Monday, September 19, 2005

ASP.NET authentication modes

Hi all,
Back to basics: I would like to talk a little about Microsoft ASP.NET authentication methods, starting at the conceptual level and bringing it down to the code. It's true that many web sites cover this subject, but what is more interesting than connecting theoretical concepts to real-world samples? That is what we are going to do here.

In this article we will see the three forms of authentication we can use in ASP.NET applications, with a particular illustration of the Forms authentication method. The three methods are:

  • Windows authentication

  • Forms authentication

  • Passport authentication

Windows authentication

With Windows authentication, ASP.NET doesn't rely on the application itself but on the operating system to authenticate the user. When the user requests a secure web page from the application, the request goes to Internet Information Services (IIS). IIS then compares the user's logon with those on the web server or on the domain. If the user's credentials do not match those authorized, IIS rejects the request. The client computer generates a logon dialog box and the user enters the credentials. IIS again compares the credentials to those authorized and, if they are correct, it directs the request to the correct web page, which is sent to the user.

Forms authentication

With Forms authentication, IIS does not perform the authentication. The IIS security settings for the Web application are set to allow anonymous access. When a user requests a web page, IIS authenticates the user as an anonymous user and passes the request to ASP.NET. ASP.NET then checks for the presence of a specific cookie on the client. If the cookie is not found or is invalid, ASP.NET rejects the client and returns a login page. This login page is specified in the Web.config file under the authentication tag. The user supplies logon information on the authentication form and submits the form. Again IIS authenticates the user as anonymous and passes the request to ASP.NET. This time ASP.NET authenticates the user based on the submitted credentials and generates a cookie. The requested secured page and the cookie are returned to the client. As long as the cookie remains valid, the user can view other secured web pages with the same credentials.
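
The Web.config settings behind the flow described above, as an added example that is not code from the original post. The page name Login.aspx, the cookie name and the 20-minute timeout are assumed values chosen for illustration.

```xml
<configuration>
  <system.web>

    <!-- Added example, not from the original post. Login.aspx, the cookie
         name and timeout="20" are assumptions made for illustration. -->
    <authentication mode="Forms">
      <!--
        loginUrl          : the login page ASP.NET returns when the
                            authentication cookie is missing or invalid
        name              : name of the cookie ASP.NET checks on each request
        protection="All"  : the cookie is both encrypted and validated, so a
                            cookie altered on the client is treated as invalid
                            (protection="None" would disable both checks)
        requireSSL="true" : the cookie is only sent over HTTPS, so it does not
                            travel in clear text on plain HTTP requests
        timeout           : number of minutes the cookie remains valid
        slidingExpiration : "false" gives the cookie a fixed lifetime instead
                            of renewing it while the user stays active
        path              : URL path the cookie is sent for
      -->
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             path="/" />
    </authentication>

    <authorization>
      <!-- "?" stands for the anonymous user. IIS lets everyone through as
           anonymous, so this rule is what makes ASP.NET demand the cookie
           and send users without one to the login page. -->
      <deny users="?" />
    </authorization>

  </system.web>
</configuration>
```

With requireSSL="true" the site, including the login page, has to be served over HTTPS, otherwise the browser never sends the cookie back and the user is returned to the login page on every request.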

