asp.net.ph


Creating a Forms Authentication Ticket



The authentication ticket is a linear representation of the FormsAuthenticationTicket class suitable for encoding as an HTTP form or query string.

To create an authentication ticket form from a FormsAuthenticationTicket class

  1. Convert FormsAuthenticationTicket.IssueDate to a time_t value (seconds since the epoch).
  2. Concatenate the fields in the order in which they are represented in the class (Version, Name, Expiration, IssueDate, IsPersistent, Expired, UserData).
  3. Compute the Message Authentication Code (MAC) by hashing the concatenation of the previous values and the site-configured encryption key, and concatenate the MAC to the end of the data.

    For more information about MAC algorithms, see the CryptoAPI section of the Microsoft Platform SDK documentation, or the book, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition by Bruce Schneier.

  4. Encrypt the concatenated result using a configurable, site-specific key. Use either Data Encryption Standard (DES) or TripleDES, depending on computer capabilities.
  5. Using Base64, encode the concatenated result to produce the form’s value.

When the form is validated, the FormsAuthenticationModule takes the form’s data, appends the site encryption key, and produces a hash. The resulting hash is compared to the hash in the form itself. If they match, the form is considered valid.
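
The five steps and the validation check above, sketched in C# as an added example; it is not code from the original page and not the framework's own implementation or wire format. It assumes .NET 6 or later, and the function names, the BinaryWriter field encoding, SHA-256, separate MAC and cipher keys, and the prepended random IV are all assumptions the page does not specify.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

// Constructed sample ticket and throwaway keys; two separate keys are an assumption.
byte[] siteMacKey = RandomNumberGenerator.GetBytes(32), siteEncKey = TripleDES.Create().Key;
DateTime now = DateTime.UtcNow;
byte[] fields = Serialize(1, "alice", now.AddMinutes(30), now, false, "");
string formValue = Protect(fields, siteMacKey, siteEncKey);
Console.WriteLine($"site key:  {Validate(formValue, siteMacKey, siteEncKey)}");
Console.WriteLine($"wrong key: {Validate(formValue, new byte[32], siteEncKey)}");

// Steps 1-2: fields in class order, dates as time_t. The byte encoding is an assumption.
byte[] Serialize(int version, string name, DateTime expiration, DateTime issueDate,
                 bool persistent, string userData)
{
    using var ms = new MemoryStream();
    using var w = new BinaryWriter(ms);
    w.Write(version); w.Write(name);
    w.Write(new DateTimeOffset(expiration).ToUnixTimeSeconds());
    w.Write(new DateTimeOffset(issueDate).ToUnixTimeSeconds());
    w.Write(persistent); w.Write(expiration <= DateTime.UtcNow); w.Write(userData);
    return ms.ToArray();
}
// Step 3 as the page words it: hash(data || key). SHA-256 is an assumed hash.
byte[] Mac(byte[] data, byte[] key) => SHA256.HashData(data.Concat(key).ToArray());
// Steps 3-5: append the MAC, encrypt (TripleDES-CBC, random IV prepended), Base64.
string Protect(byte[] data, byte[] macKey, byte[] encKey)
{
    using var tdes = TripleDES.Create();
    tdes.Key = encKey; tdes.GenerateIV();
    byte[] plain = data.Concat(Mac(data, macKey)).ToArray();
    byte[] ct = tdes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
    return Convert.ToBase64String(tdes.IV.Concat(ct).ToArray());
}
// Validation: undo steps 5 and 4, recompute the MAC, compare in constant time.
bool Validate(string encoded, byte[] macKey, byte[] encKey)
{
    try
    {
        byte[] raw = Convert.FromBase64String(encoded);
        using var tdes = TripleDES.Create();
        tdes.Key = encKey; tdes.IV = raw.Take(8).ToArray();
        byte[] plain = tdes.CreateDecryptor().TransformFinalBlock(raw, 8, raw.Length - 8);
        return CryptographicOperations.FixedTimeEquals(plain[^32..], Mac(plain[..^32], macKey));
    }
    catch (Exception e) when (e is FormatException or CryptographicException or ArgumentException)
    { return false; }   // malformed Base64, truncated input or bad padding
}
```

The `Mac` function reproduces the hash-of-data-plus-key construction the page describes; HMAC is the standard keyed-hash construction for this purpose.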



© 2025 Reynald Nuñez and asp.net.ph. All rights reserved.
