Jitesh Byahut 9/21/2014

Forms Authentication in Asp.Net

Forms authentication is best suited to internet-facing applications in which only authenticated users are allowed to access the application.

Application Introduction

To explain forms authentication, we created an application with the following pages:

SignIn.aspx - User login page

Home.aspx - First page shown to the user after a successful login

SignUp.aspx - User registration page

Setting up forms authentication in the application involves the steps explained in the following sections:

Web.Config

Define the authentication mode in Web.Config. The mode options are Forms, Passport, Windows and None.

<system.web>
  <authentication mode="Forms">
  </authentication>
</system.web>

Define the login page and the first page shown after a successful login. Here I am setting loginUrl to SignIn.aspx, so when a user tries to access any page in the application without being logged in, he is sent to SignIn.aspx first and can navigate to the other pages only after logging in. I am also setting defaultUrl to Home.aspx, so after a successful login the user is taken to Home.aspx automatically and can then navigate to any page.

<authentication mode="Forms">
  <forms loginUrl="SignIn.aspx" defaultUrl="Home.aspx">
  </forms>
</authentication>

Here I am defining some user credentials in Web.Config for login. You can also store the user credentials in a SQL database, which is the better option.

<authentication mode="Forms">
  <forms loginUrl="SignIn.aspx" defaultUrl="Home.aspx">
    <credentials passwordFormat="Clear">
      <user name="jitesh" password="12345"/>
      <user name="amit" password="678910"/>
    </credentials>
  </forms>
</authentication>

passwordFormat has three options:

Clear - the password is stored as plain text

MD5 - the password is stored as an MD5 hash

SHA1 - the password is stored as a SHA1 hash
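When passwordFormat is MD5 or SHA1, the password attribute in each user element must hold the hex digest of the password, because FormsAuthentication.Authenticate hashes the submitted password with the same algorithm before comparing. The following added example (not code from the original article) builds that credentials element from plain-text passwords using FormsAuthentication.HashPasswordForStoringInConfigFile, the framework method that produces exactly the digest format the credentials section expects (it is marked obsolete since .NET 4.5 but still works). CredentialConfigBuilder, HashForConfig and BuildCredentialsElement are assumed names. Note that both MD5 and SHA1 here are unsalted single-pass hashes, so anyone who obtains a copy of Web.Config can guess the passwords offline; a database-backed store with a salted, iterated hash is the stronger choice.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Text;
using System.Web.Security;

// Added example, not part of the original article: emits the <credentials> element
// for Web.Config with passwords hashed the way FormsAuthentication.Authenticate
// will hash the submitted password at login.
public static class CredentialConfigBuilder
{
    // Only these values are valid for passwordFormat; anything else is rejected
    // instead of being silently written as clear text.
    private static readonly HashSet<string> AllowedFormats =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Clear", "MD5", "SHA1" };

    public static string HashForConfig(string password, string passwordFormat)
    {
        if (password == null) throw new ArgumentNullException("password");
        if (!AllowedFormats.Contains(passwordFormat))
            throw new ArgumentException("passwordFormat must be Clear, MD5 or SHA1", "passwordFormat");

        // "Clear" stores the password exactly as typed.
        if (passwordFormat.Equals("Clear", StringComparison.OrdinalIgnoreCase))
            return password;

        // Returns the upper-case hex digest that <credentials passwordFormat="MD5|SHA1">
        // expects. Obsolete since .NET 4.5, but it is still the hash Authenticate() computes.
#pragma warning disable 618
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, passwordFormat);
#pragma warning restore 618
    }

    // users maps user name -> plain-text password (constructed input supplied by the caller).
    public static string BuildCredentialsElement(IDictionary<string, string> users, string passwordFormat)
    {
        var sb = new StringBuilder();
        sb.AppendFormat("<credentials passwordFormat=\"{0}\">", passwordFormat).AppendLine();
        foreach (var kv in users)
        {
            // Escape the values so a name or digest can never break the XML.
            sb.AppendFormat("  <user name=\"{0}\" password=\"{1}\"/>",
                SecurityElement.Escape(kv.Key),
                SecurityElement.Escape(HashForConfig(kv.Value, passwordFormat))).AppendLine();
        }
        sb.Append("</credentials>");
        return sb.ToString();
    }
}
```

Calling BuildCredentialsElement with the two users from the article and "SHA1" yields a credentials element whose password attributes are 40-character hex digests; paste it into the forms element in place of the clear-text version and set passwordFormat to match.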

Here I am denying access to all anonymous users (the "?" wildcard), so that if a user tries to access any page other than SignIn.aspx without logging in, he is redirected to SignIn.aspx to log in.

<authorization>
  <deny users="?"/>
</authorization>

SignIn.aspx

SignIn.aspx is the user login page. It contains a user name textbox (txtName), a password textbox (txtPassword), a "remember password" check box (cbRemember), a Sign In button (btnSignIn) and a message label (lblMsg).


SignIn.aspx.cs

All the forms authentication classes live in the System.Web.Security namespace, so import it in the code-behind.

// Use Namespace
using System.Web.Security;

On the Sign In button's click event, first check whether the credentials the user entered are valid. Here I am using the FormsAuthentication.Authenticate method, which checks the credentials against Web.Config and returns a bool. You can also write your own method that checks the credentials against a SQL database.

If the credentials are correct, call the FormsAuthentication.RedirectFromLoginPage method, which takes the user name and a bool that says whether the authentication cookie should be persisted. This bool simply comes from the "remember password" check box.

FormsAuthentication.RedirectFromLoginPage redirects to the page you defined in defaultUrl in Web.Config; if you did not define one, the default redirection target is Default.aspx.

protected void btnSignIn_Click(object sender, EventArgs e)
{
    // Check user credentials from Web.Config
    // You can also check user credentials from a SQL database
    bool IsUserValid = FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text);

    // Persist the authentication cookie if the user wants
    bool IsRememberPassword = cbRemember.Checked;

    if (IsUserValid)
    {
        // Redirect to Home Page after login
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, IsRememberPassword);
    }
    else
    {
        lblMsg.Text = "Invalid credentials";
    }
}
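The article mentions that you can replace FormsAuthentication.Authenticate with your own method that checks a SQL database. The following added example (not code from the original article) shows what that looks like: UserStore is a constructed in-memory stand-in for the users table, storing a random salt and a PBKDF2 hash per user (Rfc2898DeriveBytes) and comparing in fixed time, and the click handler calls it before the same RedirectFromLoginPage call the article uses. UserStore, Register and ValidateUser are assumed names; the control fields (txtName, txtPassword, cbRemember, lblMsg) come from the page's designer file as in the article. One detail the handler's comment adds: RedirectFromLoginPage honours a ReturnUrl query parameter when the user was bounced to the login page, and falls back to defaultUrl otherwise.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

// Added example, not part of the original article. UserStore is a constructed
// in-memory stand-in for the SQL users table; in a real application Register and
// ValidateUser would run parameterised queries against that table.
public static class UserStore
{
    private const int Iterations = 100000;
    private const int SaltSize = 16;
    private const int HashSize = 32;

    // user name -> (salt, PBKDF2 hash)
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Rows =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);

    // Constructed sample row using the article's first user, so the page can be tried out.
    static UserStore()
    {
        Register("jitesh", "12345");
    }

    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Rows[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    public static bool ValidateUser(string userName, string password)
    {
        Tuple<byte[], byte[]> row;
        if (userName == null || password == null || !Rows.TryGetValue(userName, out row))
            return false;
        byte[] candidate = Derive(password, row.Item1);
        return FixedTimeEquals(candidate, row.Item2);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte so the time taken does not reveal where a mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public partial class SignIn : Page
{
    protected void btnSignIn_Click(object sender, EventArgs e)
    {
        if (UserStore.ValidateUser(txtName.Text, txtPassword.Text))
        {
            // Same call as in the article; the cookie is persisted only when asked for.
            // Redirects to the ReturnUrl query parameter if present, else to defaultUrl.
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, cbRemember.Checked);
        }
        else
        {
            // One generic message for a wrong name and a wrong password alike.
            lblMsg.Text = "Invalid credentials";
        }
    }
}
```

Because the salt is random per user, two users with the same password get different stored hashes, and the iteration count makes offline guessing far slower than against the MD5 or SHA1 digests of the Web.Config credentials section.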

Home.aspx

After the user has logged in successfully and arrives on Home.aspx, you can show his name by reading Context.User.Identity.Name.

On the Logout button's click event, just call FormsAuthentication.SignOut() to sign out, then redirect to the login page.

Home.aspx.cs

protected void Page_Load(object sender, EventArgs e)
{
    // Show the logged-in user's name (note the space after "Hello")
    lblUser.Text = "Hello " + Context.User.Identity.Name;
}

// Log Out Button Click's Event
protected void btnSignout_Click(object sender, EventArgs e)
{
    FormsAuthentication.SignOut();
    FormsAuthentication.RedirectToLoginPage();
}
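Context.User.Identity.Name comes from the forms authentication ticket that RedirectFromLoginPage stored in the cookie. The following added example (not code from the original article) extends the Home.aspx code-behind to decrypt that cookie with FormsAuthentication.Decrypt and display when the ticket was issued, when it expires and whether it is persistent, and to abandon server-side session state at logout alongside SignOut, since the two are independent. lblTicket is an assumed control name; lblUser and btnSignout are the article's.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example, not part of the original article: inspects the forms ticket
// behind Context.User and performs a complete sign-out.
public partial class Home : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        lblUser.Text = "Hello " + Context.User.Identity.Name;

        // The ticket is encrypted and MAC-protected with the machineKey; Decrypt
        // validates it before returning, so a tampered cookie never yields a ticket.
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            ticket = null; // any decryption or validation failure counts as "no ticket"
        }

        if (ticket != null && !ticket.Expired)
        {
            // IsPersistent reflects the "remember password" choice made at login.
            lblTicket.Text = string.Format(
                "Ticket issued {0:u}, expires {1:u}, persistent: {2}",
                ticket.IssueDate, ticket.Expiration, ticket.IsPersistent);
        }
    }

    protected void btnSignout_Click(object sender, EventArgs e)
    {
        // SignOut removes the forms authentication cookie...
        FormsAuthentication.SignOut();
        // ...but session state is a separate cookie and store, so drop it as well.
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

If the ticket has expired, Context.User.Identity.IsAuthenticated is already false and the authorization rule in Web.Config redirects the request to SignIn.aspx before Page_Load runs, so the expired branch above is only reached on pages that anonymous users are allowed to open.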

SignUp.aspx

We already denied access to all anonymous users in Web.Config, so a user who wants to sign up and goes to SignUp.aspx is redirected to SignIn.aspx, because we specified that SignIn.aspx is the only page an unauthorized user can access.

To fix this and allow any unauthorized user to access SignUp.aspx, add the following to Web.Config.

<location path="SignUp.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Assigning authentication per page

If only a few pages in your application require login credentials, there is no need to deny all users. Just add the code below to those pages: it checks whether the user is authenticated, and if an unauthorized user accesses the page he is redirected to the login page, while users can freely navigate to the pages that do not require login.

protected void Page_Load(object sender, EventArgs e)
{
    if (!Context.User.Identity.IsAuthenticated)
    {
        FormsAuthentication.RedirectToLoginPage();
    }
}
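Repeating that Page_Load check on every protected page is easy to forget on one of them. The following added example (not code from the original article) moves the same check into a base page class that protected pages inherit, runs it in OnInit so it happens before any page logic, and calls CompleteRequest after the redirect so the rest of the page life cycle is skipped (RedirectToLoginPage issues the redirect without ending the response). SecurePage and Orders are assumed names.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Added example, not part of the original article: the article's per-page
// authentication check as a reusable base class.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!Context.User.Identity.IsAuthenticated)
        {
            // Same redirect as the article; RedirectToLoginPage appends the current URL
            // as ReturnUrl, so RedirectFromLoginPage brings the user back here after login.
            FormsAuthentication.RedirectToLoginPage();
            // Stop the remaining page events (Load, Render) from running for this request.
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}

// A page that requires login simply derives from SecurePage instead of Page;
// pages that stay open to everyone keep deriving from Page.
public partial class Orders : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached by an authenticated user.
        lblUser.Text = "Hello " + Context.User.Identity.Name;
    }
}
```

The Inherits attribute in the page's .aspx directive must match the class name, so switching a page over is a one-word change in the markup plus the base class change in the code-behind.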
