Forms security works so that you don't have to
create new Windows accounts to let people in. I won't go over how it works
(see Security in ASP.NET). Here is the configuration -
<forms name="Auth" loginURL="login.aspx" protection="All" timeout="10"
When you are authenticated you are given a
cookie called 'Auth'. The place where you login is called login.aspx. The
protection is by default - All, this gives the cookie validation (to make sure
it hasn't been tampered) and encryption (using Triple-DES or DES), you can
modify this with different properties (All, None, Encryption, Validation).
Next the timeout sets when the user's login will time-out (the default in 30)
Before we continue lets set up our login.aspx
Sub btn_click(sender as object, e as eventargs)
'You may want a database connection or something here
'To provide authentication from a database
If uname.Text = "philipq" And pword.text = "password" Then
lblmsg.Text = "Invalid username or password"
I'll leave you to put the server controls in.
All this does is check the values of the two
textboxes (uname and pword) and if they're fine it sets
Formsauthentication.SetAuthCookie() to validate the user. the SetAuthCookie
method takes two parameters - the username of the authorized user and weather
or not to keep the cookie after the user closes the browser. The
FormsAuthentication provides many other useful methods.
So far we have given simple authentication for
users and the data is automatically encrypted. The cookie is also encrypted
like this -
You can clearly see the name of the cookie and the server it got it from.