How does Forms authentication work in ASP.NET

Forms authentication is a ticket-based or token-based system. When users log in, they receive a ticket with basic user information. This information is stored in an encrypted cookie that’s attached to the response so it’s automatically submitted on each subsequent request.

When a user requests an ASP.NET page that is not available to anonymous users, the ASP.NET runtime checks whether a forms authentication ticket is present. If it is not, ASP.NET automatically redirects the user to a login page. As a software engineer you have to create this login page and validate the credentials within it. If the user is successfully validated, you inform the ASP.NET infrastructure of the success (by calling a method of the FormsAuthentication class). The runtime then sets the authentication cookie (which actually contains the ticket) and redirects the user to the originally requested page. On this request, the runtime detects that the authentication cookie with the ticket is present and grants access to the page. You can see this process in the next picture.

All you need to do is configure forms authentication in the web.config file, create the login page, and validate the credentials in the login page.

Note: Forms authentication uses standard HTML forms for collecting and submitting the user’s credentials. For that reason, you have to use SSL to encrypt and transmit the user’s credentials securely. If you don’t use SSL, the information is transmitted as clear text in the postback data in the request to the server.
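The login page step, as an added example that is not code from the original article: a Login.aspx code-behind that validates the posted credentials and hands the result to FormsAuthentication. It assumes the web.config settings shown in the header comment, a configured ASP.NET Membership provider, and the control names txtUserName, txtPassword, lblMessage and btnLogin on the page.

```csharp
// Login.aspx.cs -- added illustration, not code from the original article.
// Assumed web.config configuration for forms authentication:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
//            timeout="20" slidingExpiration="false" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>   <!-- "?" = anonymous -->
// Also assumed: a Membership provider is configured for credential checks.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Wired to the Click event of btnLogin in Login.aspx (assumed control names).
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Forms authentication posts the password as clear text unless the
        // connection is encrypted; refuse to process a login over plain HTTP
        // even though requireSSL="true" would also stop the cookie being issued.
        if (!Request.IsSecureConnection)
        {
            lblMessage.Text = "Login is only accepted over HTTPS.";
            return;
        }

        string user = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // Validating the credentials is the engineer's job; here it is delegated
        // to the configured Membership provider rather than hand-rolled.
        if (Membership.ValidateUser(user, password))
        {
            // Informs the runtime that login succeeded: it issues the encrypted
            // ticket cookie and redirects to the originally requested page
            // (the ReturnUrl query parameter) or to the configured defaultUrl.
            // false = session cookie only, so the ticket is not persisted on disk.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // Same message for unknown user and wrong password: no account enumeration.
            lblMessage.Text = "Invalid user name or password.";
        }
    }
}
```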

The forms authentication process