Forms Authentication in Asp.Net
Forms authentication is best suited to internet-based applications where only authenticated users are allowed to access the application.
Application Introduction
To understand forms authentication, we created an application with the following pages:
SignIn.aspx - User login page
Home.aspx - Page the user lands on after a successful login
SignUp.aspx - User registration page
The steps for setting up forms authentication in the application are explained in the following sections:
Web.Config
Define the authentication mode in Web.Config. The mode options are Forms, Passport, Windows and None.
<system.web>
<authentication mode="Forms">
</authentication>
</system.web>
Define your user login page and the first page shown after a successful login. Here I set loginUrl to SignIn.aspx, so a user who tries to access any page in my application without logging in is first sent to SignIn.aspx, and after login he can navigate to the other pages. I set defaultUrl to Home.aspx, so after a successful login the user automatically goes to Home.aspx and from there can navigate to any page.
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" defaultUrl="Home.aspx">
</forms>
</authentication>
Here I am defining some user credentials in Web.Config for login. You can also store your user credentials in a SQL database, which is the better option.
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" defaultUrl="Home.aspx">
<credentials passwordFormat="Clear">
<user name="jitesh" password="12345"/>
<user name="amit" password="678910"/>
</credentials>
</forms>
</authentication>
passwordFormat has three options:
Clear - Password stored in clear text
MD5 - Password stored as an MD5 hash
SHA1 - Password stored as a SHA1 hash
Here I am denying access to all anonymous users, so that if a user tries to access any page other than SignIn.aspx without logging in, he is redirected straight to SignIn.aspx to log in.
<authorization>
<deny users="?"/>
</authorization>
SignIn.aspx
Below is the SignIn.aspx page design. This page is for user login.
SignIn.aspx.cs
The forms authentication classes live in the System.Web.Security namespace.
// Use Namespace
using System.Web.Security;
On the Sign In button's click, first check whether the credentials the user entered are valid. Here I am using the FormsAuthentication.Authenticate method, which checks the user's credentials against Web.Config and returns a bool. You can also write your own method that checks user credentials against a SQL database.
If the credentials are correct, call FormsAuthentication.RedirectFromLoginPage, which takes the user name and a bool saying whether the authentication cookie should persist. This bool is simply taken from the "remember password" check box.
FormsAuthentication.RedirectFromLoginPage redirects directly to the page you defined in defaultUrl in Web.Config; if you did not define one, the default redirection target is Default.aspx.
protected void btnSignIn_Click(object sender, EventArgs e)
{
    // Check user credentials against Web.Config
    // You can also check user credentials against a SQL database
    bool isUserValid = FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text);
    // Persist the authentication cookie if the user asked to be remembered
    bool isRememberPassword = cbRemember.Checked;
    if (isUserValid)
    {
        // Redirect to the home page (defaultUrl) after login
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, isRememberPassword);
    }
    else
    {
        lblMsg.Text = "Invalid credentials";
    }
}
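The text above suggests checking credentials against a SQL database instead of Web.Config. The following added example (not from the original article) shows such a custom check: it stores a random salt and a PBKDF2 hash per user instead of a clear-text, MD5 or SHA1 password, and compares hashes in constant time. The in-memory PasswordStore dictionary is a constructed stand-in for the users table, and Register is what SignUp.aspx would call.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class PasswordStore
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Constructed in-memory stand-in for a users table (sample only, not thread-safe).
    // Each value is "base64(salt):base64(hash)".
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Called from SignUp.aspx: store only a random salt and the derived hash, never the password.
    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash = Derive(password, salt);
        Users[userName] = Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Replacement for FormsAuthentication.Authenticate in btnSignIn_Click.
    // Returns true only if the hash derived from the supplied password matches the stored one.
    public static bool Validate(string userName, string password)
    {
        string record;
        if (userName == null || password == null || !Users.TryGetValue(userName, out record))
            return false;
        string[] parts = record.Split(':');
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, salt);

        // Constant-time comparison so response timing does not leak how many bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // PBKDF2 via Rfc2898DeriveBytes (HMAC-SHA1 by default) with a high iteration count.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }
}
```

In btnSignIn_Click, replace the FormsAuthentication.Authenticate call with PasswordStore.Validate(txtName.Text, txtPassword.Text); the rest of the handler stays the same.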
Home.aspx
After the user has logged in successfully and arrives on Home.aspx, you can show his name by reading Context.User.Identity.Name.
On the Logout button's click, just call FormsAuthentication.SignOut() to sign out, then redirect to the login page.
Home.aspx.cs
protected void Page_Load(object sender, EventArgs e)
{
    // Show the name of the authenticated user
    lblUser.Text = "Hello " + Context.User.Identity.Name;
}
// Log Out button's click event
protected void btnSignout_Click(object sender, EventArgs e)
{
    // Remove the forms authentication ticket, then go back to loginUrl
    FormsAuthentication.SignOut();
    FormsAuthentication.RedirectToLoginPage();
}
SignUp.aspx
We already denied access to all anonymous users in Web.Config, so a user who wants to sign up and goes to SignUp.aspx is redirected to SignIn.aspx, because we defined that only SignIn.aspx can be accessed without logging in.
To fix this and allow any unauthenticated user to access SignUp.aspx, just add the code below to Web.Config.
<location path="SignUp.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Assigning authentication on a page
If only a few pages in your application require a logged-in user, there is no need to deny all users. Just add the code below to those pages: it checks whether the user is authenticated and, if not, redirects him to the login page, while the other pages remain freely navigable.
protected void Page_Load(object sender, EventArgs e)
{
    // Send unauthenticated users to loginUrl; authenticated users see the page
    if (!Context.User.Identity.IsAuthenticated)
    {
        FormsAuthentication.RedirectToLoginPage();
    }
}