Dreamweaver Article

Other Forms Authentication Topics
Here's some practical information about forms authentication. The following guidelines are not required for forms-based authentication but you might find the topics handy when implementing your own schemes.

Storing role information in a database.  Role information in our example is defined in login.aspx and managerLogin.aspx. You could just as easily store this information in a database and retrieve it when you verify the user's login credentials. You'll need to modify DataSet slightly, as shown in Listing 7.

When you create the ticket you get the role information from DataSet instead of hard-coding a string:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
   1,    // version
   Request.Form["emailaddr"],   // get username/e-mail address from the form
   DateTime.Now,                // issue time
   DateTime.Now.AddMinutes(30), // expires in 30 minutes
   false,    // not persistent
   DS_uidAndPwd.FieldValue("roles", null)   // role assignment read from the DataSet;
                                            // called as a plain C# expression here,
                                            // not wrapped in <%# %> binding delimiters
);

Signing out.  Regardless of how you set up the logout functionality—with an input tag type=image or Submit button or whatever—you'll need to use the FormsAuthentication class's SignOut method:

FormsAuthentication.SignOut();

This method removes both the ticket and cookie (durable or session, it doesn't matter).

Determining if the user is already logged in.  You'll often want to know whether or not the user is already logged in—on the login page, for example. If the user is already logged in you don't want to display the login page again. Better to detect that the user is logged in and then automatically redirect away from the login page or display something besides the login form. Use the HttpRequest.IsAuthenticated property to determine if the user is logged in and then get the user's role from FormsAuthenticationTicket:

if (Request.IsAuthenticated)
{
   // User is already authenticated. Now get the user's role info from the ticket.
   HttpCookie authCookie = Request.Cookies["SECAUTH"];
   if (authCookie != null)   // guard against a missing cookie before reading .Value
   {
      FormsAuthenticationTicket ticket =
         FormsAuthentication.Decrypt(authCookie.Value);
      if (ticket.UserData == "manager")
      {
         // Logged in user has the manager role, redirect as appropriate
      }

      if (ticket.UserData == "member")
      {
         // Logged in user has the member role, redirect as appropriate
      }
   }
}
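As an added example that is not the article's own code, the following C# helper ties the three topics together for a login page's Page_Load: it issues a ticket whose UserData carries the role (a role string standing in for the DataSet lookup), reads the role back on a later request, and chooses the redirect the text describes. The cookie name SECAUTH comes from the article; the class name, the handling of decrypt failures and the two target paths are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the article or Dreamweaver) for a forms-auth login page.
public static class RoleAuthHelper
{
    const string CookieName = "SECAUTH";   // cookie name used in the article

    // Issue a ticket whose UserData holds the role, e.g. the value read from the DB.
    public static HttpCookie IssueTicket(string userName, string role)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, role, FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                       // keep the ticket away from client script
        cookie.Secure = FormsAuthentication.RequireSSL; // honour the requireSSL setting
        return cookie;
    }

    // Returns the role from a valid ticket, or null when no usable ticket is present.
    public static string RoleFromRequest(HttpRequest request)
    {
        if (!request.IsAuthenticated) return null;
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)   // tampered, truncated or otherwise unreadable ticket
        {
            return null;
        }
        if (ticket == null || ticket.Expired) return null;   // treat an expired ticket as absent
        return ticket.UserData;
    }

    // Redirect target for a user who is already signed in and visits managerLogin.aspx.
    // Paths are assumed; the article only says "manager folder index" and "home page".
    public static string RedirectFor(string role)
    {
        if (role == "manager") return "~/manager/index.aspx";
        if (role == "member") return "~/default.aspx";
        return null;   // unknown or missing role: show the login form
    }
}
```

In Page_Load, call RoleFromRequest(Request), pass the result to RedirectFor, and Response.Redirect only when it returns a path.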

You will undoubtedly find these topics useful when you implement your own forms-based authentication schemes.

Storing role information in a database is much more convenient if you plan to create several different kinds of roles or if they may change in the future.

Knowing that the FormsAuthentication object has a SignOut method saves you time because you don't have to write the code yourself to destroy the FormsAuthenticationTicket and cookie.

Detecting that a user is already logged in is quite handy. When the user visits the login page after already having logged in, you can display other useful information or simply redirect the user away from the login page. If you are implementing an authentication scheme with multiple roles, you can ascertain what role the logged-in user has and take appropriate action.

For example, the Page_Load function in managerLogin.aspx (see Listing 5) redirects the logged-in user to a different page based on the role of the user. If the user has the manager role, the index page in the manager folder appears; if the user has the member role, the website's home page appears. I wrote the login procedure in managerLogin.aspx this way because I figured if the user is logged in as a member, he or she has no business trying to log in as the manager—so why display the manager's login page? Of course, this means that if the manager happens to be logged in as a member, he or she first has to log out and then log in on the manager's login page. But this seemed like a good security measure anyway.
