Learning Resources

Understanding ASP Dot Net Forms

ASP.NET Tutorial - Forms-Based Authentication


Form authentication can be used for setting up custom user registration system for the website. The advantage of using this type of authentication is that, it enables to store username and passwords in whatever storage mechanism is desired. For example, storing username and password in the Web.Config file, an XML file, or a database table.

If a user requests a page without the proper Authentication Ticket, he or she can be automatically redirected to the login page. If the user enters a valid username and password combination, you can automati­cally redirect him or her back to the original page.

When using Forms authentication, an automatic user registration system can be easily set up. For example, a database table can be created that contains usernames and pass­words. In that case, adding a new registered user is as simple as adding a new username and password to the database table.

The .NET classes for Forms authentication are located in the System.Web. Security namespace. The following list contains the most important of these classes:


This class contains several shared methods for working with Forms authentication.


This class represents the authentication Ticket used in the cookie for Forms authentication.

Forms Identity

This class represents the identity of the user authenticated with Forms authentication.


This class is the actual module used for forms authentication.

Enabling Forms Authentication

To enable basic Forms authentication for an application, the follow three steps are to be followed:

  • Set the authentication mode for the application by modifying the authentication ­section in the application root Web.Config file.
  • Deny access to anonymous users in one or more directories in the application by modifying the authorization section in the Web.Config files in the appropriate directories.
  • Create a login page containing a form that enables users to enter their usernames and passwords.

The first step is to enable Forms authentication for an application. To do so, you must modify an application's root directory Web.Config file. If the Web.Config file doesn't exist, it can be created.

The Web.Config Example 61 Web.Config file contains the minimal amount of information necessary to enable Forms authentication for an application.

To run these examples put all the files in SimpleForm directory and in its subdirectory as mentioned in the name of the examples. Next, create a new vertual directory that points to the SimpleForm directory.

Example SimpleForm/Web.Config


In above example, the authentication mode is set to Forms. Creating this file enables Forms authentication for the entire application.

The next step is to password-protect individual directories. Users are required to log in to access any ASP.NET page at the Web site by modifying the root directory Web.Config file. Alternatively, Web.Config files can be added to particular directories to password­certain pages.

To password-protect a particular directory and its subdirectories, add the Web. Config file in Example 62to the directory.(Place this at SimpleForm\Secret subdirectory)


Example SimpleForms/secret/Web.config

The Web.Config file in the above example denies access to the ASP.NET pages contained in the directory to anonymous users. The ? symbol represents all anonymous users.

After the tile Web. Config file is added in Example 62to a directory, anonymous users are denied access to ASP.NET pages in that directory and all subdirectories. If you want to enable users to access tiles in a particular subdirectory, you can add the Web.Confiig file contained in Example 63.


Example SimpleForns\Anon\Web.Config

< configuration >

< system.web >

< authorization >

< allow users ="?" />

configuration >


  The Web. Confiig file in Example 63allows all anonymous users to access any page contained in a directory and all the subdirectories of that directory.

The final step required for enabling Forms authentication is to create the Login. aspx page. If you attempt to access an ASP.NET page in a password-protected directory and you do not have the proper Authentication Ticket cookie, you are automatically redirected to this page.

The simple Login. aspx page contained in Example 64 displays a form with a field for a username and password (as shown below). The page requires you to enter the username Sam and password Secret. (The form is case-sensitive.)


Example SimpleForm\login.aspx


Please Enter Your Login:




Runat="Server" />



Runat="Server" />



Runat="Server" />



TextMode="password" Runat="Server" />



Runat="Server" />



Remember me with a cookie?



Runat="Server" />

In the above example, the important work happens in the Button-Click subroutine, which first checks the IsValid property to test whether both a username and password were entered into the form. If the page is valid, the values of the username and password form fields are matched against the values, expert and Secret.

If the correct username and password are entered, the RedirectFromLoginPage method is called. Two parameters are passed in this method: the username and a Boolean value indi­cating whether a persistent cookie should be created.

Form ahentication supports both session and persistent cookies. When the RedirectFromLoginPage is called, it can be indicated whether a persistent cookie should be created. If the RedirectFromLoginPage creates a persistent cookie, the cookie continues to exist even if the user shuts down his or her computer and returns to the Web sites many days in the future.

Calling the RedirectFromLoginPage method performs two-actions. First, it creates a cookie on the user’s browser that contains an Authentication Ticket. After this cookie is set, the user can access pages in directories that require Forms authentication.

The RedirectFromLoginPage method also automatically redirects the user back to the page that sent him or her to the Login. aspx page in the first place by using a browser redirect.

Configuring Forms Authentication

In the preceding section, modifications of the Web. Config file to enable Forms authentication for an application was discussed. In this section, the options for configuring Forms authentication will be examined in more detail.

The authentication section in the Web. Config file can contain an optional forms elements, which supports the following attributes:


The page where the user is automatically redirected when authentication is required. By default, users are redirected to the Login. aspx page in the application root directory. However, this attribute can be changed to point out to any page required.


The name of the browser cookie that contains the Authentication Ticket.By default, the cookie is named .ASPXAUTH. However, if multiple applications are configured on the same server, a unique cookie name for each application should be provided.


The amount of time in minutes before a cookie expires. By default, this attribute has the value of 30 minutes. This attribute does not apply to persistent cookies.


The path used for the cookie. By default, this attribute has the value/.


The way the cookie data is protected. Possible values are All, None Encryption, and validation; the default value is All.

The protection attribute requires some explanation. By default, cookies are encrypted using either DES or TripleDES encryption (depending on the capabilities of the server). Furthermore, the contents of the cookie are validated with a Message Authentication Code to protect against tampering.

Encryption or validation or both features can be disabled by changing the value of protection attribute. For example, setting protection to Encryption causes the cookie to be encrypted but not validated. Better performance from the application can be obtained by disabling encryption and validation. However, disabling these features also results in a less secure site.

The Web. Confiig file in example 65 illustrates how you can set the forms attributes.

Example FormsAttributes\Web.Config







Configuring Forms Authorization

The authorization section of the Web. Config file determines which users can access ASP.NET pages within a directory. In the simplest case, the authorization section to deny anonymous users can be used to access to the pages in a directory by using a Web.Config like the one in example 66


Example Web.Config


The authorization section can contain either elements, which deny access for particular users,or elements, which enable access for particular users. The special symbol ? can also be used which stands for all anonymous users, or the symbol *, which stands for all users (both anonymous and authenticated).