4 February 2014

Forms Authentication

Forms authentication uses an authentication ticket that is created when a user logs on to a site and then tracks the user throughout the site. The forms authentication ticket is usually carried in a cookie.

ASP.NET 2.0 also supports cookieless forms authentication, in which the ticket is passed in the query string instead. If a user requests a page that requires authenticated access and has not previously logged on to the site, the user is redirected to a configured logon page.

The logon page prompts the user for credentials, typically a user name and password. These credentials are posted to the server and validated against a user store, such as a SQL Server database.

In ASP.NET 2.0, access to the user store can be handled by a membership provider. After the user's credentials are authenticated, the user is redirected to the originally requested page. Forms authentication processing is handled by the FormsAuthenticationModule class, an HTTP module that participates in the regular ASP.NET page processing cycle.
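
The logon flow described above, written as the code-behind of the configured logon page. This is an added example, not code from the original page or from Microsoft; it assumes a Login.aspx with TextBox controls named UserName and Password, a Literal named ErrorMessage, and a Button whose Click event is wired to LoginButton_Click. The IsLocalUrl helper is the example's own: the return URL the module appends as ReturnUrl is validated explicitly before the redirect rather than relying on framework behaviour, so a crafted link to the logon page cannot turn it into an open redirect.

```csharp
// Login.aspx.cs (added example). Assumes TextBox controls UserName and
// Password, a Literal ErrorMessage and a Button wired to LoginButton_Click.
// Uses the ASP.NET 2.0 Membership and FormsAuthentication APIs.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Step 1: validate the credentials against the configured membership
        // provider (for example SqlMembershipProvider backed by SQL Server).
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // One generic message for unknown user and wrong password alike,
            // so the logon page does not reveal which accounts exist.
            ErrorMessage.Text = "Invalid user name or password.";
            return;
        }

        // Step 2: issue the forms authentication ticket. The cookie is
        // encrypted and signed according to the <forms protection> setting;
        // createPersistentCookie=false makes it a session cookie.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Step 3: send the user back to the originally requested page.
        // GetRedirectUrl returns the ReturnUrl query-string value the module
        // appended (or defaultUrl when there is none). Validate it before use.
        string returnUrl = FormsAuthentication.GetRedirectUrl(UserName.Text, false);
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = FormsAuthentication.DefaultUrl;   // defaultUrl attribute
        }
        Response.Redirect(returnUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Example helper (not a framework API): accept only application-relative
    // paths. "//evil.example" and "/\evil.example" are protocol-relative URLs
    // that browsers treat as absolute, so they are rejected together with
    // anything that carries a scheme.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("//") || url.StartsWith("/\\")) return false;
        return url.StartsWith("/") || url.StartsWith("~/");
    }
}
```

Because SetAuthCookie and GetRedirectUrl are called separately here instead of FormsAuthentication.RedirectFromLoginPage, the page keeps control of the redirect target; the rest of the behaviour (cookie name, protection, timeout) still comes from the forms element in Web.config.
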
      

IIS Authentication

ASP.NET authentication is a two-step process. First, Internet Information Services (IIS) authenticates the user and creates a Windows token to represent the user. IIS determines the authentication mode to use for a particular application from its metabase settings (IIS 6; IIS 7 and later keep these settings in applicationHost.config).

If IIS is configured to use anonymous authentication, a token for the anonymous user account (IUSR_MACHINE, where MACHINE is the server name; IIS 7 and later use the built-in IUSR account) is generated and used to represent the anonymous user. IIS then passes the token to ASP.NET, which performs the second step using the authentication module selected in configuration.

The authentication method used by ASP.NET is specified by the mode attribute of the authentication element in Web.config. The following configuration specifies that ASP.NET uses the FormsAuthenticationModule class:

<authentication mode="Forms" />
 
Note: Because forms authentication does not rely on IIS authentication, configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application. IIS then passes every request through, and forms authentication identifies the user from the ticket.

Configuring Forms Authentication

The default attribute values for forms authentication are shown in the following configuration-file fragment. Attribute names in Web.config are case-sensitive and must be written exactly as shown (for example slidingExpiration, not Sliding Expiration); a misspelled attribute is a configuration error, not a silently ignored setting.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>

Description of the attributes used in the above snippet
 
·         loginUrl: points to your application's custom logon page. Place the logon page in a folder that requires Secure Sockets Layer (SSL), so that the credentials are protected while they travel from the browser to the Web server.

·         protection: set to All to specify both privacy and integrity for the forms authentication ticket. The ticket is encrypted using the algorithm specified on the machineKey element and signed using the hashing algorithm also specified there; a ticket whose signature does not verify is rejected, which is what stops a client from editing its own ticket. The other values (Encryption, Validation, None) drop one or both protections and are not recommended.

·         timeout: specifies a limited lifetime for the forms authentication session, in minutes. The default value is 30. If a persistent forms authentication cookie is issued, the timeout attribute also sets the lifetime of the persistent cookie.

·         name and path: the name of the authentication cookie (.ASPXAUTH) and the path for which it is issued (/). Leave path at / unless each application on the server needs its own cookie; browsers match cookie paths case-sensitively, so a narrower path can cause the cookie not to be sent back.

·         requireSSL: set to false, which means the authentication cookie can be transmitted over channels that are not SSL-encrypted and can be captured by anyone on the network path. If you are concerned about session hijacking, set it to true: the cookie is then issued with the Secure flag, FormsAuthentication refuses to issue it on a non-SSL request, and a forms cookie arriving over plain HTTP is ignored.

·         slidingExpiration: set to true to enforce a sliding session lifetime, meaning the timeout is reset as long as the user stays active on the site (the ticket is reissued when a request arrives after more than half of its lifetime has elapsed). With sliding expiration a stolen cookie stays valid for as long as the attacker keeps using it; set it to false if you need an absolute session lifetime.

·         defaultUrl: set to the Default.aspx page for the application; users are sent there after logging on when no return URL was supplied.

·         cookieless: set to UseDeviceProfile to specify that the application use cookies for all browsers that support cookies. If a browser that does not support cookies accesses the site, forms authentication packages the authentication ticket in the URL. A ticket in the URL is exposed in server logs, browser history and Referer headers, and a link containing it can be shared, so set cookieless="UseCookies" unless cookieless clients must be supported.

·         enableCrossAppRedirects: set to false to indicate that forms authentication does not accept tickets passed between applications on the query string or as part of a form POST. Leave it false unless applications deliberately share a machineKey and tickets.
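
The following C# helper is an added example, not code from the original page or from Microsoft. It makes the effect of the attributes above visible at the API level: FormsAuthentication.Encrypt applies the protection setting and the machineKey, the ticket and cookie lifetime come from the timeout value (passed in as a parameter and assumed to be 30, the default, because the FormsAuthentication.Timeout property only exists from .NET 4.5), requireSSL controls the Secure flag and whether a ticket may be issued or accepted on a plain HTTP request, and slidingExpiration renewal uses FormsAuthentication.RenewTicketIfOld. FormsAuthenticationModule does all of this for you on a normal request; the helper is for the cases where you build the ticket yourself, for example to carry a role list in userData as the example assumes.

```csharp
// Added example (not the page's or Microsoft's code). Shows what the <forms>
// attributes mean when a ticket is built and read by hand.
using System;
using System.Web;
using System.Web.Security;

public static class FormsTicketHelper
{
    // Issue a ticket carrying a comma-separated role list in userData.
    // timeoutMinutes must match the timeout attribute (assumed 30 here).
    public static HttpCookie Issue(HttpRequest request, string userName,
                                   string roles, bool persistent, int timeoutMinutes)
    {
        // Same rule the runtime applies: with requireSSL="true" a ticket is
        // never issued over a plain HTTP connection.
        if (FormsAuthentication.RequireSSL && !request.IsSecureConnection)
            throw new HttpException("Cannot issue a secure cookie over a non-SSL connection.");

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            2, userName, now, now.AddMinutes(timeoutMinutes), persistent,
            roles ?? string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the protection setting: with "All" the ticket is
        // encrypted with the machineKey decryption key and signed with the
        // validation key, so editing the roles field is detected on Decrypt().
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                            // not readable from script
            Secure = FormsAuthentication.RequireSSL,    // sent only over HTTPS
            Path = FormsAuthentication.FormsCookiePath  // path attribute
        };
        // A persistent cookie lives as long as the ticket (timeout attribute);
        // a session cookie is discarded when the browser closes.
        if (persistent)
            cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Read and validate the ticket from an incoming request. Returns null when
    // the cookie is missing, fails decryption or the signature check, arrives
    // over HTTP while requireSSL is on, or has expired. When sliding expiration
    // renews the ticket, the cookie to send back is returned in 'renewed'.
    public static FormsAuthenticationTicket Read(HttpRequest request, out HttpCookie renewed)
    {
        renewed = null;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        if (FormsAuthentication.RequireSSL && !request.IsSecureConnection) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // Decrypt returns null or throws on a bad ticket
        if (ticket == null || ticket.Expired) return null;

        // Sliding expiration: RenewTicketIfOld returns a new ticket only when
        // more than half of the lifetime has elapsed, otherwise the same object.
        if (FormsAuthentication.SlidingExpiration)
        {
            FormsAuthenticationTicket fresh = FormsAuthentication.RenewTicketIfOld(ticket);
            if (!ReferenceEquals(fresh, ticket))
            {
                renewed = new HttpCookie(FormsAuthentication.FormsCookieName,
                                         FormsAuthentication.Encrypt(fresh))
                {
                    HttpOnly = true,
                    Secure = FormsAuthentication.RequireSSL,
                    Path = FormsAuthentication.FormsCookiePath
                };
                if (fresh.IsPersistent) renewed.Expires = fresh.Expiration;
                ticket = fresh;
            }
        }
        return ticket;
    }
}
```

Issue would typically be called from the logon page after Membership.ValidateUser succeeds, and Read from Application_AuthenticateRequest in Global.asax to turn ticket.UserData back into roles on the principal. The two requireSSL checks are deliberate: refusing to issue over HTTP protects the ticket at creation, and refusing to accept over HTTP means a cookie that has leaked still cannot be replayed on a downgraded channel.
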
