Introduction:

Forms authentication was already straightforward in earlier versions of ASP.NET, and ASP.NET 2.0 simplifies it further. ASP.NET 2.0 removes the repetitive tasks that you used to perform to authenticate a user through a form and provides a number of Login controls that greatly reduce your effort. This article discusses forms authentication in ASP.NET 2.0 and its implementation with the help of an example application.

Form Authentication Process:

Forms authentication in ASP.NET 2.0 can be used on its own or together with the Membership and Roles providers, which have their own database schema.
In a highly simplified scenario you need not use a database at all; you can validate users against a set of credentials stored in the forms element itself, as shown in the code given below:



The forms authentication system generates an authentication ticket when the user logs in. The system then uses the ticket to track the user throughout the login session as they browse the website. The ticket is carried in a cookie when cookies are allowed in the user's browser, or in the query string when cookieless forms authentication is used.

To perform forms authentication, IIS, the Membership API, and the Login Web controls work together with a user store. The forms authentication system uses this user store, which contains user accounts and passwords, to allow visitors to log in to the site.

Forms authentication in ASP.NET 2.0 is done in two steps:

Step 1: Users who visit the website are first authenticated by IIS and issued a Windows token, which is then passed to ASP.NET. The Windows token is issued on the basis of the IIS metabase settings configured on the hosting server. If anonymous authentication is configured, a Windows token for the IUSR_MACHINE account is generated, which represents an anonymous user.

Note:
IIS must be configured for anonymous authentication if you want to perform forms authentication, because forms authentication does not depend on IIS authentication.

Step 2: ASP.NET uses the FormsAuthenticationModule class, which checks the mode attribute of the authentication element in the web.config file to determine which authentication method is configured, as shown in the code below:



The FormsAuthenticationModule class then builds a GenericPrincipal object in the HTTP context, which holds a reference to a FormsIdentity instance representing the currently authenticated user.

Membership and Login Controls

The membership and login controls provide a layer of abstraction over forms authentication. The membership classes provide methods to authenticate users, store their information, and manage that information. The login controls, on the other hand, encapsulate all the functionality of logging in, from obtaining the user's credentials to validating them against the user store and storing the user details in a cookie if cookies are enabled in the user's browser.

ASP.NET 2.0 provides the FormsAuthentication class, which exposes a number of static methods that let you identify the users visiting your website with the help of a login form and manipulate authentication tickets.

Implement Form Authentication in an application

To implement forms authentication, we will create three files: web.config, Logon.aspx, and Default.aspx. In this example we assume that a user called Ted is configured to access a protected resource. Ted's user name 'Ted' and password '1234' are hard coded in the Logon.aspx file.

Creating the Web.config file:

The steps to configure the web.config file for forms authentication are shown below:

1. Create a new ASP.NET website and open the Web.config file from the project, as shown in Figure 1.
If the web.config file does not already exist, create a text file and name it web.config.
2. In the system.web section, configure the authentication element by setting its mode attribute to Forms to specify that forms authentication is used.
3. Create a forms element and set its loginUrl attribute to "Logon.aspx", the custom logon page of the application, and its name attribute to ".ASPXFORMSAUTH", the name of the cookie that contains the authentication ticket.
The user is redirected to the page specified in loginUrl if ASP.NET does not find an authentication cookie with the request.
4. Create an authorization element under the system.web element.
5. Add a deny element under the authorization element and set its users attribute to "?" to specify that unauthenticated users are not allowed to access this application, as shown in Figure 1 below:
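The web.config that results from the five steps above, written out as an added example (not the article's downloadable sample) and extended with the no-database case mentioned earlier, in which the credentials live in the forms element itself. The user Ted and the SHA-1 hash of the page's password 1234 are assumed for illustration, and requireSSL assumes the site is served over HTTPS.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 2: the FormsAuthenticationModule reads this mode attribute. -->
    <authentication mode="Forms">
      <!-- Step 3: loginUrl is the custom logon page, name is the ticket cookie name.
           protection="All" encrypts and signs the ticket; requireSSL marks the
           cookie Secure so it is only sent over HTTPS (assumed to be available). -->
      <forms name=".ASPXFORMSAUTH"
             loginUrl="Logon.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true">
        <!-- Credentials kept in the config for the simplified, no-database case.
             passwordFormat="SHA1" stores the hash, not the clear-text password;
             the value below is the SHA-1 of "1234" (constructed for this example). -->
        <credentials passwordFormat="SHA1">
          <user name="Ted" password="7110EDA4D09E062AA5E4A390B0A572AC0D2C0220" />
        </credentials>
      </forms>
    </authentication>
    <!-- Steps 4 and 5: "?" denies anonymous users; the machine-level allow="*"
         still admits everyone who carries a valid ticket. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

passwordFormat="Clear" is also accepted but leaves the password readable by anyone who can read web.config; the hashed form can be produced with FormsAuthentication.HashPasswordForStoringInConfigFile.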
 



Creating the Logon.aspx:

In this example, Logon.aspx is the page to which the user is redirected if the user could not be authenticated through a cookie. The page accepts the user's name and password and authenticates the user. In this example the user credentials are hard coded.

1. Add a new ASP.NET web form named Logon.aspx to the root folder of the application.
2. Design your logon page by adding a table to it and a page heading.
3. Drag two textboxes onto the page, named UserName and Pass, and a button labelled Log On.
4. Add a checkbox beneath the password textbox and name it Persist; its Checked property lets the user choose between a persistent and a non-persistent cookie, as shown in the code below:



5. On Logon_Click, add the code shown below.
The code calls the RedirectFromLoginPage method of the FormsAuthentication class if the user's credentials are correct. It passes the user name and the value of the Remember Me checkbox, which determines whether the authentication ticket is persisted as a cookie. The method then redirects the user to the protected page that was originally requested.

If the user's credentials are not correct, the page displays an error message.



The Logon page will appear as shown in Figure 2. Provide the user name and password hard coded in the Logon.aspx file to view the user identity details displayed by Default.aspx.
 


Creating Default.aspx file:

The Default.aspx file contains the code that displays the user identity. The Sign Out button calls the SignOut method, which clears the user identity and removes the authentication ticket (cookie), and then redirects the user to the logon page.
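Code-behind for the Logon_Click handler from step 5 and for the Sign Out button of Default.aspx, added here as an example rather than taken from the article's sample. It validates against the credentials section of the forms element in web.config through FormsAuthentication.Authenticate instead of the article's hard-coded comparison; the control IDs UserName, Pass and Persist come from the steps above, while Msg, Welcome and SignOut_Click are assumed names.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Logon.aspx.cs: controls UserName, Pass, Persist (from the steps above) and Msg (assumed label).
public partial class Logon : Page
{
    protected void Logon_Click(object sender, EventArgs e)
    {
        // Compares the submitted pair with the <credentials> list under <forms> in web.config;
        // when passwordFormat="SHA1" is configured the password is hashed before comparison.
        if (FormsAuthentication.Authenticate(UserName.Text, Pass.Text))
        {
            // Issues the ticket cookie (named by the forms "name" attribute), persistent only
            // when the Remember Me box is checked, then redirects to the originally requested
            // page (ReturnUrl) or to defaultUrl when none was requested.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, Persist.Checked);
        }
        else
        {
            // One generic message: do not reveal whether the user name or the password was wrong.
            Msg.Text = "Invalid user name or password.";
        }
    }
}

// Default.aspx.cs: reached only with a valid ticket because of <deny users="?" />.
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // After the module validated the ticket, User.Identity is the FormsIdentity
        // built from it; Name is the user name passed to RedirectFromLoginPage.
        Welcome.Text = "Hello, " + User.Identity.Name;   // Welcome: assumed label
    }

    protected void SignOut_Click(object sender, EventArgs e)
    {
        // Clears the ticket cookie from the response, then sends the user back to loginUrl.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```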



Conclusion:
This article described how forms authentication works in ASP.NET 2.0 and discussed the forms authentication process in detail. It further discussed the membership and login controls and explained the implementation of forms authentication with the help of an example.
