Lesson 3: Using Forms Authentication
The purpose of this lesson is to introduce ASP.NET Forms Authentication and to encourage the expectation that Web Application frameworks provide their own security "controls." With Microsoft technologies, this expectation is met in ASP.NET 2.0 by its Login controls, which are part of the new personalization and membership features of ASP.NET 2.0. More details are found in "New Security Features in ASP.NET 2.0" here:
http://msdn.microsoft.com/library/en-us/dnvs05/html/SecFeatNT2.asp
- "Forms authentication automatically displays a designated Web form to collect user name and password information... The advantage of Forms authentication is that users do not have to be [a] member of a domain-based network to have access to your application."
For more details see "Designing Secure ASP.NET Applications" here:
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconDesigningSecureASPNETApplications.asp
The following is a sample Web.config declaration for Forms Authentication:
<authentication mode="Forms"> <!-- Set authentication mode -->
  <forms loginUrl="LogIn.aspx"> <!-- Specify a log on form -->
    <credentials passwordFormat="Clear"> <!-- Create a user list -->
      <user name="Jesse" password="JuneBug"/>
      <user name="Linda" password="Liste"/>
      <user name="Henry" password="Henry"/>
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" /> <!-- Deny all unauthenticated users -->
</authorization>
For this declaration, the static method FormsAuthentication.Authenticate() of the FormsAuthentication class in the System.Web.Security namespace takes a user name and password and returns a Boolean. ASP.NET View State can be used to store the number of authentication attempts, and the FormsAuthentication.SignOut() method is used to clear the authenticated session and permit a new login attempt. When FormsAuthentication.Authenticate() returns true, the FormsAuthentication.RedirectFromLoginPage() method can be used to move from the login page specified in Web.config to the originally requested page.
- "When storing names and passwords in a file or database, you have the option of encrypting them using the FormsAuthentication class's HashPasswordForStoringInConfigFile method."
Either SHA1 or MD5 is used as the hash algorithm. There are "urban legends" out there insisting that one or both of these algorithms is compromised. However, as of July 11, 2005, Microsoft makes no mention of this in "How to create keys by using Visual C# .NET for use in Forms authentication" here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312906
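The following is an added example, not code from the lesson or from Microsoft's samples, of a LogIn.aspx code-behind that puts the methods described above (Authenticate, the View State attempt counter, SignOut, RedirectFromLoginPage) together with the Web.config credential list, plus a helper that produces a hashed entry for passwordFormat="SHA1". The control names (UserName, Password, RememberMe, Message), the LoginButton_Click handler name, the three-attempt limit and the HashForConfig helper are assumptions.

```csharp
// LogIn.aspx.cs (assumes LogIn.aspx declares UserName, Password, RememberMe,
// Message and a LoginButton wired to LoginButton_Click)
using System;
using System.Web.Security;
using System.Web.UI;

public partial class LogIn : Page
{
    // Constructed limit; the lesson does not prescribe one.
    private const int MaxAttempts = 3;

    // Failed-attempt counter kept in View State, as the lesson describes.
    private int Attempts
    {
        get { return ViewState["Attempts"] == null ? 0 : (int)ViewState["Attempts"]; }
        set { ViewState["Attempts"] = value; }
    }

    // Produces the value to place in <user password="..."/> when
    // <credentials passwordFormat="SHA1"> is used instead of "Clear".
    public static string HashForConfig(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Compares the submitted pair against the <credentials> list in Web.config.
        if (FormsAuthentication.Authenticate(UserName.Text, Password.Text))
        {
            // Issues the authentication ticket and returns to the page the
            // user originally requested (or the configured default page).
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
            return;
        }

        Attempts++;
        if (Attempts >= MaxAttempts)
        {
            // Clear any existing ticket and start the count over.
            FormsAuthentication.SignOut();
            Attempts = 0;
            Message.Text = "Too many failed attempts; please start again.";
        }
        else
        {
            Message.Text = "Invalid user name or password.";
        }
    }
}
```

View State travels with the posted form, so a client who starts a fresh request begins with a fresh counter; a lockout that must hold across requests belongs in server-side state rather than View State.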
- "When you authenticate users from Web.config, you use the Authenticate method. When you authenticate users from a database, you must write your own code to find and compare user names and passwords."
I'm almost certain that this is 'fixed' in ASP.NET 2.0!