Authentication IN ASP .NET – Part 2
In our previous article we saw the different types of authentication methods available in ASP .NET and looked at two of them, namely "Windows" and "Passport". In this article we will go ahead and learn the most important and most widely used method: forms-based authentication.
Forms authentication uses a cookie to identify the user for the duration of his/her visit to the application. The idea is that when a user requests a page without being logged in, he/she is redirected to the login page. Let's understand this in a simpler way. Say you have Default.aspx as the default page of your application, you also have a login.aspx page, and you have enabled forms authentication in your web.config file.
When a user sends a request to your application, the application first checks for the authentication cookie. If the cookie is not set, the user is not logged in and is redirected to your login.aspx page. Once the user provides valid credentials, he/she is redirected to the page originally requested.
Attributes Involved in Web.Config
| Attribute | Description |
|---|---|
| name | Name of the cookie used for authentication. |
| path | Path used for the cookie. The default value is "/". |
| loginUrl | Page to which users are redirected when not logged in. |
| protection | Method used to protect the cookie data. The default value is "All". |
| timeout | Number of minutes before the cookie expires. |
In short, the web.config file should look like the snippet below once you have set up these parameters.
<authentication mode="Forms">
  <forms name=".ASPXFORMSDEMO" loginUrl="login.aspx" defaultUrl="default.aspx"
         protection="All" path="/" timeout="30" />
</authentication>
<authorization>
  <!-- "?" denies anonymous users; "*" then allows every authenticated user -->
  <deny users="?" />
  <allow users="*" />
</authorization>
This should enable forms authentication in your application. Once this is done you can move ahead and use the ASP .NET built-in authentication services to save and retrieve user credentials. I will explain how we can customize these methods and use a mixed-mode authentication in our application. Let's examine the code below, which shows how your login button method should look.
using System;
using System.Web;
using System.Web.Security;

// Click handler of the login button.
protected void btnLogin_Click(object sender, EventArgs e)
{
    string username = txtUsername.Text.Trim();
    // AuthenticateUser is your own data-access-layer method that validates the credentials.
    if (!AuthenticateUser(username, txtPassword.Text))
    {
        return; // stay on the login page; no cookie is issued
    }
    // Build our own ticket so the user-data slot can carry role information ("Admin").
    FormsAuthenticationTicket ticket1 = new FormsAuthenticationTicket(
        1, username, DateTime.Now, DateTime.Now.AddMinutes(10), false, "Admin");
    // Encrypt the ticket into the forms cookie. SetAuthCookie is not needed as well:
    // it would write a second cookie with the same name that this one then replaces.
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName,
                                        FormsAuthentication.Encrypt(ticket1));
    cookie1.HttpOnly = true;                          // not readable from client script
    cookie1.Secure = FormsAuthentication.RequireSSL;  // HTTPS only when requireSSL is set
    Response.Cookies.Set(cookie1);                    // Set replaces a cookie of the same name
    // Honour ReturnUrl only when it is a local path; otherwise fall back to the default page.
    string returnUrl1 = Request.QueryString["ReturnUrl"];
    if (string.IsNullOrEmpty(returnUrl1) || !returnUrl1.StartsWith("/") || returnUrl1.StartsWith("//"))
    {
        returnUrl1 = "Default.aspx";
    }
    Response.Redirect(returnUrl1);
}
The first thing I do is pass the username and password to a method in my data access layer, which tells me whether the user is authenticated. If so, I set a cookie containing the username so that the application remembers this user is authenticated. I also encrypt the ticket in the cookie, and only once the cookie has been set properly is the user redirected to the requested page or to the default page; a user who fails authentication stays on the login page. This is all you need for form-based authentication backed by your own custom user credential store.
To display a welcome message to the user on a subsequent page, we can always retrieve the username we stored while authenticating, using the line of code below.
lblusername.Text = HttpContext.Current.User.Identity.Name;
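The "Admin" string placed in the ticket's user-data slot during login is only useful if something turns it into roles on every request. As an added example that is not part of the original article, the Global.asax handler below rebuilds the current principal from the validated forms ticket so that User.IsInRole works; it assumes the user-data slot holds a comma-separated list of role names.

```csharp
// Global.asax.cs (added example; assumes userData is a comma-separated role list)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs once per request, after FormsAuthenticationModule has decrypted and
    // validated the forms cookie and attached a FormsIdentity to Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User != null
            ? Context.User.Identity as FormsIdentity
            : null;
        if (identity == null)
        {
            return; // anonymous request, or the cookie was missing/invalid
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired)
        {
            return; // never grant roles from a stale ticket
        }

        // UserData was set to "Admin" (or "Admin,Editor", etc.) in the login handler.
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Replace the principal so User.IsInRole("Admin") and
        // <authorization><allow roles="Admin"/></authorization> both work.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With this in place a page can test User.IsInRole("Admin") and web.config can use roles="..." in its authorization rules, with the role list coming from the encrypted ticket rather than from anything the client can edit.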
Thanks