SUMMARY

The primary enhancement that ASP.NET makes to Web application security is its forms authentication infrastructure. Instead of relying on hand-rolled authorization and authentication techniques, ASP.NET provides a framework for building client authentication into applications without relying on operating system credentials. It takes care of granting an authentication cookie, redirecting unauthenticated users to a login page, and enforcing any authorization rules specified in your configuration files. What is left for you to do is to perform the actual authentication of clients , which typically is a simple query into a database. ASP.NET also defines a role-based authorization mechanism that is convenient for building applications in terms of roles of users instead of hard-coding checks for identities. Finally, the programmatic interface to the security settings in an application are generic enough that you can easily switch between using different authentication mechanisms, with very few changes to your application code. This means that you can build a system based on Windows authentication, and then if you decide to scale out your user base, you can switch to a forms-based authentication system relatively easily.