Anonymous authentication is fine for web sites that contain public information that everyone can see. We discussed Anonymous authentication in
Windows authentication is used for intranet web applications, where the users are part of a Windows domain-based network. We discussed Windows authentication in a previous article.
In this article we will discuss:
1. When to use Forms Authentication
2. How to enable Forms Authentication
When to use Forms Authentication?
Forms authentication is used for internet web applications. The advantage of Forms authentication is that users do not have to be members of a domain-based network to have access to your application. Many internet web sites, such as Gmail.com, Amazon.com and facebook.com, use forms authentication. To access these applications we do not have to be members of their domain-based network.
How to enable Forms Authentication?
Create an ASP.NET web application project. Add two web forms named Welcome.aspx and Login.aspx. Add a new folder named "Registration" to the project. Add a Register.aspx web form to the "Registration" folder.
Welcome.aspx HTML:
<h1>Welcome Page</h1>
Login.aspx HTML:
<div style="font-family:Arial">
<table style="border: 1px solid black">
<tr>
<td colspan="2">
<b>Login</b>
</td>
</tr>
<tr>
<td>
User Name
</td>
<td>
:<asp:TextBox ID="txtUserName" runat="server">
</asp:TextBox>
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
:<asp:TextBox ID="txtPassword" TextMode="Password" runat="server">
</asp:TextBox>
</td>
</tr>
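<tr>
<td>
<asp:CheckBox ID="chkBoxRememberMe" runat="server" Text="Remember me" />
</td>
<td>
<asp:Button ID="btnLogin" runat="server" Text="Login" />
</td>
</tr>
<tr>
<td colspan="2">
<asp:Label ID="lblMessage" runat="server" ForeColor="Red"></asp:Label>
</td>
</tr>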
</table>
<br />
<a href="Registration/Register.aspx">Click here to register</a>
if you do not have a user name and password.
</div>
Register.aspx HTML:
<h1>Registration Page</h1>
If you run the application now, you will be able to navigate to any page just by changing the name of the page in the address bar. We are not logged in, but we are still able to access all the pages in the application.
Let us enable forms authentication now. To enable forms authentication, set the authentication element's mode attribute to Forms in the application's web.config file.
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="30"
defaultUrl="Welcome.aspx" protection="All">
<credentials passwordFormat="Clear">
<user name="santoshkumarsingh" password="santoshkumarsingh"/>
<user name="ergagan" password="ergagan"/>
<user name="richa" password="richa"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
Description of the attributes:
loginUrl - The URL of the login page.
timeout - Specifies the number of minutes the authentication cookie persists on the client's computer. The default is 30 minutes.
defaultUrl - The URL the user will be redirected to after authentication.
protection - Specifies the protection for the authentication cookie stored on the client's computer. The default is All, which performs encryption and data validation. Other possible settings are Encryption, Validation, and None.
Double click the login button on the Login.aspx page. Copy and paste the following code in the button click event handler.
// Requires "using System.Web.Security;" at the top of the code-behind file
// Authenticate against the list stored in web.config
if (FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
{
// Create the authentication cookie and redirect the user to welcome page
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkBoxRememberMe.Checked);
}
else
{
lblMessage.Text = "Invalid UserName and/or password";
}
Run the application. If you try to navigate to the Welcome.aspx or Registration/Register.aspx pages, you will be redirected to the Login page. After you log in, you will be able to access these pages.
There are 2 problems with this application at the moment.
1. It is not a good practice to store user names and passwords in the web.config file. If you want to create user names and passwords dynamically, you need to change the web.config file. If you change the web.config file at run time, the application restarts and all the session data will be lost, if stored inside the worker process. In a later video session, we will discuss storing user names and passwords in a database table.
2. At the moment, users are not able to access the Register.aspx page if they are not logged in. A user who does not have a user name and password should be able to register using the Register.aspx page. In a later video session, we will discuss this.
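The settings described above and the first problem in the list can be checked mechanically before a site is deployed. The following Python script is an added example, not part of the original article: it runs outside the application, and the function names audit_forms_auth and anonymous_denied and the placeholder account in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings shown above, with one placeholder account.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" timeout="30"
           defaultUrl="Welcome.aspx" protection="All">
      <credentials passwordFormat="Clear">
        <user name="user1" password="placeholder"/>
      </credentials>
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

def anonymous_denied(web):
    """URL authorization is first-match-wins; only the users attribute is read here."""
    for rule in web.findall("authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:   # "*" also matches anonymous users
            return rule.tag == "deny"
    return False                            # no matching rule: access is allowed

def audit_forms_auth(xml_text):
    """Return a list of findings for the forms-authentication settings."""
    web = ET.fromstring(xml_text).find("system.web")
    auth = web.find("authentication") if web is not None else None
    if auth is None or auth.get("mode", "").lower() != "forms":
        return ["forms authentication is not enabled"]
    findings = []
    forms = auth.find("forms")
    # protection defaults to All (encryption and validation) when omitted
    protection = forms.get("protection", "All") if forms is not None else "All"
    if protection.lower() != "all":
        findings.append("cookie protection is %s, not All" % protection)
    creds = forms.find("credentials") if forms is not None else None
    if creds is not None:
        findings.append("%d account(s) stored in web.config" % len(creds.findall("user")))
        if creds.get("passwordFormat", "").lower() == "clear":
            findings.append("passwords are stored in clear text")
    if not anonymous_denied(web):
        findings.append("anonymous users are not denied")
    return findings

if __name__ == "__main__":
    for finding in audit_forms_auth(SAMPLE):
        print(finding)
```

For the configuration in this article the script reports the accounts kept in web.config and their clear-text format; the cookie protection and the deny rule for anonymous users pass.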