Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon interface and to perform custom credential verification. With forms authentication, ASP.NET authenticates the users and redirects unauthenticated users to the logon page that is specified by the loginUrl attribute of the <forms> element in the Web.config file. When you provide credentials through the logon form, the application authenticates the request, and then the system issues a FormsAuthenticationTicket in the form of a cookie. The FormsAuthenticationTicket is passed as a cookie in response to subsequent Web requests from the authenticated client.
Although forms authentication provides a flexible means of authentication, you must carefully consider some important issues when you help secure an ASP.NET application. You must help protect the initial logon credentials by using SSL because the credentials are sent to the server as plaintext. You must also make sure that you help protect the cookie that contains the forms authentication ticket. To do this, use SSL on all the pages to help protect the ticket. Alternatively, you can encrypt the forms authentication ticket by setting the protection attribute of the <forms> element to All or to Encrypt in the Web.config file, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket. For more information about the Encrypt method of the FormsAuthentication class, see the "Use the Encrypt Method of the FormsAuthentication Class" section of this article.
Advantages of Forms Authentication
- Forms authentication supports authentication against a custom data store, such as a Microsoft SQL Server database or Active Directory directory services. For more information, see the "REFERENCES" section of this article.
- Forms authentication supports role-based authorization with role lookup from a data store.
- Forms authentication is smoothly integrated with the Web user interface. For more information, see the "REFERENCES" section of this article.
- ASP.NET provides much of the infrastructure. Relatively little code is required in comparison to Microsoft Active Server Pages versions 3.0 and earlier.
- ASP.NET forms authentication does not require Microsoft Internet Explorer. Forms authentication supports a wide range of Web browser clients.
How to Help Make Forms Authentication Secure
- Use SSL for all pages.
- Use the Encrypt method of the FormsAuthentication class.
Use SSL for All Pages
Help make sure that the authentication cookie remains secure throughout a client browser session by using SSL encryption to help secure access to all pages. By using SSL encryption on the whole application, you help prevent anyone from intercepting the authentication cookie or other valuable information in transit.
Set the value of the requireSSL attribute to true in the Web.config file. This makes ASP.NET require SSL when the cookie is sent back to the browser. If you do not set the value of requireSSL to true, the cookie can be issued and returned over an unencrypted connection; when requireSSL is true and the request is not made over SSL, the form throws an exception or does not authenticate with the cookie.
When requireSSL is set to true, the encrypted connection helps protect the credentials of the user, and ASP.NET sets the HttpCookie.Secure property for the authentication cookie. A compliant browser does not return the cookie unless the connection uses SSL. The following example shows how to do this in the Web.config file for your application:
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH"
                 loginUrl="login.aspx"
                 protection="All"
                 timeout="20"
                 requireSSL="true">
          </forms>
        </authentication>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>
The following example takes action if the cookie is set to transmit securely:

Visual C# .NET Code

    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie MyCookie = Context.Request.Cookies[cookieName];
    // The cookie is absent until the user has authenticated.
    if (MyCookie != null && MyCookie.Secure)
    {
        Response.Write("The cookie is secure with SSL.");
        // Add other required code here.
    }

Visual Basic .NET Code

    Dim cookieName As String = FormsAuthentication.FormsCookieName
    Dim MyCookie As HttpCookie = Context.Request.Cookies(cookieName)
    ' The cookie is absent until the user has authenticated.
    If Not MyCookie Is Nothing AndAlso MyCookie.Secure Then
        Response.Write("The cookie is secure with SSL.")
        ' Add other required code here.
    End If
Use the Encrypt Method of the FormsAuthentication Class
If you only use SSL on the initial logon Web page to encrypt the credentials that are passed for authentication, make sure that the forms authentication ticket that is contained in a cookie is protected. The forms authentication ticket must be protected because the cookie is passed between the client and the server on each subsequent Web request. To encrypt the forms authentication ticket, configure the protection attribute of the <forms> element, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket.
    <authentication mode="Forms">
      <forms name="MyAppFormsAuth"
             loginUrl="login.aspx"
             protection="All"
             timeout="20"
             path="/" >
      </forms>
    </authentication>
Because the protection attribute is set to All, when the application calls the FormsAuthentication.Encrypt method, the ticket is both encrypted and protected by a validation code (MAC), so a ticket that is read, altered, or replaced in transit is rejected when it is decrypted.
Call the Encrypt method when you create the forms authentication ticket. You typically create the ticket in the Login event handler of the application.

Visual C# .NET Code

    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

Visual Basic .NET Code

    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
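The following helper, added here as an example and not code from the original article, carries the two sections above through: it creates the ticket, encrypts it with FormsAuthentication.Encrypt, issues the cookie with the Secure flag that requireSSL implies, and reads the ticket back on a later request. Placing a roles string in UserData and setting HttpOnly on the cookie are assumptions of this example, not settings the article discusses.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class FormsTicketHelper
{
    // Call from the Login event handler after the credentials have been verified
    // against the application's own store, e.g.:
    //   Response.Cookies.Add(FormsTicketHelper.IssueTicket(userName, "Users", false));
    //   Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    public static HttpCookie IssueTicket(string userName, string roles, bool persistent)
    {
        // Assumption: roles travel in UserData; Encrypt protects them together
        // with the rest of the ticket because protection="All" in Web.config.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            persistent, roles, FormsAuthentication.FormsCookiePath);

        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                           // assumption: keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;   // mirrors requireSSL="true"
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }

    // On a subsequent request: decrypt and validate the ticket carried by the cookie.
    // Returns null when the cookie is missing, fails validation, or has expired.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        FormsAuthenticationTicket ticket;
        try
        {
            // With protection="All", Decrypt checks the MAC before decrypting and
            // returns null for a ticket that fails validation; a malformed value may throw.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }
        return (ticket == null || ticket.Expired) ? null : ticket;
    }
}
```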