Share via


Forms Authentication Utilities

To manage forms authentication, you can use static methods of the FormsAuthentication class. The following table lists the methods.

Method

Description

Authenticate

Attempts to validate the credentials from the configured credential store, given the supplied credentials.

Decrypt

Returns an instance of the FormsAuthenticationTicket class, given an encrypted authentication ticket obtained from an HTTP cookie.

Encrypt

Given a FormsAuthenticationTicket, produces a string containing an encrypted authentication ticket suitable for use in an HTTP cookie.

GetAuthCookie

Retrieves an encrypted authentication cookie as an HttpCookie instance. The cookie is not added to the Cookies collection.

GetRedirectUrl

Returns the redirection URL for the request that caused the redirect to the logon page.

HashPasswordForStoringInConfigFile

Given a password and a string identifying the hash type, produces a hash password suitable for storing in a configuration file.

Initialize

Initializes the FormsAuthentication class by reading configuration settings and getting the cookie values and encryption values for the current application.

RedirectFromLoginPage

Redirects an authenticated user to the originally requested URL.

RenewTicketIfOld

Updates the sliding expiration on a FormsAuthenticationTicket.

SetAuthCookie

Creates an authentication ticket and attaches it to the cookie collection of the outgoing response.

SignOut

Removes the authentication ticket by setting the authentication cookie or URL text to an empty value. This removes both durable and session cookies.

Important

Although the SignOut method clears the ticket from the authenticated browser session, your application can still be susceptible to a replay attack from an unwanted source that has "sniffed" an authentication ticket. For information on mitigating against a replay attack with forms authentication, see SignOut.

The following table lists helpful properties for managing forms authentication tickets.

Property

Description

FormsCookieName

Gets the cookie name for the current application.

FormsCookiePath

Gets the cookie path for the current application.

CookiesSupported

Gets a value that indicates whether the application is configured to support cookieless forms authentication.

CookieMode

Gets a value that indicates whether the application is configured for cookieless forms authentication.

CookieDomain

Gets the value of the domain of the forms authentication cookie.

DefaultUrl

Gets the URL that forms authentication will redirect to if no redirect URL is specified.

LoginUrl

Gets the URL for the logon page that forms authentication will redirect to.

RequireSSL

Gets a value indicating whether cookies must be transmitted using Secure Sockets Layer (SSL).

SlidingExpiration

Gets a value indicating whether sliding expiration is enabled.

EnableCrossAppRedirects

Gets a value indicating whether authenticated users can be redirected to URLs in other Web applications when the forms authentication ticket is not stored in a cookie.

You can use the methods of the FormsAuthentication class to customize the way forms authentication works. You can also use them in the logon page handler to avoid having to explicitly code the redirection. The following code example shows an ASP.NET Web page that authenticates the user and redirects to the requested page.

<html>
<head>
<script language="VB" runat=server>
    Sub SubmitBtn_Click(Source As Object, e As EventArgs)
        ' Try to authenticate credentials supplied by user.
        If FormsAuthentication.Authenticate _
                (UserName.Value, UserPassword.Value) Then
            Dim ticket As New FormsAuthenticationTicket _
                (UserName.Value, False, 5000)
            FormsAuthentication.RedirectFromLoginPage _
                (UserName.Value, Persist.Checked)
        End If
    End Sub
</script>
</head>

<body>
<form method=post runat=server>
    <table>
        <tr>
            <td>Name:</td>
            <td><input type="text" id="UserName" runat=server/>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" id="UserPassword" runat=server/>
            </td>
        </tr>
    </table>

    <input type="checkbox" id="Persist" runat=server/>
    <!-- Use persistent cookie -->
    <br>
    <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/>
</form>
</body>
</html>
<html>
<head>
<script language="C#" runat=server>
    void SubmitBtn_Click(Object Source, EventArgs e)
    {
        // Try to authenticate credentials supplied by user.
        if (FormsAuthentication.Authenticate(UserName.Value, 
                UserPassword.Value))
        {
            FormsAuthenticationTicket ticket = new 
                FormsAuthenticationTicket(UserName.Value, false, 5000);
                  
            FormsAuthentication.RedirectFromLoginPage(UserName.Value,
                Persist.Checked);
        }
    }
</script>
</head>

<body>

<form method=post runat=server>
    <table>
        <tr>
            <td>Name:</td>
            <td><input type="text" id="UserName" runat=server/></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" id="UserPassword" runat=server/>
            </td>
        </tr>
    </table>

    <input type="checkbox" id="Persist" runat=server/>
    <!-- Use persistent cookie. -->
    <br>
    <input type="submit" OnServerClick="SubmitBtn_Click" runat=server/>
</form>
</body>
</html>

Applications that need detailed control over the HTTP cookie properties can construct the ticket and perform the redirection in custom code. In those cases, you should use encryption methods of the FormsAuthentication class to encrypt the authentication ticket.

See Also

Reference

FormsAuthentication

FormsAuthenticationTicket

HttpCookie

Other Resources

ASP.NET Web Application Security

Forms Authentication Provider