This tip explains how forms authentication works through cookies using Microsoft ASP.NET framework.
Using the Code
ASP.NET framework maintains user authentication directly through cookies so that we don’t have to worry about coding that piece into our web application.
Once a user is successfully authenticated through a membership provider, ASP.NET framework provides the
Membership class to fetch information related to that user. For instance, in any page, calling the
Membership.GetUser() would yield the logged in user object. But server is stateless. So how can ASP.NET framework maintain the client identity. For that, ASP.NET framework uses the
When the client enters his credentials and submits the login page, the request goes to the server which authenticates the client through a membership provider. Upon successful authentication, ASP.NET framework creates the membership user and sends the encrypted
.ASPXAUTH cookie along with the response. The timeout of that cookie is the same as the session timeout. This cookie is not deleted if the client browser is closed. As a result, the browser adds this cookie in all the subsequent requests irrespective of whether the browser was closed or not as long as the cookie is active. The server would read this cookie from the request and identify the user as authenticated by setting the below variable to
That is why in ASP.NET applications, after login, even if the browser is closed, reopening the browser and directing to a secure page would not ask you for your password because the
.ASPXAUTH cookie would still exist in the request as long as the session does not timeout.
Once the cookie expires, the next request from the client would not contain that cookie. As a result, server will treat it as a new request thereby setting
Membership.GetUser() would be
null and the request would return the login page in response, even though the request was made to a secure page. Again, the client would enter credentials and submit the login page and upon authentication, a new
.ASPXAUTH cookie would be generated and sent with the response. However, there can be a possibility where the request is authenticated, i.e., the cookie was sent, but the user in
Membership is not there because the session already expired. To handle that, we would need to add the following method in global.asax.
protected void Application_AuthenticateRequest(object sender,EventArgs e)
if (Request.IsAuthenticated && Membership.GetUser() == null)
if (HttpContext.Current != null &&HttpContext.Current.Session != null)