asp.net.ph


Forms Authentication Credentials



You can allow the FormsAuthenticationModule to handle the authentication process from an application configuration file. Valid user/password pairs can be placed in the <credentials> section of a configuration file. You can compare the credentials collected from the user requesting logon privileges to the list of user/password pairs in the <credentials> section to determine if access should be granted. In the following example, users Mary and John can log on if they provide the correct password:

<credentials passwordFormat = "SHA1" >
   <user name = "Mary" password = "9611E4F94EC4972D5A537EA28C69F89AD28E5B36" />
   <user name = "John" password = "BA7157A99DFE9DD70A94D89844A4B4993B10168F" />
</credentials>

Notice that the credential pairs must be contained within a <credentials> section, the password format is Secure Hash Algorithm-1 (SHA1), the user names are in clear text, and the passwords are hashed using the SHA1 algorithm. No salt is stored with a hash, so two users with the same password have identical password values.

The passwordFormat attribute is required, and can be one of the values listed in the following table.

| Value | Description |
|-------|-------------|
| Clear | Passwords are stored in clear text. The user password is compared directly to this value without further transformation. |
| MD5 | Passwords are stored using a Message Digest 5 (MD5) hash digest. When credentials are validated, the user password is hashed using the MD5 algorithm and compared for equality with this value. The clear-text password is never stored or compared when using this value. This algorithm produces better performance than SHA1. |
| SHA1 | Passwords are stored using the SHA1 hash digest. When credentials are validated, the user password is hashed using the SHA1 algorithm and compared for equality with this value. The clear-text password is never stored or compared when using this value. Use this algorithm for best security. |

At this time there is no ASP.NET tool for creating hashed passwords for insertion into configuration files. However, there are classes and methods that make it easy to create them programmatically. One helpful class for this task is FormsAuthentication: its HashPasswordForStoringInConfigFile method does the hashing. In .NET Framework 4.5 and later, that method is marked obsolete. At a lower level, you can use the System.Security.Cryptography classes as well.
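The lower-level System.Security.Cryptography route mentioned above, as an added example that is not code from the original page: it hashes a password into the form used in the <credentials> section, checks a logon attempt against a stored value, and emits the <user> element. The class and method names are hypothetical, the account is constructed, and the encoding (UTF-8 bytes, one unsalted hash, upper-case hex) is an assumption based on the 40-character SHA1 values in the sample.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class CredentialHasher   // hypothetical helper, not an ASP.NET class
{
    // Produce the value for a <user password="..."> attribute.
    // Assumption: UTF-8 bytes, hashed once with no salt, upper-case hex.
    public static string HashForConfig(string password, string passwordFormat)
    {
        using (HashAlgorithm alg = Create(passwordFormat))
        {
            byte[] digest = alg.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    static HashAlgorithm Create(string passwordFormat)
    {
        if (passwordFormat == "SHA1") return SHA1.Create();
        if (passwordFormat == "MD5") return MD5.Create();
        throw new ArgumentException("passwordFormat must be SHA1 or MD5");
    }

    // Check a logon attempt against the stored value without an early exit,
    // so response time does not reveal how many leading characters matched.
    public static bool Matches(string storedHash, string attempt, string passwordFormat)
    {
        string computed = HashForConfig(attempt, passwordFormat);
        int diff = storedHash.Length ^ computed.Length;
        for (int i = 0; i < storedHash.Length && i < computed.Length; i++)
            diff |= char.ToUpperInvariant(storedHash[i]) ^ computed[i];
        return diff == 0;
    }

    // Build the <user> element; the name is XML-escaped before insertion.
    public static string UserElement(string name, string password, string passwordFormat)
    {
        return string.Format("<user name=\"{0}\" password=\"{1}\" />",
            SecurityElement.Escape(name), HashForConfig(password, passwordFormat));
    }

    static void Main()
    {
        // Constructed sample account; not one of the users shown on the page.
        Console.WriteLine(UserElement("Alice", "constructed-sample-passphrase", "SHA1"));
    }
}
```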



© 2025 Reynald Nuñez and asp.net.ph. All rights reserved.
