February 24, 2021
Hot Topics:

The Lowdown on ASP.NET Authentication

  • By Karl Moore
  • Send Email »
  • More Articles »

If you've created a Web application in Visual Studio .NET, you should be aware that—by default—anyone can access your pages. However, there is a way to keep nosy, unwanted types out. It's called authentication.

ASP.NET includes support for three core types of authentication: Windows, which allows only certain Windows accounts to access a page; Passport, which uses the Microsoft Passport universal login system to verify a user (a pay service); and Forms, the most popular method of authentication, which we'll be covering here.

When a user attempts to access a page that uses Forms authentication, they get redirected to a login screen. From here, your surfer can provide a username and password. You then validate the credentials and grant or deny access to your pages accordingly.

Want to set up ASP.NET Forms authentication? Just follow my five quick and easy steps.

  1. Open the Web.config file in your Solution. This stores a number of settings for your Web application. Edit the <authentication> element so that it reads something like the following. (Alter usernames and passwords as appropriate, and watch both your casing and spacing.) This provides your application with a list of valid users.
    <authentication mode="Forms">
          <credentials passwordFormat="Clear">
            <user name="test1" password="password" />
            <user name="test2" password="password" />
  2. Still in the Web.config file, remove the <allow users="*" /> line from within the <authorization> element. This line grants access to anyone, and we've just erased it.
  3. Still within the <authorization> element, add the following line to deny access to all unknown users (that is, those not authenticated):
  4. <deny users="?" />
  5. Create a page called login.aspx. By default, all unauthenticated users will be redirected to this page. Add TextBox controls (txtUsername and txtPassword) for your browser to supply credentials. Also, add a CheckBox control (chkPersist) to be used if the user wants his or her machine to automatically log them in next time.
  6. Behind a login button on your login.aspx page, add code similar to the following to authenticate your user:
  7. If System.Web.Security.FormsAuthentication.Authenticate( _
       txtUsername.Text, txtPassword.Text) = True Then
       System.Web.Security.FormsAuthentication.RedirectFromLogin _
         Page(txtUsername.Text, chkPersist.Checked)
       Response.Write("Invalid credentials - go back and try _
    End If

And that's it! Now, whenever a user visits a page in your application—and they're unauthenticated—they'll be redirected to login.aspx. From there, they'll be able to provide credentials. The .Authenticate method attempts to match these with a valid username and password combination in Web.config. If the credentials are invalid, a generic error message is displayed. If everything is fine, the .RedirectFromLoginPage method runs, taking the username and whether the login "persists" (that is, is remembered by the computer between sessions) as arguments, and then sends the user back to the initially requested page.

After this, whenever you need to refer back to the username, simply check out the User.Identity.Name property. And, when the user requests to explicitly log out, run code similar to the following:

Top Tip: If you don't want to use login.aspx as your login form, you can change the page by adding a loginUrl attribute to the <forms> element of your Web.config file. For example, the following tag makes myloginpage.aspx the default login page: <forms loginUrl="myloginpage.aspx" />.

Figure: Authentication kicking in, as I try to access a restricted page

Page 1 of 2

This article was originally published on January 14, 2004

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date