
Forms-based authentication is used to implement customized logic for authenticating users without having to worry about session management using cookies. It gives the developer more control over which files on the site can be accessed and by whom, and allows a login page to be identified. This mechanism automatically redirects an unauthenticated user to the login page and asks them to provide proper credentials (e.g. a username/password combination). If the login is successful, ASP.NET issues a cookie to the user and redirects them to the specific resource they originally requested. This cookie allows the user to revisit protected resources without having to log in repeatedly.
There are two basic approaches to identifying a client who has previously logged on:
1. Cookies:
A cookie is a small piece of data initially presented by the server to the client. It is subsequently presented by the client back to the server within each HTTP request. This can be used as an indication that the client has already been authenticated. ASP.NET provides a mechanism to use cookies for Forms authentication in the CookieAuthenticationProvider module. Cookies are supported by most web browsers, including Internet Explorer and Netscape Navigator.
2. Custom:
We can implement our own custom mechanism to identify the client to the server. If our clients have disabled cookies, we may consider storing a unique identifier within each URL query string. We can also use hidden form fields, which are stored in a persistent top-level or non-visible frame. In either case, we need to make sure that an attacker cannot programmatically simulate being authenticated to our application.
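The redirect-to-login, issue-cookie, redirect-back flow described above, as an added example that is not code from the original page. It assumes a login page named Login.aspx with UserName, Password and ErrorLabel controls, and a user store reachable through the Membership provider.

```csharp
// Login.aspx.cs (assumed page name). The flow is driven by web.config:
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="20" requireSSL="true" protection="All" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
// deny users="?" makes ASP.NET redirect anonymous requests to loginUrl with a
// ReturnUrl query parameter; protection="All" encrypts and MACs the ticket so
// a forged or edited cookie is rejected; requireSSL keeps it off plain HTTP.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    // Credential check against the site's user store (Membership provider assumed).
    private static bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        if (ValidateCredentials(user, Password.Text))
        {
            // Issues the forms-authentication cookie and redirects to the page the
            // user originally requested (ReturnUrl), or to defaultUrl if absent.
            // Unless enableCrossAppRedirects is turned on, a ReturnUrl outside this
            // application is replaced by defaultUrl, so the login page cannot be
            // abused as an open redirect. A session (non-persistent) cookie is used.
            FormsAuthentication.RedirectFromLoginPage(user, createPersistentCookie: false);
        }
        else
        {
            // Same message for unknown user and wrong password: no account enumeration.
            ErrorLabel.Text = "Invalid user name or password.";
        }
    }

    // Logout handler: removes the ticket cookie and sends the user back to loginUrl.
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

On any protected page, User.Identity.IsAuthenticated and User.Identity.Name then reflect the validated ticket rather than anything the client sent in the clear.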