Cookieless Forms Authentication
ASP.NET 2.0 supports cookieless forms authentication. This feature is controlled by the cookieless attribute of the forms element. This attribute can be set to one of the following four values:
· UseCookies. This value forces the FormsAuthenticationModule class to use cookies for transmitting the authentication ticket.
· UseUri. This value directs the FormsAuthenticationModule class to rewrite the URL for transmitting the authentication ticket.
· UseDeviceProfile. This value directs the FormsAuthenticationModule class to look at the browser capabilities. If the browser supports cookies, then cookies are used; otherwise, the URL is rewritten.
· AutoDetect. This value directs the FormsAuthenticationModule class to detect whether the browser supports cookies through a dynamic detection mechanism. If the detection logic indicates that cookies are not supported, then the URL is rewritten.
If your application is configured to
use cookieless forms authentication and the FormsAuthentication.RedirectFromLoginPage
method is being used, then the FormsAuthenticationModule class
automatically sets the forms authentication ticket in the URL. The
following code example shows what a typical URL looks like after it has been
rewritten:
http://localhost/CookielessFormsAuthTest/(F(-k9DcsrIY4CAW81Rbju8KRnJ5o_gOQe0I1E_jNJLYm74izyOJK8GWdfoebgePJTEws0Pci7fHgTOUFTJe9jvgA2))/Test.aspx
The section of the URL that is in
parentheses contains the data that the cookie would usually contain. This data
is removed by ASP.NET during request processing. This step is performed by the
ASP.NET ISAPI filter and not in an HttpModule class. If you read the Request.Path
property from an .aspx page, you won't see any of the extra information in the
URL. If you redirect the request, the URL will be rewritten automatically.
Note: It is not possible to secure authentication tickets contained in URLs. When security is paramount, you should use cookies to store authentication tickets.
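The two settings the note contrasts, as an added web.config example that is not part of the original post: the commented-out forms element puts the ticket in the URL path (the (F(...)) segment shown above), where it is exposed in browser history, bookmarks, proxy and web server logs and outbound Referer headers; the live element keeps the ticket in a cookie that is only sent over SSL. The loginUrl value and the 30-minute timeout are assumed values.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak setting: cookieless="UseUri" rewrites every URL to carry the
           ticket, e.g. /(F(...))/Test.aspx. The ticket then lands in history,
           logs and Referer headers and cannot be protected. Shown disabled. -->
      <!-- <forms loginUrl="Login.aspx" cookieless="UseUri" /> -->

      <!-- Hardened setting: the ticket stays in a cookie, the cookie is only
           issued and accepted over SSL, and the ticket is both encrypted and
           signed (protection="All"). Login.aspx and timeout are assumptions. -->
      <forms loginUrl="Login.aspx"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- Keep all cookies, including the forms ticket, out of client script
         and off plain HTTP connections. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" the FormsAuthenticationModule refuses to issue a ticket on a non-SSL request, so test the login page over https before deploying this setting.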
ASP.NET 2.0 introduces a
membership feature and set of login Web server controls that simplify the
implementation of applications that use forms authentication.
Membership provides credential
storage and management for application users. It also provides a membership API
that simplifies the task of validating user credentials when used with forms
authentication. The membership feature is built on top of a provider model.
This model allows implementing and configuring different providers pointing to
different user stores. ASP.NET 2.0 includes the following membership
providers:
· Active Directory membership provider. This provider uses either an Active Directory or Active Directory Application Mode (ADAM) user store.
· SQL Server membership provider. This provider uses a SQL Server user store.
You can also add support for custom
user stores. For example, you can add support for other Lightweight Directory
Access Protocol (LDAP) directories or other existing corporate identity stores.
To do so, create a custom provider that inherits from the MembershipProvider
abstract base class.
ASP.NET login controls automatically
use membership and forms authentication and encapsulate the logic required to
prompt users for credentials, validate users, recover or replace passwords, and
so on. In effect, the ASP.NET login controls provide a layer of abstraction
over forms authentication and membership, and they replace most, or all of, the
work you would normally have to do to use forms authentication.