This post explains how authentication can happen at the IIS level.
It all happened when I interviewed a guy with quite a good amount of experience. I then noted that many experienced guys lacked the so-called basics. I remember asking him this question: “I would want to authenticate the user as a valid user even before the request hits the page, I don't want to use Forms or Windows authentication”. The answer I got back was terrible – the candidate replied saying the check can be done at either
In my post http://bloggingbunk.com/2011/07/net-in-depth-understanding-request-life-cycle/, I discussed two main elements:
For any request, IIS first calls the HttpModule, then the HttpHandler, then the Page and then the
In your project, while designing the ASP.NET pages, create a class that implements IHttpModule. This class will implement all the methods of IHttpModule. Now put your authentication code in the BeginRequest handler. For example, say your project stores important data persisted in cookies; send the cookie information along with the request. The following figure depicts how your request will fetch the page. The pipe represents the HttpModule and the
Now, the checks that you see can be a call to the DB, to any authentication system, or even to an Access Control Policy routine.
With HttpModules at hand, we have the leverage to do anything before the request hits the page.
It also follows that once the page life cycle is complete, the HttpModule can help us perform any operation under EndRequest; it can be a check on the response or anything else.
You can have more security in place if you can leverage EndRequest along with
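An added example, not code from the original post: a class implementing IHttpModule that rejects a request in BeginRequest unless a signed cookie verifies, and logs the rejection in EndRequest. The class name CookieAuthModule, the AuthToken cookie, the AuthCookieKey app setting and the token layout user|expiryTicks|base64(HMAC-SHA256) are assumptions made for the illustration.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example; class, cookie and setting names and the token layout are assumptions.
public class CookieAuthModule : IHttpModule
{
    private static readonly byte[] Key = // missing setting throws: module fails closed
        Convert.FromBase64String(ConfigurationManager.AppSettings["AuthCookieKey"]);
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest; // before handler and page
        app.EndRequest += OnEndRequest;     // after the page life cycle
    }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpCookie cookie = app.Context.Request.Cookies["AuthToken"];
        if (cookie != null && IsValid(cookie.Value)) return;
        app.Context.Response.StatusCode = 401;
        app.CompleteRequest(); // skip handler and page, go straight to EndRequest
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Response.StatusCode == 401) // audit trail for rejected requests
            Trace.TraceWarning("Rejected {0} from {1}", ctx.Request.RawUrl, ctx.Request.UserHostAddress);
    }

    private static bool IsValid(string token)
    {
        string[] p = (token ?? "").Split('|'); // user|expiryTicks|base64(HMAC)
        long exp; // expiry as UTC ticks; reject malformed or expired tokens
        if (p.Length != 3 || !long.TryParse(p[1], out exp) || exp < DateTime.UtcNow.Ticks) return false;
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(p[0] + "|" + p[1]));
            string want = Convert.ToBase64String(mac);
            int diff = want.Length ^ p[2].Length; // constant-time compare
            for (int i = 0; i < want.Length && i < p[2].Length; i++) diff |= want[i] ^ p[2][i];
            return diff == 0;
        }
    }
}
```

The module only runs once it is registered in web.config, under system.webServer/modules for the integrated pipeline or system.web/httpModules for classic mode.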
To sum it up, this methodology fits gracefully into our pipeline pattern. I hope you now understand authentication at the IIS level. Please post your questions as comments and I will reply.