Programming Microsoft ASP.NET 4 - Dino Esposito [416]
HashPasswordForStoringInConfigFile: Given a password and a string identifying the hash type, the method hashes the password for storage in the web.config file.
Initialize: Initializes the FormsAuthentication class.
RedirectFromLoginPage: Redirects an authenticated user back to the originally requested URL.
RedirectToLoginPage: Performs a redirect to the configured or default login page.
RenewTicketIfOld: Conditionally updates the sliding expiration on an authentication ticket.
SetAuthCookie: Creates an authentication ticket and attaches it to the outgoing response. It does not redirect to the originally requested URL.
SignOut: Removes the authentication ticket.
The Initialize method is called only once in the application’s lifetime and initializes the properties in Table 19-4 by reading the configuration file. The method also gets the cookie values and encryption keys to be used for the application.
Note
In spite of their names, in ASP.NET both the GetAuthCookie method and the SetAuthCookie method get and set an authentication ticket, regardless of what it means to the application. If the application is configured to do Forms authentication in a cookieless manner, the two methods read and write ticket information from and to the URL of the request. They read and write a cookie if the authentication method is configured to use cookies.
Configuration of Forms Authentication
Although ASP.NET Forms authentication is fairly simple to understand, it still provides a rich set of options to fine-tune the behavior of the authentication mechanism. Most of the settable options revolve around the use of cookies for storing the authentication ticket. All of them find their place in the
Forms authentication is driven by the contents of the

<forms protection="All|None|Encryption|Validation"
       timeout="30"
       requireSSL="true|false"
       slidingExpiration="true|false"
       path="/"
       enableCrossAppRedirects="true|false"
       cookieless="UseCookies|UseUri|AutoDetect|UseDeviceProfile"
       defaultUrl="url"
       domain="string">

The various attributes are described in Table 19-6.

Table 19-6. Attributes for Forms Authentication
cookieless: Defines if and how cookies are used for authentication tickets. Possible values are UseCookies, UseUri, AutoDetect, and UseDeviceProfile.
defaultUrl: Defines the default URL to redirect to after authentication. The default is default.aspx.
domain: Specifies a domain name to be set on outgoing authentication cookies. (I'll say more about this later.)
enableCrossAppRedirects: Indicates whether users can be authenticated by external applications when authentication is cookieless. The setting is ignored if cookies are enabled. When cookies are enabled, cross-application authentication is always possible. (I'll cover more issues related to this as we go along.)
loginUrl: Specifies the URL to which the request is redirected for login if no valid authentication cookie is found.
name: Specifies the name of the HTTP cookie to use for authentication. The default name is .ASPXAUTH.
path: Specifies the path for the authentication cookies issued by the application. The default value is a forward slash (/). Note that some browsers are case-sensitive and will not send cookies back if there is a path case mismatch.
protection: Indicates how the application intends to protect the authentication cookie. Feasible values are All, Encryption, Validation, and None. The default is All.
requireSSL: Indicates whether an SSL connection is required to transmit the authentication cookie. The default is false. If true, ASP.NET sets the Secure property on the authentication cookie object so that a compliant browser does not return the cookie unless the connection is using SSL.
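As an added example (my code, not code from the book), here is how the two groups of settings above meet in application code: a Global.asax audit that reads the static FormsAuthentication properties, which Initialize fills from the attributes in Table 19-6, and a login page code-behind that uses RedirectFromLoginPage, SetAuthCookie, GetRedirectUrl, SignOut and RedirectToLoginPage from the method list. The control names UserName, Password and ErrorLabel, and the choice of Membership.ValidateUser as the credential check, are assumptions about the hosting application.

```csharp
// Added example: startup audit of the <forms> settings plus a login/logout
// code-behind. Assumed names: the Login page's UserName, Password and
// ErrorLabel controls, and Membership.ValidateUser as the credential store.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // FormsAuthentication.Initialize has already read web.config by now,
        // so the static properties mirror the <forms> attributes.
        foreach (string finding in AuditFormsAuthConfig())
            System.Diagnostics.Trace.TraceWarning("forms-auth config: " + finding);
    }

    // Returns one line per weak setting; an empty list means the ticket is
    // only sent over SSL, travels in a cookie, and ReturnUrl stays local.
    public static List<string> AuditFormsAuthConfig()
    {
        var findings = new List<string>();
        if (!FormsAuthentication.RequireSSL)
            findings.Add("requireSSL=false: the ticket cookie is also sent over plain HTTP");
        if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
            findings.Add("cookieless=" + FormsAuthentication.CookieMode +
                         ": the ticket can be carried in the URL (server logs, Referer headers)");
        if (FormsAuthentication.EnableCrossAppRedirects)
            findings.Add("enableCrossAppRedirects=true: ReturnUrl may point outside this application");
        if (!FormsAuthentication.SlidingExpiration)
            findings.Add("slidingExpiration=false: tickets expire a fixed " +
                         "time after issue regardless of activity (check that timeout is intended)");
        return findings;
    }
}

public partial class Login : Page
{
    // Declared here so the example is self-contained; in a real code-behind
    // the designer file supplies these fields from the .aspx markup.
    protected TextBox UserName;
    protected TextBox Password;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;
        // Membership.ValidateUser checks against the configured provider, which
        // stores salted hashes. HashPasswordForStoringInConfigFile, by contrast,
        // produces an unsalted digest meant only for <credentials> in web.config.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Option A: one call issues the ticket and sends the user back to the
        // page that demanded authentication (or defaultUrl if there is none).
        // false = session cookie, so the ticket does not outlive the browser.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }

    // Option B: the same two steps done separately, for when the application
    // must do work (audit logging, loading roles) between issuing the ticket
    // and leaving the page. SetAuthCookie never redirects by itself.
    protected void IssueTicketThenRedirect(string user)
    {
        FormsAuthentication.SetAuthCookie(user, false);
        System.Diagnostics.Trace.TraceInformation("login ok: " + user);
        string target = FormsAuthentication.GetRedirectUrl(user, false);
        Response.Redirect(target);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();          // removes the ticket cookie
        Session.Abandon();                      // drop server-side state too
        FormsAuthentication.RedirectToLoginPage();  // back to loginUrl
    }
}
```

The audit is deliberately read-only: it reports the settings Table 19-6 describes as security-relevant (requireSSL, cookieless, enableCrossAppRedirects, slidingExpiration) so that a misconfiguration shows up in the trace log on the first request rather than during an incident. Because the properties are static and filled by Initialize, the same helper can be called from a health-check page or a test.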