Creating Form-Based Security

As with all things .NET, authentication and authorization have been thoroughly thought out and revisions have been made and objects created to deal with these issues within the .NET Framework. It all starts as most application configuration issues do, in the Web.Config file located in the root of your application.

Now I must start out by explaining that four different modes of authentication are available for use in the .NET Framework for ASP.NET pages.

• Forms. Uses ASP.NET form-based authentication.

• Windows. Uses the Windows authentication system on the web server.

• Passport. Uses Microsoft's Passport Authentication.

• None. No authentication, because only anonymous users are expected or because programmers will handle authentication and authorization themselves.

For this chapter, we will be exploring only the Forms mode of authentication. If you are interested in the Windows or Passport method of authentication I would recommend you acquire Inside ASP.NET, by Scott Worley, published by New Riders Publishing.

To tell your web application that you will be using the Forms mode of authentication, you need to set the proper entries in the Web.Config file located in the root of your application. If the <authentication> tag is present anywhere but in the root Web.Config file, the .NET Framework generates an error.

Web.Config

<configuration>      <system.web>          <authentication mode="Forms">          </authentication>      </system.web>  </configuration> 

Of course there's more stuff to add to the Web.Config file, but this is just to demonstrate how to tell your ASP.NET application that you will be using forms-based security.