asp.net.ph


The Forms Authentication Module



The FormsAuthenticationModule exposes forms-based authentication services to ASP.NET applications. The module allows you to optionally handle a FormsAuthentication_OnAuthentication event during the authentication process.

You must provide a logon URL that collects and authenticates credentials. If the credentials are valid, you can rely upon the provided helper utilities to redirect the request to the originally requested resource with an appropriate authentication ticket. Alternatively, you can simply get the cookie or set it, if you do not want the redirection. For more information about authentication tickets, see Creating a Forms Authentication Ticket.

In the simplest case, you can just configure a logon URL to redirect unauthenticated requests to a page, supply a minimal implementation of that file customized from an example page, and supply valid credential pairs, either in the Web.config file or in a separate file. The framework takes care of the rest. The following example code shows how this might be handled in an ASP.NET configuration [ Web.config ] file:

<authentication mode = "forms">
   <forms forms = "401kApp" 
      loginurl = "/login.aspx" 
      decryptionkey = "1!#$$*13^">
      <credentials passwordFormat = "SHA1">
         <user name = "Mary" password = "9611E4F94EC4972D5A537EA28C69F89AD28E5B36" />
         <user name = "John" password = "BA7157A99DFE9DD70A94D89844A4B4993B10168F" />
      </credentials>
   </forms>
</authentication>

The FormsAuthenticationModule is configured by the <forms> element in a configuration file. The following table describes how to set the forms, decryptionkey, and loginurl attributes of the <forms> element.

| Attribute | Description |
| --- | --- |
| forms | Name of the HTTP cookie to use for the authentication ticket. By default, this value is .aspxauth. |
| decryptionkey | Key used to decrypt authentication tickets. Note that the default is autogenerate, so a computer-specific key is used, and the cookie cannot be shared between servers. This key is stored in clear text. |
| loginurl | URL to which the request is redirected if it does not contain a valid authentication ticket. This should be an SSL URL (https://) to prevent credentials from being posted in clear text. However, it need not be SSL-protected if the logon form itself posts back to an SSL-protected resource. |
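The two caveats in the table (a literal key stored in clear text, a logon URL that is not https://) can be checked mechanically. The following Python sketch is an added example, not part of the original page or of ASP.NET; the function names, finding codes, the "Temp" user and the sample config are constructed here, and the attribute names are the ones used in this page's example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; attribute names follow this page's example.
SAMPLE_CONFIG = """
<authentication mode="forms">
   <forms forms="401kApp" loginurl="/login.aspx" decryptionkey="1!#$$*13^">
      <credentials passwordFormat="SHA1">
         <user name="Mary" password="9611E4F94EC4972D5A537EA28C69F89AD28E5B36" />
         <user name="Temp" password="changeme" />
      </credentials>
   </forms>
</authentication>
"""

SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")  # SHA-1 digest is 160 bits = 40 hex digits

def lower_attrs(elem):
    """Attribute dict with lower-cased names, so casing differences do not matter."""
    return {k.lower(): v for k, v in elem.attrib.items()}

def audit_forms_config(xml_text):
    """Return (code, detail) findings for the <forms> element in xml_text."""
    root = ET.fromstring(xml_text)
    forms = root if root.tag == "forms" else root.find(".//forms")
    if forms is None:
        return [("NO_FORMS", "no <forms> element found")]
    findings = []
    attrs = lower_attrs(forms)
    # Table caveat 1: an explicit key sits in the file in clear text.
    if attrs.get("decryptionkey", "autogenerate").lower() != "autogenerate":
        findings.append(("KEY_IN_CLEAR", "literal decryptionkey; restrict who can read this file"))

    # Table caveat 2: the logon URL should be https:// unless the form posts back to SSL.
    login = attrs.get("loginurl", "")
    if not login.lower().startswith("https://"):
        findings.append(("LOGIN_NOT_SSL", f"{login!r}: confirm the form posts to an SSL resource"))

    # Added sanity check: under passwordFormat="SHA1" every value must be 40 hex digits;
    # anything else is likely a clear-text password stored by mistake.
    for creds in forms.findall("credentials"):
        if lower_attrs(creds).get("passwordformat", "").upper() == "SHA1":
            for user in creds.findall("user"):
                if not SHA1_HEX.fullmatch(user.get("password", "")):
                    findings.append(("BAD_HASH", user.get("name", "?")))
    return findings

if __name__ == "__main__":
    print(audit_forms_config(SAMPLE_CONFIG))
```

A LOGIN_NOT_SSL finding is a prompt to review rather than a definite fault, because the page allows a non-SSL logon URL when the form itself posts back to an SSL-protected resource.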



© 2025 Reynald Nuñez and asp.net.ph. All rights reserved.
