Click here to Skip to main content
13,829,403 members
Click here to Skip to main content
Add your own
alternative version


66 bookmarked
Posted 28 May 2004

Extending Forms Authentication - Windows or Custom Authentication

, 28 May 2004
Rate this:
Please Sign up or sign in to vote.
Combines Forms Authentication with Windows or Custom Authenticator.

Sample Image - screenshot.jpg

A working demo of this code can be found here. This only uses the Custom authentication. However, the demo allows you to simply move to Windows authentication.


I've been developing a website where I wanted to use Windows authentication but had to cater for browsers that didn't support it. I looked for a possible solution and realized that you could merge Forms and Windows authentication. However, I didn't find a solution that fully met my needs, so I decided to develop my own solution.

How it works


The XML code below is placed in the project's web.config file. This is the standard method of configuring the project for Forms authentication.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>

To set the permissions of a sub directory or file within the web project, the authorization information is enclosed within location tags. The example below is the code used within the demo project supplied. It sets the authorization for the 3 private pages denying all users except for those who are grouped within the stated roles. You can also specify individual users by using the name attribute.

<location path="Private1.aspx">
                  <allow roles="low, medium, high" />
                  <deny users="*" />
<location path="Private2.aspx">
                  <allow roles="medium, high" />
                  <deny users="*" />
<location path="Private3.aspx">
                  <allow roles="high" />
                  <deny users="*" />


All authenticators must implement the IUserAuthenticator interface in order to be used by the solution. A base authenticator class is implemented and the WindowsUserAuthenticator is also implemented. All you have to do is extend these classes and add your custom authentication and roles, or if you are using Windows authentication, just add your custom roles. In order to allow the Windows authenticated code to have custom roles, the WindowsPrincipal object is extended and a StringCollection is used to hold the roles.

public interface IUserAuthenticator
    UserAuthenticationData Authenticate(string username, string password); 
    UserAuthenticationData Authenticate(string username, 
                                          string password, string domain); 
    void AddRoles(UserAuthenticationData uad); 
    string Type{get;}

The Authenticate method returns a UserAuthenticationData object which holds all the required data to re-authenticate the user on the next server round trip. This includes:

  • Name
  • Domain
  • Custom Roles
  • If the user is successfully authenticated
  • If Windows authentication is being used
  • User's Windows authentication token

This UserAuthenticationData is serialized and saved within the Forms cookie.


Within the project's Gobal.asax FormsAuthentication_Authenticate or Application_AuthenticateRequest methods, the following line of code is required to re-authenticate the user.


If Windows authentication is used, a new identity is created from the UserAuthenticationData token value, and if custom authentication is used then a generic identity is created. The custom roles are also added at this stage.

Code access

As well as restricting access to locations within the web project, this method also allows you to place access security on methods or classes. The demo code below only allows those users that meet the requirements in terms of username or roles to access the method. If the user is not authorized then a SecurityException is thrown.

[PrincipalPermissionAttribute(SecurityAction.Demand, Role="low")]
public static int Do1()
      return 1;
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="medium")]
public static int Do2()
      return 2;
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="high")]
public static int Do3()
      return 3;
[PrincipalPermissionAttribute(SecurityAction.Demand, Name=@"domain\user")]
public static int DoWinUser()
      return 4;

Update - 30 May 2004

The code now uses a dummy cookie to the timeout value. Removes need for extra appSetting in web.config file.

FormsAuthentication.SetAuthCookie("get_timeout", true);
DateTime expires = 
  FormsAuthentication.GetAuthCookie("get_timeout", true).Expires;

The timeout is placed as you would normally do with Forms authentication - within the forms tag.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>



This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Web Developer
United Kingdom United Kingdom
I'm a 3rd year student at Uni studing Computing. I've been coding in VB for about 6 years, Java for about 3 and C# for about 2 years.

You may also be interested in...

Comments and Discussions

Generalbuilding solution Pin
imohammed7867-Apr-05 17:40
memberimohammed7867-Apr-05 17:40 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web03 | 2.8.190114.1 | Last Updated 29 May 2004
Article Copyright 2004 by McGiv
Everything else Copyright © CodeProject, 1999-2019
Layout: fixed | fluid