Click here to Skip to main content
Click here to Skip to main content
Articles » Web Development » ASP.NET » General » Downloads
 
Add your own
alternative version

The Anatomy of Forms Authentication

, 14 Mar 2008 CPOL
In this article, I will attempt explain in “gory” technical details how Forms Authentication works
CsharpSample.zip
GSS.Web.Security
bin
Debug
GSS.Web.Security.dll
GSS.Web.Security.pdb
obj
Debug
GSS.Web.Security.dll
GSS.Web.Security.pdb
Refactor
GSS.Web.Security.dll
TempPE
Properties
Settings.settings
using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;

namespace GSS.Web.Security
{
    class FormsAuthConfig
    {
        private byte[] _validationKey = null;
        private byte[] _encryptionKey = null;
        public string _encryptionAlgorithm = string.Empty;
        public string _hmacHashAlgorithm = string.Empty;
        public string _defaultPage = string.Empty;
        public string _logonPage = string.Empty;
        public int _cookieTimeOut = -1;
        private string _logPath = string.Empty;

        public int CookieTimeOut
        {
            get { return _cookieTimeOut; }
        }
        public string LogonPage
        {
            get { return _logonPage; }
        }
        public string DefaultPage
        {
            get { return _defaultPage; }
        }
        public string LogPath
        {
            get { return _logPath; }
        }
        public FormsAuthConfig()
        {
            try
            {
                _validationKey = Utils.HexStringToByteArray(Properties.Settings.Default.ValidationKey);
                _encryptionKey = Utils.HexStringToByteArray(Properties.Settings.Default.EncryptionKey);
                _encryptionAlgorithm = Properties.Settings.Default.EncryptionAlg;
                _hmacHashAlgorithm = Properties.Settings.Default.HmacAlg;
                _defaultPage = Properties.Settings.Default.DefaultPage;
                _logonPage = Properties.Settings.Default.LogonPage;
                _cookieTimeOut = Properties.Settings.Default.CookieTimeOut;
                _logPath = Properties.Settings.Default.LogPath;
            }
            catch { throw; }
        }
        /// <summary>
        /// Get the appropriate cryptographic transform based on the configuration settings
        /// </summary>
        /// <param name="forDecryption">true if transform is going to be used for decryption, false if for encryption</param>
        /// <returns>ICryptoTransform or throw an exception</returns>
        public ICryptoTransform GetTransform(bool forDecryption)
        {
            try
            {
                ICryptoTransform transform;
                switch (_encryptionAlgorithm)
                {
                    case "AES":
                        RijndaelManaged aes = new RijndaelManaged();
                        aes.Key = _encryptionKey;
                        aes.GenerateIV();
                        aes.IV = new byte[aes.IV.Length];
                        if (forDecryption)
                            transform = aes.CreateDecryptor();
                        else
                            transform = aes.CreateEncryptor();
                        break;
                    case "3DES":
                        TripleDESCryptoServiceProvider des = new TripleDESCryptoServiceProvider();
                        des.Key = _encryptionKey;
                        des.GenerateIV();
                        des.IV = new byte[des.IV.Length];
                        if (forDecryption)
                            transform = des.CreateDecryptor();
                        else
                            transform = des.CreateEncryptor();
                        break;
                    default:
                        throw new ApplicationException("Configuration Invalid");

                }
                return transform;
            }
            catch { throw; }
        }
        /// <summary>
        /// Computes the Hmac signature based on the configuration settings
        /// </summary>
        /// <param name="bytes">the btyes to sign</param>
        /// <returns></returns>
        public byte[] ComputeHash(byte[] bytes)
        {
            try
            {
                switch (_hmacHashAlgorithm)
                {
                    case "SHA1":
                        HMACSHA1 hashSha = new HMACSHA1(_validationKey);
                        byte[] ret = hashSha.ComputeHash(bytes);
                        return ret;
                    case "3DES":
                        HMACMD5 hashMd = new HMACMD5(_validationKey);
                        return hashMd.ComputeHash(bytes);
                    default:
                        throw new ApplicationException("Configuration Invalid");
                }
            }
            catch { throw; }
        }
        /// <summary>
        /// Computes the Hmac signature based on the configuration settings
        /// </summary>
        /// <param name="bytes">bytes to sign</param>
        /// <param name="offSet">the offset</param>
        /// <param name="count">the count</param>
        /// <returns></returns>
        public byte[] ComputeHash(byte[] bytes, int offSet, int count)
        {
             try
            {
                switch (_hmacHashAlgorithm)
                {
                    case "SHA1":
                        HMACSHA1 hashSha = new HMACSHA1(_validationKey);
                        byte[] ret = hashSha.ComputeHash(bytes, offSet, count);
                        return ret;
                    case "3DES":
                        HMACMD5 hashMd = new HMACMD5(_validationKey);
                        return hashMd.ComputeHash(bytes, offSet, count);
                    default:
                        throw new ApplicationException("Configuration Invalid");
                }
            }
            catch { throw; }
        }
    }
}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Jarrad Winter

United States United States
No Biography provided

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.141223.1 | Last Updated 14 Mar 2008
Article Copyright 2006 by Jarrad Winter
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid