Click here to Skip to main content
Click here to Skip to main content

ASP.NET Authentication Management

, 30 Apr 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
Describes authentication management using cookies

Introduction

This tip explains how forms authentication works through cookies using Microsoft ASP.NET framework.

Using the Code

ASP.NET framework maintains user authentication directly through cookies so that we don’t have to worry about coding that piece into our web application.

Once a user is successfully authenticated through a membership provider, ASP.NET framework provides the Membership class to fetch information related to that user. For instance, in any page, calling the Membership.GetUser() would yield the logged in user object. But server is stateless. So how can ASP.NET framework maintain the client identity. For that, ASP.NET framework uses the .ASPXAUTH cookie.

When the client enters his credentials and submits the login page, the request goes to the server which authenticates the client through a membership provider. Upon successful authentication, ASP.NET framework creates the membership user and sends the encrypted .ASPXAUTH cookie along with the response. The timeout of that cookie is the same as the session timeout. This cookie is not deleted if the client browser is closed. As a result, the browser adds this cookie in all the subsequent requests irrespective of whether the browser was closed or not as long as the cookie is active. The server would read this cookie from the request and identify the user as authenticated by setting the below variable to true.

Request.IsAuthenticated

That is why in ASP.NET applications, after login, even if the browser is closed, reopening the browser and directing to a secure page would not ask you for your password because the .ASPXAUTH cookie would still exist in the request as long as the session does not timeout.

Once the cookie expires, the next request from the client would not contain that cookie. As a result, server will treat it as a new request thereby setting Request.IsAuthenticated to false. The Membership.GetUser() would be null and the request would return the login page in response, even though the request was made to a secure page. Again, the client would enter credentials and submit the login page and upon authentication, a new .ASPXAUTH cookie would be generated and sent with the response. However, there can be a possibility where the request is authenticated, i.e., the cookie was sent, but the user in Membership is not there because the session already expired. To handle that, we would need to add the following method in global.asax.

protected void Application_AuthenticateRequest(object sender,EventArgs e)
{
    if (Request.IsAuthenticated && Membership.GetUser() == null)
    {
        if (HttpContext.Current != null &&HttpContext.Current.Session != null)
        {
            HttpContext.Current.Session.Abandon();
        }
        Response.Cookies.Clear();
        FormsAuthentication.SignOut();
        Response.Redirect(Constants.Pages.Login);
    }
} 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Sajid Qayyum

United States United States
No Biography provided

Comments and Discussions

 
GeneralMy vote of 1 PinprofessionalSunasara Imdadhusen1-May-14 1:16 
GeneralMy vote of 5 PinmemberHumayun Kabir Mamun30-Apr-14 21:27 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.150327.1 | Last Updated 30 Apr 2014
Article Copyright 2014 by Sajid Qayyum
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid