Page 251 - DCAP312_WEB_TECHNOLOGIES_II
Unit 12: Security and Membership
The Forms Authentication Provider
• Forms authentication provides us with a way to handle authentication using our own
custom logic within an ASP.NET application: we decide how credentials are checked, and
ASP.NET takes care of remembering the result across requests.
The following applies if we choose forms authentication:
• When a user requests a page of the application, ASP.NET checks for the presence of a
special cookie carrying the forms authentication ticket (named .ASPXAUTH by default). If
the cookie is present and the ticket decrypts, has a valid signature and has not expired,
ASP.NET treats the user as authenticated and processes the request.
• If the cookie is absent or the ticket is invalid, ASP.NET redirects the user to a logon
web form that we provide (the loginUrl), and we may use any method we like to check the
submitted credentials: a database lookup, a membership provider or a directory service.
• Once we have verified the credentials, we indicate this to ASP.NET by calling
FormsAuthentication.RedirectFromLoginPage or FormsAuthentication.SetAuthCookie, which
creates the special cookie that authenticates subsequent requests.
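The three steps above as an added worked example, not code from the textbook: a C# code-behind for the logon page named by loginUrl, plus a helper that makes the cookie check of the first step visible. It assumes a web.config forms element like the default one shown on this page (cookie .ASPXAUTH, protection="All"), that the ASP.NET Membership provider is configured, and that the control IDs UserName, Password, RememberMe and Message and the handler name LoginButton_Click are our own choices.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for Login.aspx (the page named by loginUrl). The control IDs
// UserName, Password, RememberMe and Message are assumed to exist in the markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        string pass = Password.Text;

        // Step 2 of the flow: check the credentials with logic of our choosing.
        // Here the ASP.NET Membership provider is assumed to be configured.
        if (!Membership.ValidateUser(user, pass))
        {
            // One generic message: do not reveal which half of the credential was wrong.
            Message.Text = "Login failed.";
            return;
        }

        // Step 3: tell ASP.NET the user is authenticated. This writes the forms
        // authentication ticket into the .ASPXAUTH cookie (encrypted and signed,
        // because protection="All") and redirects to the page originally requested,
        // or to defaultUrl if there was none. The second argument asks for a
        // persistent cookie, whose lifetime is the configured timeout.
        FormsAuthentication.RedirectFromLoginPage(user, RememberMe.Checked);
    }

    // Step 1 made visible: what the FormsAuthenticationModule does on every request
    // before this page is ever reached. Returns the ticket if the cookie is present,
    // decrypts, verifies and has not expired; otherwise null, which is the case in
    // which ASP.NET sends the user to loginUrl. You do not normally call this yourself.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null; // no cookie: not authenticated
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the signature made with the machineKey validation key
            // and throws if the cookie was altered or was issued under different keys.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null; // tampered or foreign ticket: treat as unauthenticated
        }

        if (ticket == null || ticket.Expired)
        {
            return null; // older than timeout (or than its last sliding renewal)
        }
        return ticket;
    }
}
```

RedirectFromLoginPage takes its destination from the ReturnUrl query parameter that ASP.NET appended when it redirected to the logon page; with enableCrossAppRedirects="false" the framework is not meant to send the user outside the current application, but on older frameworks it is worth confirming the target is local before trusting it. ReadTicket duplicates the module's own check and is included only to show which conditions (cookie missing, signature failure, expiry) are treated as "not authenticated".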
Forms Authentication Configuration
The default attribute values for forms authentication are shown in the following configuration-file fragment.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>
The default attribute values are described below:
• loginUrl points to the application's custom logon page. We should place the logon page
in a folder that requires Secure Sockets Layer (SSL), so that the user name and password
are encrypted in transit and cannot be read or altered between the browser and the Web
server.
• protection is set to All to give the forms authentication ticket both privacy and
integrity. The ticket is encrypted using the algorithm specified on the machineKey
element and signed using the hashing algorithm that is also specified on the machineKey
element, so a cookie that has been modified by a third party fails validation and is
discarded. In a web farm every server must use the same machineKey values, or a ticket
issued by one server will be rejected by the others.
• timeout specifies a limited lifetime, in minutes, for the forms authentication session.
The default value is 30. If a persistent forms authentication cookie is issued, the
timeout attribute is also used to set the lifetime of the persistent cookie.
• name and path give the name and path of the authentication cookie; the defaults are
.ASPXAUTH and /. Each application sharing a host name should use its own cookie name so
that the cookies of different applications do not collide.
• requireSSL is set to false. This configuration means that authentication cookies can be
transmitted over channels that are not SSL-encrypted, where they can be captured and
replayed. If we are concerned about session hijacking, we should set requireSSL to true:
the cookie is then issued with the Secure flag, so the browser sends it only over HTTPS,
and ASP.NET refuses to issue it at all on a request that did not arrive over SSL.
LOVELY PROFESSIONAL UNIVERSITY 245