Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com
Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication
Forms Authentication
Forms authentication, also called cookie-based authentication, has a number of advantages over Windows authentication.
- Firstly, you can design the logon page yourself (or let the user do it) instead of relying on the standard Windows logon dialog.
- Secondly, you have total control over the information you collect from the user.
- User information can be stored not only in the SAM or Active Directory, but in any other form: a database, an LDAP directory, XML files or a plain text file.
- There is no need to align the Web application's security policy with the server's policy, because, as mentioned above, all user information can be kept in a separate store that never touches OS identities (accounts).
But, in spite of all the opportunities forms authentication offers, it has one weighty restriction: the user has to accept cookies. Without cookies, forms authentication will not work "using ASP.NET tools". Note those words. They mean that the mechanism which frees the developer from the routine of endless check-ups will not work. That mechanism operates as follows: every request from a user who has not yet passed authentication is redirected to the login page, where he enters the necessary information (in most cases a user name and a password). The information is passed to the ASP.NET environment, where it is validated. If validation succeeds, the user receives a cookie containing the authentication ticket (the user name, the issue and expiry times and optional user data), encrypted and/or signed according to the protection attribute described below. As a result, every subsequent browser request carries that ticket in its headers, and ASP.NET validates it on each request without any code of yours. (ASP.NET 2.0 later added a cookieless attribute to the forms element that carries the ticket in the URL instead; a ticket in the URL ends up in browser history, proxy logs and Referer headers, so the cookie mode remains the safer choice.)
That is why, if the user's browser does not accept cookies, you have to check manually whether he has passed authentication; in classic ASP the Session object was used for this, approximately as follows:
If Not Session("Registered") = "1" Then
' Not logged in yet: send the user to the login page
Response.Redirect("login.asp")
End If
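The ASP.NET side of the flow described above, as an added example that is not code from the original article: a login.aspx code-behind that validates the credentials, builds the ticket, issues the cookie and returns the user to the page he originally asked for. It assumes .NET Framework 2.0 or later, page controls named txtUser, txtPassword, lblMessage and btnLogin, and two helpers (IsLocalUrl and GetUserData) written for this example; FormsAuthentication.Authenticate checks the credentials section of web.config and stands in for whatever store you choose.

```csharp
// Added example, not from the original article: the ASP.NET side of the flow
// described above, written as a login.aspx code-behind for .NET Framework 2.0+.
// txtUser, txtPassword, lblMessage and btnLogin are assumed page controls;
// IsLocalUrl and GetUserData are helpers written for this example.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();

        // Credential check against the <credentials> section of web.config
        // (a real API; a database, XML or LDAP lookup would replace this call).
        if (!FormsAuthentication.Authenticate(user, txtPassword.Text))
        {
            // One message for both a bad name and a bad password: do not reveal which.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // This is what the cookie will carry: version, user name, issue and expiry
        // times, persistence flag, free-form user data and the cookie path.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, "role=member", FormsAuthentication.FormsCookiePath);

        // Encrypt and/or sign the ticket according to <forms protection="...">.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // mirrors requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        // ASP.NET appends the originally requested page as ReturnUrl. Only follow it
        // when it is a local path, otherwise the login page becomes an open redirect.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;
        Response.Redirect(returnUrl, false);
    }

    // Accept only site-relative paths such as "/members/default.aspx".
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("//") || url.StartsWith("/\\")) return false; // protocol-relative
        return url.StartsWith("/");
    }

    // On every later request FormsAuthenticationModule has already decrypted and
    // validated the cookie; the ticket is exposed through the FormsIdentity.
    internal static string GetUserData(HttpContext context)
    {
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        return identity == null ? null : identity.Ticket.UserData;
    }
}
```

FormsAuthentication.RedirectFromLoginPage(user, false) does the ticket, cookie and redirect in one call; the explicit version above is used only to make visible what the cookie contains and where the Secure and HttpOnly flags come from. Whichever route you take, the expiry you put in the ticket should match the timeout attribute, because the module enforces the ticket's own expiry, not the configured one.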
To use forms authentication you first need to configure the Web project. To do it, change the content of the <authentication> element in Web.config as follows:
<authentication mode="Forms">
<forms name="ASP_XML_Form" loginUrl="login.aspx" protection="All"
timeout="30" path="/" requireSSL="false" slidingExpiration="true" />
</authentication>
Let's review the code above more closely. The mode attribute of the <authentication> element defines the authentication type. In the previous examples we used the value Windows, which selected Windows-based authentication; now, to work with forms authentication, we use Forms. Apart from these two there are two more values: Passport and None. The first selects Passport authentication, which we will discuss later; the second turns authentication off. The <forms> element is specific to forms authentication and carries the following attributes:
- name - the name of the cookie in which the authentication ticket is stored (the default is .ASPXAUTH);
- loginUrl - the address of the page to which an unauthenticated user is redirected to log in; ASP.NET appends the originally requested address as the ReturnUrl query-string parameter;
- protection - takes the values All|None|Encryption|Validation and defines how the ticket in the cookie is protected. None sends the ticket as plain text, so anyone who can set a cookie can forge it; Validation adds a MAC, so the ticket cannot be altered but can still be read; Encryption encrypts it without a MAC; All, the default, does both, and there is no good reason to use anything else;
- timeout - the number of minutes (not seconds) after which the ticket expires; the default is 30;
- path - the Path attribute of the cookie. By default it is a slash (/), the root of all paths. It is not recommended to change it, because browsers compare cookie paths case-sensitively: a request whose URL differs from the configured path in case alone will not carry the cookie, and such users will appear unauthenticated;
- requireSSL - true or false (the default). When true, the cookie is issued with the Secure flag, so the browser sends it only over HTTPS, and ASP.NET throws an exception if asked to issue the ticket on a request that did not arrive over SSL; without it the ticket crosses the network in clear text on every request. Set it to true wherever the site is served over HTTPS;
- slidingExpiration - true (the default) or false. When true, a ticket that has passed half of its timeout is reissued with a fresh expiry on the next request, so an active user stays logged in indefinitely; when false, the ticket expires at a fixed time after login regardless of activity, which limits how long a stolen ticket remains usable.
All possible attributes of the <forms> element were described above, but three of them are enough for the application to work correctly, as the listing below shows; the remaining attributes take their default values:
<forms name="ASP_XML_Form" loginUrl="login.aspx" protection="All" />
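The same configuration as a practitioner would deploy it, as an added example that is not part of the original article: the <forms> element from above with the settings tightened, plus the <authorization> section without which no request is ever redirected to loginUrl, because mode="Forms" only says how users authenticate, not which pages require it. It assumes ASP.NET 2.0 or later for the cookieless attribute and the <httpCookies> element; the <location> block for login.aspx is required in ASP.NET 1.x and harmless afterwards.

```xml
<!-- Added example, not from the article: a hardened web.config for forms
     authentication. Assumes ASP.NET 2.0 or later for cookieless and httpCookies. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": ticket is encrypted and MAC-validated.
           requireSSL="true": cookie carries the Secure flag, so it never
           travels over plain HTTP (the site must be served over HTTPS).
           timeout is in MINUTES.
           slidingExpiration="false": a stolen ticket dies at a fixed time
           instead of being renewed for as long as the thief keeps using it.
           cookieless="UseCookies": never fall back to a ticket in the URL. -->
      <forms name="ASP_XML_Form" loginUrl="login.aspx" protection="All"
             timeout="30" path="/" requireSSL="true" slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>

    <!-- Without this section every page stays open to anonymous users ("?")
         and the redirect to loginUrl never happens. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Mark every cookie HttpOnly so script injected into a page cannot read
         the ticket, and refuse to send cookies over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- When the application runs on more than one server, replace the
         AutoGenerate machineKey with explicit validationKey/decryptionKey
         values, otherwise a ticket issued by one server is rejected by
         the others. (Keys deliberately not shown here.) -->
  </system.web>

  <!-- The login page itself must remain reachable, or the redirect loops. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying: request a protected page anonymously and confirm a 302 to login.aspx?ReturnUrl=...; then log in and confirm the Set-Cookie header for ASP_XML_Form carries both the Secure and HttpOnly attributes. If either is missing, requireSSL or httpOnlyCookies did not take effect.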