The output is shown below:
In the above example, the important work happens in the Button_Click subroutine, which first checks the IsValid property to test whether both a username and a password were entered into the form. If the page is valid, the values of the username and password form fields are compared against the values expert and Secret.
If the correct username and password are entered, the RedirectFromLoginPage method is called. Two parameters are passed to this method: the username and a Boolean value indicating whether a persistent cookie should be created.
Forms authentication supports both session and persistent cookies. When RedirectFromLoginPage is called, it can be indicated whether a persistent cookie should be created. If RedirectFromLoginPage creates a persistent cookie, the cookie continues to exist even if the user shuts down his or her computer and returns to the Web site many days in the future.
Calling the RedirectFromLoginPage method performs two actions. First, it creates a cookie on the user's browser that contains an Authentication Ticket. After this cookie is set, the user can access pages in directories that require Forms authentication.
Second, the RedirectFromLoginPage method automatically redirects the user, by using a browser redirect, back to the page that sent him or her to the Login.aspx page in the first place.
Configuring Forms Authentication
In the preceding section, the modifications of the Web.Config file needed to enable Forms authentication for an application were discussed. In this section, the options for configuring Forms authentication are examined in more detail.
The authentication section in the Web.Config file can contain an optional forms element, which supports the following attributes:
loginUrl: The page to which the user is automatically redirected when authentication is required. By default, users are redirected to the Login.aspx page in the application root directory. However, this attribute can be changed to point to any page required.
name: The name of the browser cookie that contains the Authentication Ticket. By default, the cookie is named .ASPXAUTH. However, if multiple applications are configured on the same server, a unique cookie name for each application should be provided.
timeout: The amount of time in minutes before a cookie expires. By default, this attribute has the value 30 minutes. This attribute does not apply to persistent cookies.
path: The path used for the cookie. By default, this attribute has the value /.
protection: The way the cookie data is protected. Possible values are All, None, Encryption, and Validation; the default value is All.
The protection attribute requires some explanation. By default, cookies are encrypted using either DES or TripleDES encryption (depending on the capabilities of the server). Furthermore, the contents of the cookie are validated with a Message Authentication Code to protect against tampering.
Encryption, validation, or both can be disabled by changing the value of the protection attribute. For example, setting protection to Encryption causes the cookie to be encrypted but not validated. Better performance can be obtained by disabling encryption and validation. However, disabling these features also results in a less secure site.
The Web.Config file in Example 65 illustrates how the forms attributes can be set.
Example 65 FormsAttributes\Web.Config
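The contents of Example 65 are not reproduced on this page. As an added illustration (not the book's Example 65), the following Web.Config sets every attribute described above on the forms element. The attribute names loginUrl, name, timeout, path and protection are the standard ASP.NET forms element attributes; the login page name, cookie name and timeout value are invented for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: page unauthenticated users are sent to (default: Login.aspx in the root).
           Account/SignIn.aspx is an invented value. -->
      <!-- name: cookie that carries the Authentication Ticket. Each application on a
           shared server should get its own name instead of the default .ASPXAUTH. -->
      <!-- timeout: minutes before a session cookie expires (default 30);
           ignored for persistent cookies. -->
      <!-- path: cookie path (default /). -->
      <!-- protection: All keeps both encryption and MAC validation of the ticket.
           Encryption alone drops the tamper check, Validation alone sends the
           ticket readable, and None drops both; keep All unless there is a
           measured reason not to. -->
      <forms
        loginUrl="Account/SignIn.aspx"
        name=".EXAMPLEAPPAUTH"
        timeout="20"
        path="/"
        protection="All" />
    </authentication>
  </system.web>
</configuration>
```

The timeout and protection attributes interact with the persistent-cookie flag passed to RedirectFromLoginPage: a persistent cookie outlives the timeout, so the protection setting is the only thing standing between a stored cookie and anyone who can read or alter it.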
Configuring Forms Authorization
The authorization section of the Web.Config file determines which users can access ASP.NET pages within a directory. In the simplest case, the authorization section can be used to deny anonymous users access to the pages in a directory, using a Web.Config like the one in Example 66.
Example 66 Web.Config
<authentication mode="Forms" />
<authorization>
  <deny users="?" />
</authorization>
The authorization section can contain either <deny> elements, which deny access for particular users, or <allow> elements, which enable access for particular users. The special symbol ? can also be used, which stands for all anonymous users, or the symbol *, which stands for all users (both anonymous and authenticated).
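As an added example that is not part of the book's text, the following Web.Config combines a <deny> rule for anonymous users (?) with an <allow> rule for all users (*). Authorization rules are evaluated in order and the first matching rule wins, which is why the order of the two elements matters; the comments show the ordering that accidentally lets anonymous users through.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <!-- Rules are checked top to bottom; the first rule that matches the
           current user decides. An anonymous user matches "?" here and is
           denied before the "*" rule is ever reached. -->
      <deny users="?" />
      <allow users="*" />

      <!-- The reverse order would be a mistake: an anonymous user also matches
           "*", so <allow users="*" /> placed first would admit everyone and the
           <deny users="?" /> below it would never be consulted.
           Without any <deny> at all, the inherited machine-level default
           (allow all users) applies and the directory stays open. -->
    </authorization>
  </system.web>
</configuration>
```

A quick check when reviewing such a file is to read the rules as an ordered list and ask, for an anonymous request, which line matches first; if the answer is an <allow>, the directory is not protected.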