Click here to Skip to main content
14,388,831 members

ASP.NET Authentication Management

Rate this:
2.60 (4 votes)
Please Sign up or sign in to vote.
2.60 (4 votes)
30 Apr 2014CPOL
Describes authentication management using cookies


This tip explains how forms authentication works through cookies using Microsoft ASP.NET framework.

Using the Code

ASP.NET framework maintains user authentication directly through cookies so that we don’t have to worry about coding that piece into our web application.

Once a user is successfully authenticated through a membership provider, ASP.NET framework provides the Membership class to fetch information related to that user. For instance, in any page, calling the Membership.GetUser() would yield the logged in user object. But server is stateless. So how can ASP.NET framework maintain the client identity. For that, ASP.NET framework uses the .ASPXAUTH cookie.

When the client enters his credentials and submits the login page, the request goes to the server which authenticates the client through a membership provider. Upon successful authentication, ASP.NET framework creates the membership user and sends the encrypted .ASPXAUTH cookie along with the response. The timeout of that cookie is the same as the session timeout. This cookie is not deleted if the client browser is closed. As a result, the browser adds this cookie in all the subsequent requests irrespective of whether the browser was closed or not as long as the cookie is active. The server would read this cookie from the request and identify the user as authenticated by setting the below variable to true.


That is why in ASP.NET applications, after login, even if the browser is closed, reopening the browser and directing to a secure page would not ask you for your password because the .ASPXAUTH cookie would still exist in the request as long as the session does not timeout.

Once the cookie expires, the next request from the client would not contain that cookie. As a result, server will treat it as a new request thereby setting Request.IsAuthenticated to false. The Membership.GetUser() would be null and the request would return the login page in response, even though the request was made to a secure page. Again, the client would enter credentials and submit the login page and upon authentication, a new .ASPXAUTH cookie would be generated and sent with the response. However, there can be a possibility where the request is authenticated, i.e., the cookie was sent, but the user in Membership is not there because the session already expired. To handle that, we would need to add the following method in global.asax.

protected void Application_AuthenticateRequest(object sender,EventArgs e)
    if (Request.IsAuthenticated && Membership.GetUser() == null)
        if (HttpContext.Current != null &&HttpContext.Current.Session != null)


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sajid Qayyum
United States United States
No Biography provided

Comments and Discussions

GeneralMy vote of 1 Pin
Sunasara Imdadhusen1-May-14 1:16
professionalSunasara Imdadhusen1-May-14 1:16 
GeneralMy vote of 5 Pin
Humayun Kabir Mamun30-Apr-14 21:27
MemberHumayun Kabir Mamun30-Apr-14 21:27 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Posted 30 Apr 2014


7 bookmarked