The System.Web.Security namespace includes the modules that implement various types of ASP.NET authentication, such as WindowsAuthenticationModule, FormsAuthenticationModule, and PassportAuthenticationModule. You don't interact directly with these modules in an ASP.NET application; instead, the ASP.NET framework uses the appropriate module (based on the options you have set in the web.config file) to authenticate the user. After this point, ASP.NET provides identity information in the System.Web.HttpContext.User property and uses this identity to authorize access to resources such as files and URLs (using modules like UrlAuthorizationModule and FileAuthorizationModule, which are also found in this namespace).
One reason you might use the types in this namespace is to handle authentication events. Generic security events, like System.Web.HttpApplication.AuthenticateRequest and System.Web.HttpApplication.AuthorizeRequest, are already available in the global.asax file. However, each authentication module also provides its own Authenticate event, which can be used to validate a user programmatically or attach a new System.Security.Principal.IIdentity instance. Event handlers for Authenticate events are coded in the global.asax file, but defined in this namespace.
Another important class in this namespace is FormsAuthentication. This class provides the shared methods you need to use in your login page if you use ASP.NET's forms-based security. These methods let you authenticate a user, instruct ASP.NET to issue the authenticated forms cookie, and redirect the user to the original requested page.
Note that many security options are not reflected in these classes. When implementing a custom authorization/authentication scheme, you should first examine all the security options provided in the web.config file. Internet Information Server (IIS) also provides an additional layer of security configuration.
Figure 29-1 and Figure 29-2 show the types in this namespace.