |true">

<credentialspasswordFormat="Clear | MD5 | SHA1">

<username="Username1"password="password1"/>

<username="Username2"password="password2"/>

</credentials>

</forms>

</authentication>

Login page

With the methods available in System.Web.Security.FormsAuthenticationclass code needed for implementing forms authentication is very less.

If the user’s credentials are stored in the Web.config files <Credentials> section as shown in the previous <Authentication> section the code will be something similar to this,

C# Code Example:-

if(FormsAuthentication.Authenticate(UserName,Passw ord))

FormsAuthentication.RedirectFromLoginPage(UserName ,toBePersisted);

If the user’s credentials are stored in a separate data store, then do the necessary verification with the user name and password and call the method

FormsAuthentication.RedirectFromLoginPage(UserName ,toBePersisted);

The user will be redirected to the page which he originally requested. The FormsAuthentication.RedirectFromLoginPage method takestwo arguments, one is a string username and a Boolean value indicating whether the user name and password entered by the user should be remembered on the computer so that next time when he visits the site no need to login again.

In Web.config <credentials> section if you want to use encoded passwords they should be done manually. For hashing the password in any of the password hash algorithm use FormsAuthentication.HashPasswordForStoringInConfig File method and paste the return value of the method in the password attribute of the <user> tag in the credential section.

About the Author: Sivakumar Kannaiyan is a Project Leader at InfoBeans Systems India Private Ltd., Indore. He has been teaching and programming in C, C++, Java and Microsoft technologies for the past 3 years. Sivakumar’s background includes a bachelor degree in Mechanical Engineering

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: