How to configure Forms Authentication in ASP.NET

You can configure forms authentication in your web.config file. Every web.config file includes the <authentication /> configuration section, and you enable forms authentication by setting its mode attribute to Forms:

<authentication mode="Forms">
    <!-- Detailed configuration options -->
</authentication>

The <authentication /> configuration section is only allowed in the top-level web.config file of your application. If the mode attribute is set to Forms, ASP.NET loads and activates the FormsAuthenticationModule, which does most of the work for you. The previous configuration uses default settings for forms authentication that are hard-coded into the ASP.NET runtime. You can override these defaults for every application on the machine by adding settings to the <system.web> section of the machine.config file, or for a single application by specifying additional settings in the <forms /> child tag of the <authentication /> section. The following code snippet shows the complete set of options for the forms tag:

<authentication mode="Forms">
    <!-- Detailed configuration options -->
    <forms name="MyCookieName"
           loginUrl="DbLogin.aspx"
           timeout="20"
           slidingExpiration="true"
           cookieless="AutoDetect"
           protection="All"
           requireSSL="false"
           enableCrossAppRedirects="false"
           defaultUrl="MyDefault.aspx"
           domain="www.mydomain.com"
           path="/" />
</authentication>

The attributes are listed in the order in which you will most often use them. The following table describes each attribute and its default value.

Option (Default): Description

name (.ASPXAUTH): The name of the HTTP cookie used for authentication. If multiple applications are running on the same web server, you should give each application's authentication cookie a unique name.

loginUrl (login.aspx): The page the user is redirected to in order to log into the application. This can be a page in the root folder of the application or in a subdirectory.

timeout (30): The number of minutes before the authentication cookie expires. ASP.NET refreshes the cookie when it receives a request, provided at least half of the cookie's lifetime has already elapsed. Cookie expiry is a significant concern: if cookies expire too often, users have to log in frequently and the usability of your application suffers; if they expire too seldom, you run a greater risk of cookies being stolen and misused.

slidingExpiration (true): Enables or disables sliding expiration of the authentication cookie. If enabled, the runtime resets the expiration of the authentication cookie with every request the user submits to the application, so the cookie's lifetime is extended with each request.

cookieless (UseDeviceProfile): Specifies whether the runtime uses cookies to send the forms authentication ticket to the client. Possible values are AutoDetect, UseCookies, UseUri, and UseDeviceProfile.

protection (All): Specifies the level of protection for the authentication cookie. The value All both encrypts and signs the authentication cookie. The other possible values are None, Encryption (encrypts only), and Validation (signs only).

requireSSL (false): If set to true, the browser does not transmit the authentication cookie over a connection that is not protected by SSL. Forms authentication therefore does not work in this case unless SSL is enabled on the web server.

enableCrossAppRedirects (false): Enables redirects between different applications on your server that use forms authentication. Of course, this only makes sense if both applications rely on the same credential store and use the same set of users and roles.

defaultUrl (default.aspx): When the FormsAuthenticationModule redirects a request to the login page, it passes along the originally requested URL, so that after the credentials have been validated successfully the module can redirect the user back to that page. If the user instead browses to the login page directly by typing its URL into the address bar, there is no originally requested page; this option specifies the page to redirect to in that case.

domain (<empty string>): Specifies the domain for which the cookie is valid. Overriding this property is useful if you want the cookie to be shared by several applications on your web server.

path (/): The path for cookies issued by the application. The default value (/) is recommended, because a case mismatch in the path can prevent the browser from sending the cookie with a request.
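The table above is easy to apply by hand once, but the effective settings of a deployed application are the explicit attributes merged over these defaults, which is easy to get wrong when attributes are simply omitted. The following Python script is an added example, not part of the original article or of ASP.NET itself: it computes the effective <forms /> settings from a web.config and flags the values that weaken protection of the ticket cookie (requireSSL, protection, cookieless, timeout and the default cookie name). The sample web.config is constructed from the snippet above; the 30-minute timeout threshold is an assumed policy value.

```python
import xml.etree.ElementTree as ET

# Defaults of the <forms /> attributes, taken from the table above.
FORMS_DEFAULTS = {
    "name": ".ASPXAUTH", "loginUrl": "login.aspx", "timeout": "30",
    "slidingExpiration": "true", "cookieless": "UseDeviceProfile",
    "protection": "All", "requireSSL": "false",
    "enableCrossAppRedirects": "false", "defaultUrl": "default.aspx",
    "domain": "", "path": "/",
}

def effective_forms_settings(web_config_xml):
    """Merge the explicit <forms /> attributes over the hard-coded defaults.
    Returns None when the <authentication /> mode is not Forms."""
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        return None
    settings = dict(FORMS_DEFAULTS)
    forms = auth.find("forms")
    if forms is not None:          # omitted element or attributes keep the defaults
        settings.update(forms.attrib)
    return settings

def audit_forms_settings(settings, max_timeout_minutes=30):
    """Return a list of findings for settings that weaken the ticket cookie."""
    findings = []
    if settings["requireSSL"].lower() != "true":
        findings.append("requireSSL=false: ticket cookie may be sent over plain HTTP")
    if settings["protection"] != "All":
        findings.append("protection=%s: ticket is not both encrypted and signed" % settings["protection"])
    if settings["cookieless"] != "UseCookies":   # the other modes may place the ticket in the URL
        findings.append("cookieless=%s: ticket may be carried in the URL for some clients" % settings["cookieless"])
    if int(settings["timeout"]) > max_timeout_minutes:
        findings.append("timeout=%s: exceeds the %d-minute policy" % (settings["timeout"], max_timeout_minutes))
    if settings["name"] == FORMS_DEFAULTS["name"]:
        findings.append("name=.ASPXAUTH: default cookie name is shared with other applications on the host")
    return findings

# Constructed sample: the <forms /> element from the snippet above, wrapped in a minimal web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyCookieName" loginUrl="DbLogin.aspx" timeout="20"
             slidingExpiration="true" cookieless="AutoDetect" protection="All"
             requireSSL="false" enableCrossAppRedirects="false"
             defaultUrl="MyDefault.aspx" domain="www.mydomain.com" path="/" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_forms_settings(effective_forms_settings(SAMPLE_WEB_CONFIG)):
        print(finding)
```

Run against the sample, the script reports two findings (requireSSL and cookieless); a bare <authentication mode="Forms" /> with no <forms /> element additionally reports the default cookie name.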