How to Implement Forms Authentication Provider in .NET

.NET supports three different authentication providers namely Windows Authentication Provider, Forms Authentication Provider and Passport Authentication Provider. Out of these three providers, Forms Authentication Provider provides more freedom to the developers. Windows Authentication and Passport Authentication have predefined set of users and login controls available.

Only those credentials can be used and no additional User related details can be recorded. But when using Forms Authentication Provider, you are the Owner. You can design your own screen, add as many User specific details you require and you can store User credentials either in a file or database or any other storage media as you prefer. Moreover, Forms Authentication Provider works with any browser without including any additional browser specific code in your application.

After reading this step-by-step procedure below, you will be confident enough in implementing Forms Authentication Provider in your application.

Configure Forms Authentication in Your Application

How will your application know which Authentication Provider to use? This is based on an entry in web.config file. If your application uses Forms Authentication Provider, then web.config file should include:

<authentication mode=”Forms”></authentication>

Within this authentication tag, you can specify form configuration options which will in turn override the default settings of machine.config file. Few such configuration options are mentioned below:

<authentication mode=”Forms”>
<forms name=”FormAuthenticationCookie”

Configure IIS to Permit Anonymous Users

Ensure that IIS permits anonymous users who are then validated based on the user credentials they enter in your login page.

Restrict Anonymous Users in Your Application

Since anonymous users are permitted by IIS, if they are not restricted in your application then security cannot be ensured. Hence, deny access to anonymous users and redirect them to the login page you have created. If they have valid credentials, then their cookie will be generated and they can access the requested page. You can deny access to anonymous users by including the following lines inside <system.web> of web.config file:

<deny users=”?”>

The wild card character “?” will recognize all anonymous users and deny access to them.

Create Login Screen

Anonymous User will now be redirected to the Login Screen you have created. While designing login screen use validation controls to ensure validity of user credentials. For example, use validation controls to ensure that user enters only characters A to Z, a to z, numerals 0 to 9 in txtUser textbox.

Write Authentication Code for Login

Assume that you have two textboxes txtUser, txtPwd and a button named LoginButton in your login screen. Write the following piece of code inside the click event of LoginButton.

Page.Validate( );
bool isLoginAuthenticated = FormsAuthentication.Authenticate(txtUser.Text, txtPwd.Text);
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
{“Invalid User Credentials”);

This block of code will validate the user. If the User credentials are valid then the User is redirected to the requested page. If not, appropriate error message is thrown. If the first two lines of code are not included then validation will not happen if javascript is not enabled or supported by your browser. Authenticate method returns true if the user credentials are valid. RedirectFromLoginPage creates the cookie, associates it with the HTTPResponse and redirects the User to the requested page.

The cookie that gets created can either be persistent or non-persistent. Non-persistent cookies are removed when user closes your application browser or wheen timeout occurs. Persistent Cookies will maintain user information across multiple visits. The above example creates a non-perssistent cookie. To create persistent cookie, the second argument of the method RedirectFromLoginPage must be set to true:
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, true);

Store User Credentials

You can store User credentials in web.config file or in a database. If your application has more number of users and additional information about the User has to be maintained, then database storage will be the right solution. Moreover, when data is stored in web.config file, it is not secure. The above example (Login Button’s click event code) assumes that User Credentials are stored in web.config file.

Write Code for Logout Operation

When you are using Forms Authentication, logout can happen using a single line of code: FormsAuthentication.SignOut(). Include this line inside the click event of logout button. Non-persistent cookies expire when timeout reaches or when the browser is closed. But persistent cookies expire only when this method is called.

The advantage of Form Authentication discussed earlier in this article is its disadvantage as well. Other providers have a predefined login module but here you have to develop one. Though this is advantageous, you have additional work compared to using other providers.

The additional work is in terms of developing of your own login module and ensuring security of data across networks and while storage. However, this work overhead can be reduced to an extent by using Membership API which provides a pre-defined login module along with the storage facility in SQL Server. Consider this work overhead when you are making decision on using Forms Authentication Provider for your application.

| Understanding ASP.NET Page Lifecycle | Exploring Different Stages of Memory Management in .NET | How to Implement Forms Authentication Provider in .NET | How to Implement Toolbox Support in .NET? | How to Read and Write Files with Streams in ASP.NET? | How to Use a Custom Web Control in VS.NET? | Implementing .NET Passport Authentication in Web Applications Using Passport Authentication Provider | Using Atlas Architecture in ASP.NET |


“Amazon and the Amazon logo are trademarks of, Inc. or its affiliates.”

| Privacy Policy for | Disclosure | Contact |

Copyright - © 2004 - 2024 - All Rights Reserved.