Where Active Directory is not available, we need to implement a different mechanism to authenticate users. Forms Authentication lets us create a simple login page that validates whether a user is valid based on the user name and password entered by the user. After validating the user, an HTTP cookie is created to store the user's information. The browser passes the cookie with every request so that the server knows who the user is. The cookie is named .ASPXAUTH and its contents are encrypted, as shown in Figure 1. Forms Authentication takes care of cookie management and transport automatically; we do not need to do anything to make it work.
Figure 1. ASPXAUTH cookie content as seen in Chrome
To enable Forms Authentication, we need to set the authentication mode to Forms in the Web.config file and identify where the login page is, as shown below:

<authentication mode="Forms">
  <forms loginUrl="/Account/Login" timeout="60" />
</authentication>
The ASP.NET MVC 4 Internet Application project template includes Forms Authentication as the default mechanism to authenticate users. The template includes an AccountController class that contains several action methods to deal with all the necessary authentication-related view pages, such as log in, log out and change password.
We can customize the code in these action methods if we want. Visual Studio also generates various model classes that contain authentication-related information, such as LoginModel, RegisterModel and ExternalLogin. Visual Studio also generates default view pages that correspond to these action methods. We can customize the user interface of the view pages if we want.
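As an added example (not the template's generated code and not part of the original post), here is what a customized Login action in the AccountController can look like when it issues the .ASPXAUTH cookie through FormsAuthentication. It assumes a LoginModel with UserName, Password and RememberMe properties (mirroring the template's model) and a configured membership provider so that Membership.ValidateUser works; the MVC 4 template itself calls WebSecurity.Login instead, so the validation call is an assumption, not the template's code.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Assumed view model, shaped like the template's LoginModel.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // GET: /Account/Login  (the page loginUrl in Web.config points at)
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]   // the login form must carry the anti-forgery token
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Assumption: a membership provider is configured. The template uses
        // WebSecurity.Login from WebMatrix.WebData for this step instead.
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            // Forms Authentication creates the encrypted .ASPXAUTH cookie here.
            // RememberMe selects a persistent cookie whose lifetime is the
            // configured timeout rather than the browser session.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return RedirectToLocal(returnUrl);
        }

        // One generic message for both unknown user and wrong password.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // POST: /Account/LogOff
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();   // removes the .ASPXAUTH cookie
        return RedirectToAction("Index", "Home");
    }

    // Follow returnUrl only when it stays inside this site, so the login
    // page cannot be used to bounce users to an arbitrary external address.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

Mark the GET and POST Login actions [AllowAnonymous] so that a site-wide [Authorize] filter does not redirect the login page to itself; the cookie's name, encryption and transport still come entirely from the forms element in Web.config.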
There are two properties to configure the behavior of Forms Authentication:

• loginUrl: Tells ASP.NET where to redirect the user for login when a request is made to access a secured area. We should place the login page in a folder that requires SSL (Secure Sockets Layer); this helps ensure the integrity of the credentials as they pass from browser to server.

• timeout: Specifies the lifetime of the Forms Authentication session. The default value is 30 minutes. The timeout attribute also applies to a persistent Forms cookie and sets the lifetime of that cookie.
There are more configuration properties for Forms Authentication. Following is the list of properties included in the Internet Application project template. We can find the complete list of properties that can be used to configure Forms Authentication at http://bit.ly/FormsAuthSettings.

• protection: Specifies privacy and integrity protection for the Forms Authentication ticket. It causes the authentication ticket stored in the cookie to be encrypted.

• name: Specifies the HTTP cookie to be used for authentication. The default is “.ASPXAUTH”.

• path: Limits the scope of the cookie to a particular folder in the application. The default of “/” indicates that the cookie is sent with all requests.

• requireSSL: Can be set to false, which means the authentication cookie will be transmitted over connections without SSL encryption. Setting requireSSL to true reduces the probability of a session hijacking attack.

• slidingExpiration: Can be set to true to enforce a sliding session lifetime, which means the session timeout is periodically reset as long as the user is active on the site.

• defaultUrl: Can be set to the home page of the site.

• cookieless: Can be set to UseDeviceProfile, which tells the application to use cookies for browsers that support them; for browsers that do not support cookies, Forms Authentication sends the authentication ticket in the URL. The other values are UseCookies (always use cookies), UseUri (never use cookies) and AutoDetect (cookies are used if the device profile supports cookies, otherwise they are not used).

• enableCrossAppRedirects: Can be set to false to tell Forms Authentication not to process authentication tickets passed between applications in the query string or as a form POST.
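To show how the properties from both lists above fit together, here is an added Web.config fragment (my own example, not from the original post or the project template). The first forms element leaves the transport-related settings at their permissive values; the second is the same element with the values a security reviewer would expect. A Web.config holds only one authentication element, so the two are alternatives, and the 20-minute timeout and the httpCookies element are my choices, not values from the page.

```xml
<system.web>

  <!-- Permissive: the ticket cookie may travel over plain HTTP, can fall back
       to being carried in the URL, and lives for an hour without activity. -->
  <authentication mode="Forms">
    <forms loginUrl="/Account/Login"
           timeout="60"
           requireSSL="false"
           cookieless="UseDeviceProfile" />
  </authentication>

  <!-- Hardened alternative (use this one; only one authentication element
       may exist in a Web.config). -->
  <authentication mode="Forms">
    <forms loginUrl="/Account/Login"
           name=".ASPXAUTH"
           path="/"
           protection="All"
           timeout="20"
           slidingExpiration="true"
           requireSSL="true"
           cookieless="UseCookies"
           enableCrossAppRedirects="false"
           defaultUrl="~/" />
  </authentication>

  <!-- Assumed extra hardening: mark every cookie the app sets as HttpOnly
       and Secure, so .ASPXAUTH is not readable from script or sent over HTTP. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />

</system.web>
```

With requireSSL="true", Forms Authentication refuses to issue the cookie on a non-HTTPS request, so the login page itself must be served over SSL or the login will fail rather than silently sending the ticket in clear text.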
The ~/Account/Login view for the HaveYouSeenMe sample application is shown in Figure 2. It is a strongly typed view using the LoginModel view model. We can customize the look and feel of the view page to match the design of our web site.