ASP.NET provides an infrastructure for authentication and authorization that will meet most of your needs for securing an application. Three authentication schemes are available: Forms, Windows, and Passport.
With Forms authentication you use a classic custom login page to gather credentials from users and to authenticate the information supplied against a database or other data store of authorized users. You can also leverage the FormsAuthentication APIs built into ASP.NET to issue a cookie back to the client. Recipes in this chapter show you how to use Forms authentication to restrict access to some or all pages of an application. We also show you how to restrict access to pages depending on the role assigned to the user.
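The Forms authentication flow just described, as an added example that is not one of the book's recipes: a login page validates credentials against a constructed in-memory user table (standing in for your database), issues a FormsAuthentication ticket that carries the user's roles, and Global.asax rebuilds the principal from that ticket so role-based `<allow roles>` rules apply. The web.config settings named in the comments, the control names, and the sample users are assumptions.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Login.aspx code-behind. web.config is assumed to contain <authentication mode="Forms">
// <forms loginUrl="Login.aspx"/></authentication> and <authorization><deny users="?"/></authorization>.
public class LoginPage : System.Web.UI.Page
{
    protected System.Web.UI.WebControls.TextBox txtUser, txtPassword;
    protected System.Web.UI.WebControls.Label lblError;
    // Constructed in-memory user table standing in for the real data store:
    // user name -> { password hash, comma-separated roles }. No plaintext password is kept.
    static readonly Hashtable Users = new Hashtable();
    static LoginPage()
    {
        Users["alice"] = new string[] { Hash("alice-demo-pw"), "Admin,User" };
        Users["bob"]   = new string[] { Hash("bob-demo-pw"), "User" };
    }
    // Unsalted SHA1 keeps the example short; a production store should use a salted, slow hash.
    static string Hash(string pw) { return FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1"); }
    // Returns the user's roles when the credentials match, otherwise null.
    static string ValidateUser(string user, string password)
    {
        string[] rec = Users[user] as string[];
        return (rec != null && rec[0] == Hash(password)) ? rec[1] : null;
    }
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string roles = ValidateUser(txtUser.Text, txtPassword.Text);
        if (roles == null) { lblError.Text = "Invalid login."; return; }
        // Carry the roles in the ticket's UserData so every later request can see them.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, txtUser.Text, DateTime.Now, DateTime.Now.AddMinutes(30), false, roles);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // keep the ticket out of reach of client-side script
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false));
    }
}
// Global.asax: rebuild the principal from the ticket's roles so that
// <allow roles="Admin"/> in web.config and User.IsInRole("Admin") both work.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) return;   // anonymous request: nothing to rebuild
        FormsIdentity id = Context.User.Identity as FormsIdentity;
        if (id != null) Context.User = new GenericPrincipal(id, id.Ticket.UserData.Split(','));
    }
}
```

Restricting a single page to a role is then a matter of a `<location path="Admin.aspx">` element in web.config with `<allow roles="Admin"/>` followed by `<deny users="*"/>`.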
Implementing Windows authentication involves using a standard Windows dialog box to gather user credentials and validating the user against existing Windows accounts. If your application runs on an intranet, you will find that the last recipe in the chapter helps you implement Windows authentication in record time.
Passport authentication uses Microsoft's Passport service to perform the required authentication. We haven't provided any examples in this chapter, not because Passport authentication is especially difficult but because we doubt many readers are actually implementing it. Irrespective of our personal views, we have yet to see much interest in Passport authentication on a commercial level.
If none of the built-in authentication schemes provided by ASP.NET meets the needs of your application, the .NET Framework provides the ability to create your own authentication scheme. This typically involves writing a custom class that implements the IAuthenticationModule interface and registering it to bypass the built-in .NET authentication. Custom authentication is not covered in this book, because of its individual nature. You can find more details in the MSDN Library by searching for the term "custom authentication".
This chapter provides several recipes for securing your applications using the built-in mechanisms provided by ASP.NET. These are usually adequate to meet the needs of your application.
One of the most important recommendations we can make is that you always have the security features of your application reviewed by key project stakeholders and security specialists. Bringing other perspectives to issues of security is always a good idea, because it is difficult to conceive of all the ways security may be breached in your environment. Having others inspect your plans saves you having to shoulder the entire security burden alone, which is never a wise or comfortable position to be in.