Although forms authentication provides a flexible means of authentication, you must carefully consider some important issues when you help secure an ASP.NET application. You must help protect the initial logon credentials by using SSL because the credentials are sent to the server as plaintext. You must also make sure that you help protect the cookie that contains the forms authentication ticket. To do this, use SSL on all the pages to help protect the ticket. Alternatively, you can encrypt the forms authentication ticket by setting the protection attribute of the <forms> element to All or to Encrypt in the Web.config file, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket. For more information about the Encrypt method of the FormsAuthentication class, see the "Use the Encrypt Method of the FormsAuthentication Class" section of this article.
Advantages of Forms Authentication
- Forms authentication supports authentication against a custom data store, such as a Microsoft SQL Server database or Active Directory directory services. For more information, see the "REFERENCES" section of this article.
- Forms authentication supports role-based authorization with role lookup from a data store.
- Forms authentication is smoothly integrated with the Web user interface. For more information, see the "REFERENCES" section of this article.
- ASP.NET provides much of the infrastructure. Relatively little code is required in comparison to Microsoft Active Server Pages versions 3.0 and earlier.
- ASP.NET forms authentication does not require Microsoft Internet Explorer. Forms authentication supports a wide range of Web browser clients.
How to Help Make Forms Authentication Secure
- Use SSL for all pages.
- Use the Encrypt method of the FormsAuthentication class.
Use SSL for All Pages
Help make sure that the authentication cookie remains secure throughout a client browser session by using SSL encryption to help secure access to all pages. By using SSL encryption on the whole application, you help prevent anyone from capturing the authentication cookie or other valuable information in transit.
Set the value of the requireSSL property to true in the Web.config file. This puts SSL in place when the cookie is sent back to the browser. If you do not set the value of requireSSL to true, the form throws an exception or does not authenticate with the cookie.
When requireSSL is set to true, the encrypted connection helps protect the credentials of the user, and ASP.NET sets the HttpCookie.Secure property for the authentication cookie. The compliant browser does not return the cookie unless the connection uses SSL. The following example shows how to do this in the Web.config file for your application:
<deny users="?" />
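The Web.config fragment of which only the <deny> line survives above can be written out in full as follows. This is an added example rather than the article's own listing; the loginUrl, timeout and slidingExpiration values are assumptions that you would set for your own application.

```xml
<configuration>
  <system.web>
    <!-- mode="Forms" turns on forms authentication for the application. -->
    <authentication mode="Forms">
      <!-- protection="All" encrypts and validates (signs) the ticket; the weaker
           settings protect only one of the two, and "None" protects neither.
           requireSSL="true" marks the authentication cookie Secure so a compliant
           browser returns it only over an SSL connection.
           loginUrl, timeout and slidingExpiration are assumed values. -->
      <forms loginUrl="login.aspx"
             protection="All"
             timeout="20"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: unauthenticated requests are sent to loginUrl. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With requireSSL="true" in place, the cookie check shown below succeeds only when the page was requested over SSL; over plain HTTP the browser never sends the cookie at all.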
Visual C# .NET Code
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie MyCookie = Context.Request.Cookies[cookieName];
// Guard against a missing cookie before reading its Secure flag.
if (MyCookie != null && MyCookie.Secure)
{
    Response.Write("The cookie is secure with SSL.");
    // Add other required code here.
}
Visual Basic .NET Code
Dim cookieName As String = FormsAuthentication.FormsCookieName.ToString
Dim MyCookie As HttpCookie = Context.Request.Cookies(cookieName)
' Guard against a missing cookie before reading its Secure flag.
If Not MyCookie Is Nothing AndAlso MyCookie.Secure Then
    Response.Write("The cookie is secure with SSL.")
    ' Add other required code here.
End If
Use the Encrypt Method of the FormsAuthentication Class
If you only use SSL on the initial logon Web page to encrypt the credentials that are passed for authentication, make sure that the forms authentication ticket that is contained in a cookie is protected. The forms authentication ticket must be protected because the cookie is passed between the client and the server on each subsequent Web request. To encrypt the forms authentication ticket, configure the protection attribute of the <forms> element, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket.
Call the Encrypt method when you create the forms authentication ticket. You typically create the ticket in the Login event handler of the application.
Visual C# .NET Code
// authTicket is the FormsAuthenticationTicket created in the Login event handler.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
Visual Basic .NET Code
' authTicket is the FormsAuthenticationTicket created in the Login event handler.
Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
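The following Login event handler puts the two sections together: it creates the ticket, encrypts it with FormsAuthentication.Encrypt, and issues it in a cookie that carries the Secure and HttpOnly flags, then shows how a later request reads the ticket back. This is an added example, not code from the article; the txtUserName and txtPassword controls, the LoginButton_Click handler name, the 20-minute lifetime and the ValidateCredentials method are assumptions, and ValidateCredentials is a placeholder for your own lookup against SQL Server, Active Directory or another store.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Assumed controls on the logon page.
    protected TextBox txtUserName;
    protected TextBox txtPassword;

    // Hypothetical credential check against your own data store (not part of the article).
    private static bool ValidateCredentials(string userName, string password)
    {
        // Replace with a lookup against SQL Server, Active Directory, and so on.
        return false;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The credentials travel as plain text unless the logon page itself is served over SSL.
        if (!Request.IsSecureConnection)
        {
            Response.Write("The logon form must be submitted over SSL.");
            return;
        }

        string userName = txtUserName.Text;
        if (!ValidateCredentials(userName, txtPassword.Text))
        {
            Response.Write("Invalid user name or password.");
            return;
        }

        // 1. Create the forms authentication ticket (non-persistent, 20-minute lifetime assumed).
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,                       // user name carried in the ticket
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(20),    // expiration
            false,                          // isPersistent: session cookie only
            String.Empty);                  // user data, for example a role list

        // 2. Encrypt the ticket before it leaves the server. With protection="All" in
        //    Web.config the result is also signed, so tampering is detected on Decrypt.
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // 3. Place the encrypted ticket in the forms authentication cookie.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        authCookie.HttpOnly = true;   // not readable by client-side script
        authCookie.Secure = true;     // a compliant browser returns it only over SSL
        Response.Cookies.Add(authCookie);

        // 4. Send the user back to the page that triggered the logon.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }

    // On a later request: accept the ticket only if it arrived over SSL, decrypts, and has not expired.
    protected static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        if (!request.IsSecureConnection)
        {
            return null;   // with requireSSL="true" the cookie should never arrive over plain HTTP
        }

        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || authCookie.Value.Length == 0)
        {
            return null;
        }

        try
        {
            // Decrypt returns null or throws when the ticket is unreadable or has been altered;
            // treat either as an invalid logon rather than a server fault.
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            return (ticket != null && !ticket.Expired) ? ticket : null;
        }
        catch (Exception)
        {
            return null;
        }
    }
}
```

Setting authCookie.Secure yourself matters when you build the cookie by hand as above: ASP.NET only sets the flag for you when it issues the cookie through RedirectFromLoginPage or SetAuthCookie, so a hand-built cookie without the flag would be sent over plain HTTP even with requireSSL="true".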