Forms Authentication Utilities

To manage forms authentication, you can use static methods of the FormsAuthentication class. The following table lists the methods.

Method

Description

Authenticate

Attempts to validate the credentials from the configured credential store, given the supplied credentials.

Decrypt

Returns an instance of the FormsAuthenticationTicket class, given an encrypted authentication ticket obtained from an HTTP cookie.

Encrypt

Given a FormsAuthenticationTicket, produces a string containing an encrypted authentication ticket suitable for use in an HTTP cookie.

GetAuthCookie

Retrieves an encrypted authentication cookie as an HttpCookie instance. The cookie is not added to the Cookies collection.

GetRedirectUrl

Returns the redirection URL for the request that caused the redirect to the logon page.

HashPasswordForStoringInConfigFile

Given a password and a string identifying the hash type, produces a hash password suitable for storing in a configuration file.

Initialize

Initializes the FormsAuthentication class by reading configuration settings and getting the cookie values and encryption values for the current application.

RedirectFromLoginPage

Redirects an authenticated user to the originally requested URL.

RenewTicketIfOld

Updates the sliding expiration on a FormsAuthenticationTicket.

SetAuthCookie

Creates an authentication ticket and attaches it to the cookie collection of the outgoing response.

SignOut

Removes the authentication ticket by setting the authentication cookie or URL text to an empty value. This removes both durable and session cookies.

Important
Although the SignOut method clears the ticket from the authenticated browser session, your application can still be susceptible to a replay attack from an unwanted source that has "sniffed" an authentication ticket. For information on mitigating against a replay attack with forms authentication, see SignOut.

The following table lists helpful properties for managing forms authentication tickets.

Property	Description
FormsCookieName	Gets the cookie name for the current application.
FormsCookiePath	Gets the cookie path for the current application.
CookiesSupported	Gets a value that indicates whether the application is configured to support cookieless forms authentication.
CookieMode	Gets a value that indicates whether the application is configured for cookieless forms authentication.
CookieDomain	Gets the value of the domain of the forms authentication cookie.
DefaultUrl	Gets the URL that forms authentication will redirect to if no redirect URL is specified.
LoginUrl	Gets the URL for the logon page that forms authentication will redirect to.
RequireSSL	Gets a value indicating whether cookies must be transmitted using Secure Sockets Layer (SSL).
SlidingExpiration	Gets a value indicating whether sliding expiration is enabled.
EnableCrossAppRedirects	Gets a value indicating whether authenticated users can be redirected to URLs in other Web applications when the forms authentication ticket is not stored in a cookie.

You can use the methods of the FormsAuthentication class to customize the way forms authentication works. You can also use them in the logon page handler to avoid having to explicitly code the redirection. The following code example shows an ASP.NET Web page that authenticates the user and redirects to the requested page.

Visual BasicВ	Copy Code
<html> <head> <script language="VB" runat=server> Sub SubmitBtn_Click(Source As Object, e As EventArgs) ' Try to authenticate credentials supplied by user. If FormsAuthentication.Authenticate _ (UserName.Value, UserPassword.Value) Then Dim ticket As New FormsAuthenticationTicket _ (UserName.Value, False, 5000) FormsAuthentication.RedirectFromLoginPage _ (UserName.Value, Persist.Checked) End If End Sub </script> </head> <body> <form method=post runat=server> <table> <tr> <td>Name:</td> <td><input type="text" id="UserName" runat=server/> </tr> <tr> <td>Password:</td> <td><input type="password" id="UserPassword" runat=server/> </td> </tr> </table> <input type="checkbox" id="Persist" runat=server/> <!-- Use persistent cookie --> <br> <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/> </form> </body> </html>

Visual BasicВ

Copy Code

<html>
<head>
<script language="VB" runat=server>
    Sub SubmitBtn_Click(Source As Object, e As EventArgs)
        ' Try to authenticate credentials supplied by user.
        If FormsAuthentication.Authenticate _
                (UserName.Value, UserPassword.Value) Then
            Dim ticket As New FormsAuthenticationTicket _
                (UserName.Value, False, 5000)
            FormsAuthentication.RedirectFromLoginPage _
                (UserName.Value, Persist.Checked)
        End If
    End Sub
</script>
</head>

<body>
<form method=post runat=server>
    <table>
        <tr>
            <td>Name:</td>
            <td><input type="text" id="UserName" runat=server/>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" id="UserPassword" runat=server/>
            </td>
        </tr>
    </table>
    <input type="checkbox" id="Persist" runat=server/>
    <!-- Use persistent cookie -->
    <br>
    <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/>
</form>
</body>
</html>

C#В	Copy Code
<html> <head> <script language="C#" runat=server> void SubmitBtn_Click(Object Source, EventArgs e) { // Try to authenticate credentials supplied by user. if (FormsAuthentication.Authenticate(UserName.Value, UserPassword.Value)) { FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(UserName.Value, false, 5000); FormsAuthentication.RedirectFromLoginPage(UserName.Value, Persist.Checked); } } </script> </head> <body> <form method=post runat=server> <table> <tr> <td>Name:</td> <td><input type="text" id="UserName" runat=server/></td> </tr> <tr> <td>Password:</td> <td><input type="password" id="UserPassword" runat=server/> </td> </tr> </table> <input type="checkbox" id="Persist" runat=server/> <!-- Use persistent cookie. --> <br> <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/> </form> </body> </html>

C#В

Copy Code

<html>
<head>
<script language="C#" runat=server>
    void SubmitBtn_Click(Object Source, EventArgs e)
    {
        // Try to authenticate credentials supplied by user.
        if (FormsAuthentication.Authenticate(UserName.Value, 
                UserPassword.Value))
        {
            FormsAuthenticationTicket ticket = new 
                FormsAuthenticationTicket(UserName.Value, false, 5000);
                  
            FormsAuthentication.RedirectFromLoginPage(UserName.Value,
                Persist.Checked);
        }
    }
</script>
</head>

<body>

<form method=post runat=server>
    <table>
        <tr>
            <td>Name:</td>
            <td><input type="text" id="UserName" runat=server/></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" id="UserPassword" runat=server/>
            </td>
        </tr>
    </table>
    <input type="checkbox" id="Persist" runat=server/>
    <!-- Use persistent cookie. -->
    <br>
    <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/>
</form>
</body>
</html>

Applications that need detailed control over the HTTP cookie properties can construct the ticket and perform the redirection in custom code. In those cases, you should use encryption methods of the FormsAuthentication class to encrypt the authentication ticket.

See Also

Reference

Other Resources