ASP.NET Forms Authentication
ASP.NET forms authentication occurs after IIS authentication is completed. You can configure forms authentication with the forms element.
Forms Authentication Configuration
The default attribute values for forms authentication are shown in the following configuration-file fragment.

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>
The default attribute values are described below:

· loginUrl points to your application's custom logon page. You should place the logon page in a folder that requires Secure Sockets Layer (SSL). This helps ensure the integrity of the credentials when they are passed from the browser to the Web server.

· protection is set to All to specify privacy and integrity for the forms authentication ticket. This causes the authentication ticket to be encrypted using the algorithm specified on the machineKey element, and to be signed using the hashing algorithm that is also specified on the machineKey element.

· timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.

· name and path are set to the values defined in the application's configuration file.

· requireSSL is set to false. This configuration means that authentication cookies can be transmitted over channels that are not SSL-encrypted. If you are concerned about session hijacking, you should consider setting requireSSL to true.

· slidingExpiration is set to true to enforce a sliding session lifetime. This means that the session timeout is periodically reset as long as a user stays active on the site.

· defaultUrl is set to the Default.aspx page for the application.

· cookieless is set to UseDeviceProfile to specify that the application use cookies for all browsers that support cookies. If a browser that does not support cookies accesses the site, then forms authentication packages the authentication ticket on the URL.

· enableCrossAppRedirects is set to false to indicate that forms authentication does not support automatic processing of tickets that are passed between applications on the query string or as part of a form POST.
Authorization Configuration
In IIS, anonymous access is enabled for all applications that use forms authentication. The UrlAuthorizationModule class is used to help ensure that only authenticated users can access a page. You can configure UrlAuthorizationModule by using the authorization element as shown in the following example.

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

With this setting, all unauthenticated users are denied access to any page in your application. If an unauthenticated user tries to access a page, the forms authentication module redirects the user to the logon page specified by the loginUrl attribute of the forms element.
Forms Authentication Control Flow
Figure 1 shows the sequence of events that occur during forms authentication.

Figure 1. Forms authentication control flow
1. The user requests the Default.aspx file from your application's virtual directory. IIS allows the request because anonymous access is enabled in the IIS metabase. ASP.NET confirms that the authorization element includes a <deny users="?" /> tag.

2. The server looks for an authentication cookie. If it fails to find the authentication cookie, the user is redirected to the configured logon page (Login.aspx), as specified by the loginUrl attribute of the forms element. The user supplies and submits credentials through this form. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is as follows:

302 Found
Location: http://localhost/FormsAuthTest/login.aspx?RETURNURL=%2fFormAuthTest%2fDefault.aspx

3. The browser requests the Login.aspx page and includes the RETURNURL parameter in the query string.

4. The server returns the logon page and the 200 OK HTTP status code.

5. The user enters credentials on the logon page and posts the page, including the RETURNURL parameter from the query string, back to the server.

6. The server validates user credentials against a store, such as a SQL Server database or an Active Directory user store. Code in the logon page creates a cookie that contains a forms authentication ticket that is set for the session. In ASP.NET 2.0, the validation of user credentials can be performed by the membership system. The Membership class provides the ValidateUser method for this purpose, as shown here:
// Validate the submitted credentials against the configured membership provider.
if (Membership.ValidateUser(userName.Text, password.Text))
{
    if (Request.QueryString["ReturnUrl"] != null)
    {
        // Issue the forms authentication cookie (non-persistent) and
        // redirect back to the page the user originally requested.
        FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
    }
    else
    {
        // No return URL: issue the cookie only; the page decides where to go next.
        FormsAuthentication.SetAuthCookie(userName.Text, false);
    }
}
else
{
    Response.Write("Invalid UserID and Password");
}
Note: When using the Login Web server control, it automatically performs these steps for you. The preceding code is provided for context.

7. For the authenticated user, the server redirects the browser to the original URL that was specified in the query string by the RETURNURL parameter. The server HTTP reply is as follows:

302 Found
Location: http://localhost/TestSample/default.aspx

8. Following the redirection, the browser requests the Default.aspx page again. This request includes the forms authentication cookie.

9. The FormsAuthenticationModule class detects the forms authentication cookie and authenticates the user. After successful authentication, the FormsAuthenticationModule class populates the current User property, which is exposed by the HttpContext object, with information about the authenticated user.

10. Since the server has verified the authentication cookie, it grants access and returns the Default.aspx page.
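The following is an added Python model (not code from the page or from ASP.NET) of the decisions the flow above and the forms attributes imply: an anonymous request under <deny users="?" /> gets a 302 to loginUrl with the return URL, a valid ticket gets 200, an expired ticket is treated as anonymous, and slidingExpiration renews a ticket once less than half of timeout remains. It assumes the ticket has already been decrypted and signature-checked, uses a constructed clock in minutes, and models the hardened requireSSL="true" setting by refusing to honour a ticket presented over plain HTTP.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote

TIMEOUT_MIN = 30           # forms timeout="30"
SLIDING = True             # slidingExpiration="true"
REQUIRE_SSL = True         # hardened choice; the page's default is "false"
LOGIN_URL = "/FormsAuthTest/Login.aspx"   # loginUrl, constructed path


@dataclass
class Ticket:
    """Decoded .ASPXAUTH ticket (protection="All" already verified)."""
    name: str
    issued: int            # constructed clock, in minutes
    expires: int


@dataclass
class Request:
    path: str
    secure: bool           # True when the request arrived over SSL
    ticket: Optional[Ticket] = None


def issue_ticket(name: str, now: int) -> Ticket:
    """What the logon page does after Membership.ValidateUser succeeds."""
    return Ticket(name, now, now + TIMEOUT_MIN)


def authenticate(req: Request, now: int) -> Tuple[int, str, Optional[Ticket]]:
    """Model of FormsAuthenticationModule plus <deny users="?" />.

    Returns (status, location or served path, renewed ticket or None).
    """
    t = req.ticket
    # requireSSL: a ticket that arrives over a non-SSL channel is not honoured,
    # so a cookie leaked over plain HTTP buys nothing.
    if t is not None and REQUIRE_SSL and not req.secure:
        t = None
    if t is None or now >= t.expires:
        # Anonymous (or expired) user is denied: redirect to the logon page
        # and carry the originating page in the query string.
        return 302, f"{LOGIN_URL}?ReturnUrl={quote(req.path, safe='')}", None
    renewed = None
    if SLIDING and (t.expires - now) < TIMEOUT_MIN / 2:
        # Sliding expiration: reissue the ticket so the session stays alive
        # while the user is active, but never beyond a fresh timeout window.
        renewed = issue_ticket(t.name, now)
    return 200, req.path, renewed
```

With sliding expiration an idle session still dies after timeout minutes; only activity in the second half of the window extends it.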