Authentication is the process of determining the
authenticity of a user based on the user’s credentials. Whenever a user logs on
to an application, the user is first authenticated and then authorized. The
application’s web.config file contains all of the configuration settings for an
ASP.NET application. It is the job of the authentication provider to verify the
credentials of the user and decide whether a particular request should be
considered authenticated or not. An authentication provider is used to prove
the identity of the users in a system. ASP.NET provides three ways to
authenticate a user:
· Forms authentication
· Windows authentication
· Passport authentication
Hence, ASP.NET contains the three respective authentication
providers to support the above authentication modes.
Forms Authentication
This authentication mode is based on cookies, where the user
name and the password are stored either in a text file or the database. After a
user is authenticated, the user’s credentials are stored in a cookie for use in
that session. When a user who has not logged in requests a page that is
secured, he or she is redirected to the login page of the application. Forms
authentication supports both session and persistent cookies. The authentication mode
is specified in the application’s web.config file as shown below:
Listing 1
<configuration>
  <system.web>
    <authentication mode="[Windows/Forms/Passport/None]">
    </authentication>
  </system.web>
</configuration>
The following needs to be specified in the application’s
web.config file for using Forms Based Authentication in ASP.NET:
Listing 2
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="login" loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Note: The statement <deny users="?" /> in the web.config file, as stated in Listing 2, implies
that permissions are granted only to authenticated users. Users who
are not authenticated are not granted any permission. The symbol "?"
denotes all non-authenticated (anonymous) users.
Generally the user’s credentials are stored in the database
and the entered credentials are verified using those that are stored in the
database. Typically, the user enters the username and the password, clicks the
login button and the form validates the values against values from the
database. This is shown in the code snippet below:
Listing 3
if (Verify(txtUserName.Text, txtPassword.Text))
{
    // Second argument false: the authentication cookie lasts for the session only
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
}
else
{
    lblMessage.Text = "Invalid login name or password specified...";
}

private bool Verify(string userName, string password)
{
    // Usual code to connect to the DB
    // and verify the user's credentials
    return false; // placeholder: replace with the result of the credential check
}
The static method RedirectFromLoginPage creates an
authentication ticket and redirects the authenticated user back to the
originally requested URL or the default URL. The ticket is written to a
cookie that becomes a part of the HttpResponse object. Later, when
the user tries to access a page in a restricted folder, the ASP.NET framework
uses the cookie to retrieve the ticket and determine whether the user has
access to that particular resource. The first parameter to this method
identifies the user, while the second specifies whether the user’s
authentication cookie should be persisted across multiple site visits.
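The login handler and the Verify method of Listing 3 carried through as a complete code-behind, as an added example that is not the article's code: the stored value is a salted PBKDF2 hash rather than a readable password, the database lookup is parameterised, and the hash comparison runs in constant time. It assumes .NET Framework 4.x, a hypothetical Users table with UserName, PasswordSalt and PasswordHash columns, and a hypothetical "AppDb" connection string in web.config.

```csharp
// Added example, not the author's code. Assumes .NET Framework 4.x, a hypothetical table
// Users(UserName, PasswordSalt, PasswordHash) holding PBKDF2 hashes, and a hypothetical
// connection string named "AppDb" in web.config.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (Verify(txtUserName.Text, txtPassword.Text))
            // false: session cookie only, not persisted across site visits
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        else
            // Same message for unknown user and wrong password, so no account enumeration
            lblMessage.Text = "Invalid login name or password specified...";
    }
    private bool Verify(string userName, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName); // parameterised, no SQL injection
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;              // unknown user
                byte[] salt = (byte[])r["PasswordSalt"];
                byte[] stored = (byte[])r["PasswordHash"];
                byte[] computed;
                // 100000 iterations: PBKDF2 work factor, tune for the server
                using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
                    computed = kdf.GetBytes(stored.Length); // same length as stored hash
                return FixedTimeEquals(stored, computed);
            }
        }
    }
    // Compare every byte so response time does not reveal how much of the hash matched
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Only the credential check differs from Listing 3; RedirectFromLoginPage still issues the ticket and cookie exactly as described above.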
The user’s credentials can also be specified in the
web.config file as shown below:
Listing 4
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx">
        <credentials passwordFormat="Clear">
          <user name="Joydip" password="Joydip" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
Windows Authentication
This is the default authentication mode in ASP.NET. Using
this mode, a user is authenticated based on his/her Windows account. Windows
Authentication can be used only in an intranet environment where the
administrator has full control over the users in the network. The following
should be set in the web.config file to use Windows Authentication:
Listing 5
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
Note: The symbol "*"
indicates all users, both Authenticated and Anonymous. Hence the
statement <allow users="*" /> in the web.config file, as stated
in Listing 5, indicates that all permissions are granted to both Anonymous
and Authenticated users.
Windows authentication can be of the following types:
· Anonymous Authentication
· Basic Authentication
· Digest Authentication
· Integrated Windows Authentication
Passport Authentication
Passport authentication is a centralized authentication
service that uses Microsoft's Passport Service to authenticate the users of an
application. It allows the users to create a single sign-in name and password
to access any site that has implemented the Passport single sign-in (SSI)
service. The following code shows how we can specify Passport Authentication in
the web.config file:
Listing 6
<configuration>
  <system.web>
    <authentication mode="Passport">
      <passport redirectUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
ASP.NET also supports custom authentication. In that case
the authentication mode has to be set to None in the web.config file, as
shown below:
<authentication mode="None" />
We then need to write our own custom authentication
provider.