14 May 2010

Form Authentication.

Security is one of the most important components of any application, and it matters even more when you are building a web application that is exposed to millions of users. ASP.NET provides classes and methods that help keep the application secure from outside attacks. In this article we will look at Forms authentication in ASP.NET, which provides a powerful way of securing applications.
Everyone is familiar with what authentication is and what ASP.NET is; I just want to share my experience with it and how we implemented it in our application. As groundwork, let me jump straight to the different authentication options we have.
The three main types of authentication available in ASP .NET are:
1) Windows Authentication
2) Forms Authentication
3) Passport Authentication
Now let's check how authentication takes place with ASP.NET:
1) The request is first served by the IIS server. IIS checks the IP address of the incoming request and allows or denies access according to the configured domain/IP restrictions.
2) Next, IIS performs whatever authentication it is configured to do. By default it allows all access, but you can always go back and change this per application.
3) Once this is done, the request is passed to the ASP.NET application itself, where the user is authenticated according to the settings made in Web.config, and resources are then allowed or denied to the user. Please see the flow chart beside this text for more details.
Now let's go back to the authentication techniques. Just a couple of lines on each.
Windows Authentication: allows you to authenticate users against Windows accounts and credentials. IIS does this for you and passes the credentials on to your code if required. This is used when the application is an INTRANET application and the set of users is fixed.
Passport Authentication: uses Microsoft Passport services to authenticate the user. This is used when you have different applications hosted on a server and want to provide single sign-on for the user. What I mean is that once he/she is authenticated, he/she is authorized to access any other application that uses Passport authentication without going through the authentication process again.
Forms Authentication: This is the most commonly used method of authentication. Simple HTML forms are used to collect user data, which is validated against your database and your own custom configuration for the specific user.
Well, now let me go ahead and share my experience with Forms authentication.
Forms (Cookie)
The Forms authentication provider is an authentication scheme that makes it possible for the application to collect credentials using an HTML form directly from the client. The client submits credentials directly to your application code for authentication. If your application authenticates the client, it issues a cookie to the client that the client presents on subsequent requests. If a request for a protected resource does not contain the cookie, the application redirects the client to the logon page.
Now let's go ahead and implement the same:
By default the mode is set to Windows authentication; to change this to Forms authentication you only need to change "Windows" to "Forms", as I have shown below. To implement Forms authentication you must create your own logon page and a redirect URL for unauthenticated clients. You must also create your own scheme for account authentication. The following is an example of a Web.config configuration using Forms authentication:

Okay, so now you have set your application to use Forms authentication instead of Windows authentication. The Login.aspx form should ask for whatever credentials you want (username/password, for example) and validate them against the logic you have written. Once they have been validated, you only need to execute the following code to have the user redirected back to the page they were originally trying to access. Simple, right?
How does the control flow work in Forms authentication?
The sequence diagram shows the sequence of events that occur during Forms authentication. In our application we make an LDAP call to authenticate the user, so the logic for validating the user against Active Directory runs in the Login button click handler of Login.aspx. If the login succeeds, we proceed to Default.aspx; otherwise we show a message to the user on Login.aspx itself.
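As an added example (not code from the original post), here is the Web.config change and a Login.aspx code-behind that validates the user against Active Directory and then issues the forms cookie and redirects, as described above; the domain name, the control names txtUserName/txtPassword/lblMessage and the use of System.DirectoryServices.AccountManagement for the LDAP bind are assumptions.

```csharp
// Web.config fragment (added example, not the original post's configuration):
//   <system.web>
//     <authentication mode="Forms">
//       <!-- requireSSL keeps the auth cookie off plain HTTP; protection="All" signs and encrypts it -->
//       <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="20"
//              slidingExpiration="true" requireSSL="true" protection="All" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- "?" = anonymous: unauthenticated requests are sent to Login.aspx -->
//     </authorization>
//   </system.web>

using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed domain name; replace with your own AD domain.
    private const string DomainName = "corp.example.com";

    // Login button click: validate the submitted credentials against Active Directory.
    // txtUserName, txtPassword and lblMessage are assumed controls on Login.aspx.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        if (ValidateAgainstAd(userName, password))
        {
            // Issues the forms authentication cookie and redirects to the ReturnUrl
            // (or Default.aspx when there is none). "false" = session cookie, not persistent.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // Same generic message for unknown user and wrong password: do not reveal which one failed.
            lblMessage.Text = "Invalid user name or password.";
        }
    }

    // Binds to the domain with the supplied credentials; true only if AD accepts them.
    private static bool ValidateAgainstAd(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        {
            return ctx.ValidateCredentials(userName, password);
        }
    }
}
```

RedirectFromLoginPage honours the ReturnUrl query parameter; leave the forms element's enableCrossAppRedirects at its default of false so that only URLs within this application are accepted as a redirect target.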
