Tip/Trick

ASP.NET Authentication Management

30 Apr 2014, CPOL, 2 min read
Describes authentication management using cookies

Introduction

This tip explains how forms authentication works through cookies using Microsoft ASP.NET framework.

Using the Code

The ASP.NET framework maintains user authentication directly through cookies, so we don't have to write that piece of our web application ourselves.

Once a user is successfully authenticated through a membership provider, the ASP.NET framework provides the Membership class to fetch information related to that user. For instance, in any page, calling Membership.GetUser() yields the logged-in user object. But the server is stateless, so how can the ASP.NET framework maintain the client's identity? For that, it uses the .ASPXAUTH cookie.

When the client enters his credentials and submits the login page, the request goes to the server, which authenticates the client through a membership provider. Upon successful authentication, the ASP.NET framework creates the membership user and sends the encrypted .ASPXAUTH cookie along with the response. The timeout of that cookie is the same as the session timeout. This cookie is not deleted when the client browser is closed. As a result, the browser adds this cookie to all subsequent requests, whether or not the browser was closed in between, for as long as the cookie is active. The server reads this cookie from the request and identifies the user as authenticated by setting the following property to true:

C#
Request.IsAuthenticated

That is why in ASP.NET applications, after login, even if the browser is closed, reopening the browser and navigating to a secure page does not ask you for your password: the .ASPXAUTH cookie still exists in the request as long as the session has not timed out.

Once the cookie expires, the next request from the client does not contain it. As a result, the server treats it as a new request and sets Request.IsAuthenticated to false. Membership.GetUser() returns null and the response is the login page, even though the request was made to a secure page. The client enters credentials and submits the login page again, and upon authentication a new .ASPXAUTH cookie is generated and sent with the response. However, there is also the possibility that the request is authenticated, i.e., the cookie was sent, but the user in Membership is not there because the session has already expired. To handle that, we need to add the following method in global.asax:

C#
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // A valid .ASPXAUTH ticket arrived, but the Membership user is gone
    // (e.g. the session expired): treat the request as unauthenticated.
    if (Request.IsAuthenticated && Membership.GetUser() == null)
    {
        // Session state is not yet available at this stage of the pipeline,
        // so guard the access before abandoning it.
        if (HttpContext.Current != null && HttpContext.Current.Session != null)
        {
            HttpContext.Current.Session.Abandon();
        }
        // Clears cookies queued for this response; the .ASPXAUTH cookie
        // itself is expired on the client by FormsAuthentication.SignOut().
        Response.Cookies.Clear();
        FormsAuthentication.SignOut();
        Response.Redirect(Constants.Pages.Login);
    }
}
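The mismatch the handler above guards against comes from configuration: the forms ticket timeout and the session timeout are separate settings (defaulting to 30 and 20 minutes respectively), so the .ASPXAUTH cookie can outlive the session unless both are aligned. The following web.config fragment is an added example, not part of the tip, that aligns the two and enables the cookie protections a practitioner would expect; the loginUrl value is assumed.

```xml
<!-- Added example (not the tip's own configuration) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout here is the .ASPXAUTH ticket lifetime in minutes; the
           default is 30, which is longer than the default session timeout -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>
    <!-- keep the session lifetime equal to the ticket lifetime -->
    <sessionState mode="InProc" timeout="20" />
    <!-- mark all cookies HttpOnly and Secure so scripts cannot read them
         and browsers only send them over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```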

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Comments and Discussions

My vote of 1
Sunasara Imdadhusen, 1-May-14 0:16

My vote of 5
Humayun Kabir Mamun, 30-Apr-14 20:27
Nice
