The previous example in the session management section only demonstrates how session state can be managed in ASP.NET. If you want to expand the example to handle your application authentication, every single aspx file in addition to main.aspx should check for the session variable "UserName" and redirect to the Login.aspx file if this session variable is not found. This is too much work, at least in the .NET world. We take this opportunity to show you how to do forms authentication in ASP.NET. By definition, forms authentication is basically a setup where unauthenticated requests are automatically redirected to a designated login form. Once the user provides the login information and the login form processes it successfully, the user is then redirected back to the original page along with an "authenticated cookie." Subsequent requests do not get redirected to the login form until the cookie expires.
The first thing you will have to do is edit the web.config file to set the authentication mode to "Forms" and setup the URL for the login page and the name of the authentication cookie:
<configuration> <system.web> <authentication mode="Forms"> <forms loginUrl="login.aspx" name=".authToken"/> </authentication> <authorization> <deny users="?" /> </authorization> </system.web> </configuration>
In this web.config file, we've specified that the authentication mode is "Forms" for form-based authentication. Other settings are "Windows," "Passport," and "None" (case-sensitive), which we will not cover in this book because of its size. The loginUrl is where the system should redirect the request if the user is not yet authenticated and the name attribute is the name of the cookie to store the authentication info. We also have to set up the authorization so that this web application will deny all unauthenticated users.
Since we specify that the login URL is login.aspx, let's see the content of this file:
<HTML> <script language="VB" runat="server"> Sub cmdLogin_Click(ByVal sender As System.Object, _ ByVal e As System.EventArgs) ' more processing here FormsAuthentication.RedirectFromLoginPage(txtUID.Text, false) End Sub </script> <body> . . . </body> </HTML>
Once we have authenticated the credentials, we call a helper method of FormsAuthentication object to redirect to whatever page the client was from. The first parameter is the user name and the second Boolean variable tells the function not to persist the cookie across browser sessions. Note the difference between this and the home-grown authentication via the session example we had earlier. Here, we don't have to remember what URL to return to.
The main.aspx page now looks like this:
<HTML> <body> <script language="VB" runat="server"> Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) labelData.Text = "Welcome back, " + Context.User.Identity.Name End Sub Sub Logout(ByVal sender As System.Object, ByVal e As System.EventArgs) FormsAuthentication.Signout( ) Response.Redirect("Login.aspx") End Sub </script> <form id="Form1" method="post" runat="server"> <asp:Label id="labelData" runat="server">Label</asp:Label> <asp:Button id="cmdLogout" runat="server" onclick="Logout" Text="Logout"></asp:Button> </form> </body> </HTML>