Programming Microsoft ASP.NET 4 - Dino Esposito [40]
Table 3-6. Supported Authentication Modes

Value     Description
Forms     Makes use of a custom form to collect logon information.
Passport  Exploits the authentication services of Microsoft Passport (now LiveID). In ASP.NET 4, classes dealing with Passport authentication are marked obsolete.
None      Indicates ASP.NET should not enforce any type of authentication, which means only anonymous users can connect or the application itself provides a built-in mechanism.
Windows   Exploits any authentication services of IIS—basic, digest, NTLM\Kerberos, or certificates. This is the default mode.
When using Forms authentication, you are allowed to specify a few additional parameters, such as name, loginURL, protection, and cookieless. Table 3-7 lists the attributes of the

Table 3-7. Attributes of the

Attribute                Description
cookieless               Defines whether and how cookies are used for authentication tickets. Feasible values are the same as those listed in Table 3-5.
defaultUrl               Defines the URL to redirect to after authentication. The default is default.aspx.
domain                   Specifies a domain name to be set on outgoing authentication cookies.
enableCrossAppRedirects  Indicates whether users can be authenticated by external applications when authentication is cookieless. The setting is ignored if cookies are enabled. When cookies are enabled, cross-application authentication is always possible.
loginUrl                 Specifies the URL to which the request is redirected for login if no valid authentication cookie is found.
name                     Specifies the name of the HTTP cookie to use for authentication. The default name is .ASPXAUTH.
path                     Specifies the path for the authentication cookies issued by the application. The default value is a slash (/). Note that some browsers are case-sensitive and will not send cookies back if there is a path case mismatch.
protection               Indicates how the application intends to protect the authentication cookie. Feasible values are All, Encryption, Validation, and None. The default is All.
requireSSL               Indicates whether an SSL connection is required to transmit the authentication cookie. The default is false. If true, ASP.NET sets the Secure property on the authentication cookie object so that a compliant browser does not return the cookie unless the connection is using SSL.
slidingExpiration        Indicates whether sliding expiration is enabled. The default is false, meaning that the cookie expires at a set interval from the time it was originally issued. The interval is determined by the timeout attribute.
timeout                  Specifies the amount of time, in minutes, after which the authentication cookie expires. The default value is 30.

Note that the description of cookie-related attributes in Table 3-7 works also for similar attributes in the

I'll return to authentication and security in Chapter 19. In particular, in that chapter you'll discover various flavors of Forms authentication that, although described as custom types of Forms authentication, are gaining wide acceptance in real-world applications. Two examples are OpenID and claims-based Windows Identity Foundation (WIF).

Overall, when it comes to providing authentication for an ASP.NET application, the primary choice is Forms authentication, including when it's in the form of OpenID implementations such as dotnetOpenAuth. Windows authentication and Passport are seldom used today even though both, especially Windows authentication, still serve the needs of a particular segment of applications. An emerging approach is based on Windows Identity Foundation (WIF). With WIF integrated with Web Forms, the user navigates to inside the application and then, when authentication is required, the user is redirected to the configured Security Token Service (STS), logs in there, and is then redirected back to the application with his own set
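As an added illustration of the attributes in Table 3-7 (example configuration, not from the book), the two web.config fragments below use the same element twice: first with the settings a reviewer should flag, then with the values a reviewer would ask for instead. The Login.aspx and Default.aspx page names are placeholders.

```xml
<!-- Added example, not the book's own configuration. Two alternative <forms>
     fragments using only attributes from Table 3-7; Login.aspx and Default.aspx
     are placeholder page names. -->

<!-- Fragment 1, WEAK: the authentication ticket rides in the URL (so it lands in
     logs, referers and bookmarks), is neither encrypted nor validated, may be sent
     over plain HTTP, and stays valid for a day with each request extending it. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="Login.aspx"
           defaultUrl="Default.aspx"
           cookieless="UseUri"
           protection="None"
           requireSSL="false"
           slidingExpiration="true"
           timeout="1440"
           enableCrossAppRedirects="true" />
  </authentication>
</system.web>

<!-- Fragment 2, HARDENED: ticket kept in a cookie that is encrypted and signed,
     marked Secure so a compliant browser only returns it over SSL, fixed 30-minute
     lifetime from issue, cookie path kept at "/" to avoid case-mismatch drops. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="Login.aspx"
           defaultUrl="Default.aspx"
           cookieless="UseCookies"
           protection="All"
           requireSSL="true"
           slidingExpiration="false"
           timeout="30"
           path="/"
           enableCrossAppRedirects="false" />  <!-- ignored with cookies; explicit -->
  </authentication>
  <!-- Deny anonymous users so a valid ticket is actually required to get in. -->
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
```

With requireSSL="true", ASP.NET refuses to issue the ticket on a non-HTTPS request instead of silently downgrading, so exercise the login page over HTTPS when verifying the hardened fragment.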