Authentication and Authorization in ASP.NET
page 1 of 6
Published: 19 Jun 2006
Unedited - Community Contributed
Authentication is the process of identification and validation of a user's credentials. After the identity is authenticated, a process called authorization determines whether that identity has access to a particular resource. This article discusses both these concepts in detail.
by Joydip Kanjilal
Average Rating: 
Views (Total / Last 10 Days): 50498/ 125


Authentication is the process of determining the authenticity of a user based on the user’s credentials. Whenever a user logs on to an application, the user is first authenticated and then authorized. The application’s web.config file contains all of the configuration settings for an ASP.NET application. It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not. An authentication provider is used to prove the identity of the users in a system. ASP.NET provides three ways to authenticate a user:

·         Forms authentication

·         Windows authentication

·         Passport authentication

Hence, ASP.NET contains the three respective authentication providers to support the above authentication modes.

Forms Authentication

This authentication mode is based on cookies where the user name and the password are stored either in a text file or the database. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When the user has not logged in and requests for a page that is insecure, he or she is redirected to the login page of the application. Forms authentication supports both session and persistent cookies. Authentication modes can be specified in the application’s web.config file as shown below:

Listing 1

    <authentication mode="[Windows/Forms/Passport/None]">

The following needs to be specified in the application’s web.config file for using Forms Based Authentication in ASP.NET:

Listing 2

    <authentication mode="Forms"/>
    <forms name="login"loginUrl="login.aspx" />
        <deny users="?"/>

Note: The statement <deny users="?"> in the web.config file as stated in Listing 2 implies that all permissions are granted only to the authenticated users. The users who are not authenticated are not granted any permission. The symbol "?" indicates all Non Authenticated and Anonymous users.

Generally the user’s credentials are stored in the database and the entered credentials are verified using those that are stored in the database. Typically, the user enters the username and the password, clicks the login button and the form validates the values against values from the database. This is shown in the code snippet below:

Listing 3

if (Verify (txtUserName.Text, txtPassword.Text))
  FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);
  lblMessage.Text = "Invalid login name orpassword specified...";
private Verify(string userName, string password)
      //Usual Code to connect to the DB 
      // and verify the user's credentials

The static method RedirectFromLoginPage creates an authentication ticket and is used to redirect an authenticated user back to the originally requested URL or the default URL. The authentication ticket creates a persistent cookie that becomes a part of the HttpResponse object. Later, when the user tries to access a page in a restricted folder, the ASP.NET framework uses the cookie to retrieve the ticket and determine whether the user has access to that particular resource. The first parameter to this method identifies the user while the second is used to specify whether the user’s authentication cookie needs to be persisted across multiple site visits.

The user’s credentials can be also be specified in the web.config file as shown below:

Listing 4

    <authentication mode="Forms">
    <forms loginUrl="login.aspx">
            <user name="Joydip"password="Joydip" />

Windows Authentication

This is the default authentication mode in ASP.NET. Using this mode, a user is authenticated based on his/her Windows account. Windows Authentication can be used only in an intranet environment where the administrator has full control over the users in the network. The following should be set in the web.config file to use Windows Authentication:

Listing 5

<authentication mode="Windows"/>
<allow users ="*" /> 

Note: The symbol "*" indicates all users inclusive of Authenticated and Anonymous users. Hence the statement <allow users = "*"> in the web.config file as stated in Listing 5 indicates that all permissions are granted to both the Anonymous and Authenticated users.

Windows authentication can be of the following types

·         Anonymous Authentication

·         Basic Authentication

·         Digest Authentication

·         Integrated Windows Authentication

Passport Authentication

Passport authentication is a centralized authentication service that uses Microsoft's Passport Service to authenticate the users of an application. It allows the users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. The following code shows how we can specify Passport Authentication in the web.config file:

Listing 6

      <passportredirectUrl="login.aspx" />
      <deny users="?" />

ASP.NET also supports custom authentication. In such a case the authentication mode has to be specified as none in the web.config file as shown below:

<authentication mode="none">

Then we need to write our own custom authentication provider.

View Entire Article

User Comments

Title: Clear idea about Authentication and Authorization   
Name: Nandhini.S
Date: 2006-11-17 4:43:50 AM
This article gives me a clear idea about authentication and authorization. It will be very useful for the Beginners.
Thanks a lot
Title: Authentiaction and Authorization in ASP.NET   
Name: By Vishal Bhosale
Date: 2006-11-15 3:08:25 PM
This is very good and easy description and explaination and this would be very useful to programmers
Title: Authentication and Authorization in ASP.NET   
Name: Sameer Kothari
Date: 2006-11-15 4:01:18 AM
It realy good artical.its helpful to me to develoerd the this
Title: very simple explanation of Authenication   
Name: Vijay
Date: 2006-11-10 2:05:58 AM
I appreciate the author for simple and clear explnation of authnication and authorization
Title: Authentication and Authorization in ASP.NET   
Name: R.Prakash
Date: 2006-11-08 1:26:19 AM
Really very nice
Title: Authentication and Authorization in ASP.NET   
Name: Mahindra
Date: 2006-09-28 2:51:19 AM
Its a Very Useful article.....hope everyone who reads this cud get benefit from this......
Title: very good   
Name: bhawani shanker
Date: 2006-09-26 8:06:14 AM
i think it's a better article for understanding Authentication and Authorization
Title: Good Job   
Name: Noman Shaukat
Date: 2006-09-24 11:01:31 AM
Great Article ..... Good job man
Title: Very good and simple explanation of the topic   
Name: Vikram
Date: 2006-09-23 4:02:43 AM
Yes this is very good an simple explanation of the security in
Title: Authentication and Authorization in ASP.NET   
Name: selvaraj
Date: 2006-07-17 8:30:23 AM
i thing this is quit enough for beginner aslo.
Title: Authentication   
Name: Samy
Date: 2006-07-05 4:29:53 AM
it's an excellent article...very good way of explaning
Title: Authentication and Authorization in ASP.NET   
Name: By Joydip Kanjilal
Date: 2006-06-23 8:18:25 AM
I truly appreciate Mr. Kanjilal taking the time to explain these concepts in such a simplified manner. Security is still quite an important topic, and will continue to be in my opinion, so I think his words have tremendous value.
Thank you Mr. Kanjilal!
Vilmarie Barbosa

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2024  |  Page Processed at 2024-05-28 7:21:23 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search