Forms-based authentication is an ASP+ authentication service that allows applications to provide their own login UI and do their own credential verification. ASP+ handles authenticating users, redirecting unauthenticated users to the login page, and all the necessary cookie management. This sort of authentication is a popular technique, used by many web sites.
<p>
In order to use forms-based authentication, an application has to be configured to use this authentication scheme. This is done by setting the mode attribute of the <authentication> element to "Cookie" and denying access to anonymous users, as the following example shows (this goes in the config.web file for the desired application):
<div class="code"><xmp>
<configuration>
  <security>
    <authentication mode="Cookie"/>
    <authorization>
      <deny users="?" />
    </authorization>
  </security>
</configuration>
</xmp></div>
<p>
Forms-based authentication allows administrators to configure the name of the cookie to use, the key with which to encrypt it, and the URL of the login page. The following table shows the valid attributes of the <cookie> element, which is a subelement of the <authentication> element.
<td>This specifies the key used to encrypt and decrypt the authentication cookies. If this value is omitted or set to "autogenerate", ASP+ uses a machine-specific key obtained from the Crypto APIs. Because an autogenerated key is specific to the machine that generated it, cookies issued under such a key cannot be used across a web farm. If web farm or multi-machine support is desired, administrators need to supply the same key on every machine, and that key is stored in cleartext in config.web. Since anyone holding the key can produce cookies that ASP+ will accept, read access to config.web must be restricted accordingly.</td>
</tr>
<tr>
<td>loginurl</td>
<td>The login URL to which unauthenticated users are redirected. This can be on the same machine or on a remote one. If it's on a remote machine, both machines need to use the same value for the decryptionkey attribute, otherwise the cookie issued by the login machine cannot be decrypted by the application machine.</td>
</tr>
<tr>
<td>cookie</td>
<td>The name of the HTTP cookie to use for authentication purposes. To avoid casing dependencies in URLs, ASP+ uses '/' as the Path value when setting authentication cookies, so the cookie is sent back to every application on the site. Consequently, if more than one application on a single machine uses forms-based authentication, each should configure a unique cookie name, so that one application's cookie is not presented to, and possibly accepted by, another.</td>
</tr>
</table>
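As an added example (not taken from the original page), the following config.web puts the three attributes from the table above into a <cookie> element under <authentication>, alongside the authorization rule from the earlier example. The cookie name "MyAppAuth", the login page name "login.aspx" and the key value are placeholders chosen for this example; the page does not specify the format of a decryptionkey value, so substitute whatever key your ASP+ build expects and keep the same value on every machine in a farm.

```xml
<!-- Added example config.web; element placement follows the table on this page. -->
<configuration>
  <security>
    <authentication mode="Cookie">
      <!-- cookie: unique per application, because the cookie Path is '/'
           and every application on the host receives it.
           loginurl: where unauthenticated requests are redirected.
           decryptionkey: placeholder value; stored in cleartext here, so
           restrict read access to this file. Omitting it (or using
           "autogenerate") yields a machine-specific key that breaks
           web-farm deployments. -->
      <cookie cookie="MyAppAuth"
              loginurl="login.aspx"
              decryptionkey="REPLACE-WITH-SHARED-KEY-FOR-ALL-FARM-MACHINES" />
    </authentication>
    <authorization>
      <!-- "?" denotes anonymous users; they are sent to loginurl. -->
      <deny users="?" />
    </authorization>
  </security>
</configuration>
```

If you run a single machine and do not need cookies to survive across servers, leaving decryptionkey out is the safer choice, since no shared secret then sits in the file.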
<p>
After the application has been configured, a login page needs to be provided. The following example shows a simple login page. When the sample is run, it requests the default.aspx page. Unauthenticated requests are redirected to the login page (login.aspx), which presents a simple form that prompts for an email address and a password (use Username="jdoe@somewhere.com" and Password="password" as credentials).
After validating the credentials, the application calls the following:
This redirects the user back to the URL they originally requested. Applications that don't wish to perform the redirection can call either <b>CookieAuthentication.GetAuthCookie</b> to retrieve the cookie value or <b>CookieAuthentication.SetAuthCookie</b> to attach a properly encrypted cookie to the outgoing response. These techniques are useful for applications that wish to provide login UI embedded in a containing page, or that wish to have more control over where users are redirected. Authentication cookies can be either temporary or permanent. Temporary cookies last only for the duration of the current browser session (when the browser is closed, the cookie is lost). Permanent cookies are saved by the browser and are sent back across browser sessions unless explicitly deleted by the user, so a permanent cookie on a shared machine keeps the user logged in for whoever uses the browser next.
The authentication cookie used by forms authentication is a linearized (serialized) <b>System.Web.Security.CookieAuthenticationTicket</b>. The ticket contains the user name (but not the password), the version of forms authentication used, the date the cookie was issued, and a field for optional application-specific data.
<p>
Application code can revoke/remove authentication cookies using the <b>CookieAuthentication.SignOut</b> method. This removes the authentication cookie regardless of whether it's a temporary or permanent cookie.
<p>
It's also possible to supply the forms-based authentication services with a list of valid credentials through configuration.
The application can then call <b>CookieAuthenticationManager.Authenticate</b>, supplying the username and password, and ASP+ performs the credential verification against the configured list. Credentials can be stored in cleartext, or as SHA1 or MD5 hashes, according to the following values of the passwordformat attribute.