How to Implement Forms Authentication Provider in .NET
.NET supports three authentication providers, namely the Windows Authentication Provider, the Forms Authentication Provider and the Passport Authentication Provider. Of these three, the Forms Authentication Provider gives developers the most freedom. Windows Authentication and Passport Authentication come with a predefined set of users and login controls.
Only those credentials can be used and no additional user-related details can be recorded. With the Forms Authentication Provider, however, you are the owner: you can design your own login screen, add as many user-specific details as you require and store user credentials in a file, a database or any other storage medium you prefer. Moreover, the Forms Authentication Provider works with any browser without requiring any browser-specific code in your application.
After reading the step-by-step procedure below, you will be able to implement the Forms Authentication Provider in your own application.
Configure Forms Authentication in Your Application
How will your application know which authentication provider to use? This is determined by an entry in the web.config file. If your application uses the Forms Authentication Provider, then the web.config file should include:
Within this authentication tag, you can specify forms configuration options which in turn override the default settings of the machine.config file. A few such configuration options are mentioned below:
Configure IIS to Permit Anonymous Users
Ensure that IIS permits anonymous users; they are then validated by your application based on the credentials they enter in your login page.
Restrict Anonymous Users in Your Application
Since anonymous users are permitted by IIS, security cannot be ensured unless your application restricts them. Hence, deny access to anonymous users and redirect them to the login page you have created. If they present valid credentials, an authentication cookie is generated for them and they can access the requested page. You can deny access to anonymous users by including the following lines inside <system.web> of the web.config file:
The wildcard character ? matches all anonymous users and denies them access.
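The two web.config sections described above, the authentication tag with its forms options and the authorization rule for anonymous users, combined in one fragment. This is an added example rather than the article's own listing; the login page name Login.aspx and the option values are assumptions.

```xml
<configuration>
  <system.web>
    <!-- Select the Forms Authentication Provider. Attributes of the forms
         element override the defaults inherited from machine.config. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
      <!-- protection="All": the cookie is both encrypted and signed, so its
           contents cannot be read or altered by the browser.
           requireSSL="true": the cookie is marked Secure and is only sent
           over HTTPS, which keeps it off the wire in clear text.
           timeout is in minutes; with slidingExpiration="false" the cookie
           expires 30 minutes after login regardless of activity. -->
    </authentication>

    <!-- "?" matches every unauthenticated (anonymous) user. Denying them
         here makes ASP.NET redirect such requests to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Users that are denied here are sent to Login.aspx with the originally requested page carried in the ReturnUrl query parameter, which is what RedirectFromLoginPage later uses.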
Create Login Screen
Anonymous users will now be redirected to the login screen you have created. While designing the login screen, use validation controls to check the format of the user credentials. For example, use validation controls to ensure that the user enters only the characters A to Z, a to z and the numerals 0 to 9 in the txtUser textbox.
Write Authentication Code for Login
Assume that you have two textboxes, txtUser and txtPwd, and a button named LoginButton on your login screen. Write the following piece of code inside the click event of LoginButton.
The cookie that gets created can be either persistent or non-persistent. Non-persistent cookies are removed when the user closes the browser or when the timeout occurs. Persistent cookies maintain the user information across multiple visits. The above example creates a non-persistent cookie. To create a persistent cookie, the second argument of the method RedirectFromLoginPage must be set to true:
Store User Credentials
You can store user credentials in the web.config file or in a database. If your application has a large number of users, or additional information about each user has to be maintained, then database storage is the right solution. Moreover, data stored in the web.config file is not secure. The above example (the LoginButton click event code) assumes that the user credentials are stored in the web.config file.
Write Code for Logout Operation
When you are using Forms Authentication, logout takes a single line of code: FormsAuthentication.SignOut(). Include this line inside the click event of the logout button. Non-persistent cookies expire when the timeout is reached or when the browser is closed. But persistent cookies expire only when this method is called.
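The LoginButton click handler described above (credentials checked against web.config, then RedirectFromLoginPage with the persistent-cookie flag) together with the logout handler, as an added example that is not the article's own listing. It assumes a checkbox chkPersist and a label lblMessage on the login page, a LogoutButton on another page, and a <credentials> section in web.config for FormsAuthentication.Authenticate to read.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for Login.aspx. Control names txtUser, txtPwd, chkPersist,
// lblMessage and LoginButton are assumed for this example.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The validation controls on the page run first; refuse to continue
        // if any of them (e.g. the A-Z/a-z/0-9 rule on txtUser) failed.
        if (!Page.IsValid)
            return;

        // Compare the submitted credentials with the <credentials> section of
        // web.config. Authenticate() hashes the password according to the
        // configured passwordFormat before comparing.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPwd.Text))
        {
            // Issues the forms authentication cookie and redirects to the page
            // named in ReturnUrl (or defaultUrl). The second argument selects a
            // persistent cookie when true, a browser-session cookie when false.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersist.Checked);
        }
        else
        {
            // One message for both unknown user and wrong password, so the
            // login form does not reveal which user names exist.
            lblMessage.Text = "Invalid user name or password.";
        }
    }
}

// Code-behind for the page that carries the LogoutButton (name assumed).
public partial class Logout : Page
{
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Removes the forms authentication cookie, persistent or not.
        FormsAuthentication.SignOut();
        // Drop server-side session state tied to the user as well.
        Session.Abandon();
        // Send the user back to the login page configured in web.config.
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```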
The advantage of Forms Authentication discussed earlier in this article is its disadvantage as well. Other providers have a predefined login module, but here you have to develop one. Though this gives you flexibility, it means additional work compared to using the other providers.
The additional work consists of developing your own login module and ensuring the security of the data both across the network and in storage. However, this overhead can be reduced to an extent by using the Membership API, which provides a predefined login module along with a storage facility in SQL Server. Consider this overhead when deciding whether to use the Forms Authentication Provider for your application.