trying to understand how Authentication works...

Hi dear All,

I feel like I am lost in all these authentication layers, components and providers. Need help to understand it from the bottom. Here are my questions:

1) When we restrict access to files via web.config

<deny users="?" />

what indicates to IIS that a user is authenticated or not? Is it  System.Web.HttpContext.Current.User.Identity.IsAuthenticated property? Or something else?

Say, if I need to do my completely custom authentication, at the end I need just to set or reset that property? (how to reset it btw?)

How authentication ticket works with all this?


2) MembershipProvider is meant to be used mainly with asp Logon control, correct?

That's why if one wants to keep that standard logon control and use custom authentication, he/she just implements custom membership provider and adds it to the list of providers in web.config, right?...

Hence if I do not use asp logon control, there is no much help of custom Membership Provider?


3) if MembershipProvider is used for asp logon control(s), then what FormsAuthentication is meant for? Are they on different levels of abstraction? :)


Reading of FormsAuthentication Explained gives an impression that FormsAuthentication is they key element in all this story, and Membership class is just another helper to figure out if a user can be granted those access rights...


A typical example of user authentication is this line

   If (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text))
FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked);

Does RedirectFromLoginPage() sets internally a flag that the user is authenticated?... It's not obvious.

And ValidateUser can be any other method I may need, right? 



I am just trying to separate the authentication mechanism itself from higher level wrappers, helpers and providers...





11/15/2007 3:40:04 PM 27051 articles. 1 followers. Follow

4 Replies

Similar Articles

[PageSpeed] 12

Finding some answers meanwhile:

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you.

The FormsAuthentication class creates the authentication cookie automatically when the FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage methods are called. 

which makes the picture a little bit clearer. Smile 

11/15/2007 4:50:11 PM

I think if you take a read of the articles at

You should get a good understanding.

Also a great book is

Professional ASP.NET Security, Memerbship and Role Management by Stefan Schackow

 ISBN: 0-7645-9698-5

Hope it helps

If this has helped Please: Don't forget to click "Mark as Answer" on the post that helped you.
That way future readers will know which post solved your issue.
11/15/2007 7:02:17 PM

jeremyh, I also hope that will help.. thank you!

11/15/2007 10:14:54 PM

ok, here are my answers:

  • enable form authentication in web.config.
  • To indicate to ASP.NET that a user is authenticated - call  FormsAuthentication.RedirectFromLoginPage( username, false/true).
  • After that a value System.Web.HttpContext.Current.User.Identity.Name will contain the currently logged user name username.
  • To indicate that user has logged off, call FormsAuthentication.SignOut( )

It so simple. You do not have to use anything else, it's up to you how to figure out if a given user/password are valid credentials, either via standard Membership class or something else.

I must be sounded stupid here in my original post. Sorry about it, guys. And thank you anyways! 




11/16/2007 3:02:58 AM

Similar Artilces:

I am trying to find .NET FrameWork class libraries and ADO.NET libraries maps to hang in my cube at work or at home.
Hello,    I am in search of the .NET Framework 1.x and 2.0 and 3.0 class library maps and ADO.NET class library maps to hang/pin to my cube at work and also at home. I believe that helps understand more about the Framework and also if some thing is presented in a pictorial representation I guess I can learn more than reading whole lot of stuff.   So is there a place on the net or any company that offers this to buy or down load?   Any inputs or help me finding on this is greately appreciated.   Thanks in advance, -L   The Visual Studio magazine use...

trying to understand how an ITemplate works
Hello,  I have been looking on google and around to try to grasp the functionallity of a ITemplate. What i want first of all is that my user (after dragging the control onto an page) fills in some html in a layout field. example:<cc1:EmailControl ID="EmailControl1" runat="server"><EmailOwnerLayout>This email was sent on <b>{sent}</b> from <b>{name}</b> (<b>{email}</b>).<br /><br />{message}</EmailOwnerLayout></cc1:EmailControl> When he then clicks on send, i want to get that html code...

trying to Understand how tracing works
i  turned on the tracing for my App to catch exceptions in production.but  when i tested it in UAT by browsing trace.axd, i  understood that it trace all the pages which were browsed before. and it can hold atmost 50 requests. i  am just wondering,i  am intersted in tracing only those pages which raised exceptions. what if a page raised exception and there are more that 50 requests after that,then the one with exceptions will get erased. am i using the trace properly?.  or what is the best way to catch exceptions on production environment(for a web app...

New Security Tool for .NET Authentication
Hi, Here Piseth, Introduce you a new tool new most Valuable tool for .NET Authentication and Security. Authentication Made easy, no code required. MVPD - Visual Guard, Simple Steps, Hight Security and Authentications Levels  Also you can Check out the Post Review of Most Valuable Products foe Developer ( MVPD )   Thanks...

Trying to get to work
Hi,I'm using Visual Studio 2005 and trying to get to work with it (I'm using Oracle 10g) When I create a new connection, I could choose from the following (I omitted the obvious choices that I won't select like SQL server, access, etc.)Oracle Database<other>  Which should I select? Then what should I select in the "Data Provider" drop down?There are not any selections. What can I have wrong. I have added Oracle.DataAccess as a reference for my project but am not sure how to verify it. Thanks for any help Carl ...

Trying to understanding form based authentication
I am using this example Looking at this example or any form based authentication what tells the web site that the user has been authenticated? I ask because with my code I navigate to the default page. I am redirected to the login page. I enter my credentials and am authenticated and sent to the requested page. Now I want to go to another page in the site. What tells IIS7 that I do not have to be authenticated again for this new page? That is my problem I think. I can authenticate the user but every page I naviagte to forces me to authenticate the ...

Trying to get Linux authentication to work
Hi all, I have Linux authentication working through LDAP. The problem is the homDirectory attribute. When I specify a home directory in the UNIX Profile snap in, it overloads the LDAP attribute with "Home Directory" from the Environment tab and "Home Directory" in the UNIX Profile tab, like so homeDirectory: cn=My_Cluster,ou=tech,o=myCompany#0#USERS\superwashu /home/superwashu I haven't been able to figure out how to get my clients to read the second attribute. I don't know if it's even possible with the linux ldap client. I've tried exp...

Trying to come to an understanding about AD authentication.
I have a site that I'm creating that uses authentication against AD. Now the process is that the user logs in and the site authenticates with AD and then creates a authentication cookie. The problem I have been having is that is the session is aborted incorrectly (Crashed) the cookie is not deleted and the user cannot log back in until the cookie is manually deleted. This is the first method I was able to get working but I'm wondering if there is a better way so that the user is not left hanging if the browser or PC crash or they do not log off correctly. Is it possible to just aut...

secure pages lose authentication, is there a work-around?
Some pages on the site have to be run under a secure certificate. Of course as soon as I go from a 'normal' page to a secure one ( --> I loose the cookie, the authentication and everything because I am acutally changing sites (just to let you know that I know that) Am I going to have to write my own routines to authenticate ... I've solved this before 2.0 with carring things around in a querystring ... and of course this still works. But is there a way to retain authentication between the two states (unauthenticat...

Secure Excel Files with Forms Authentication Only Works Once
I have been stuck on this problem for a couple of days now and can't seem to find anyone with the same problem. I have a secure directory that has Excel files that I want only certain people to have access to. Because Forms authentication only secures .NET files I added the .xls File Extension in my App Mappings to the aspnet_isapi.dll in iis. This seemed to work because my login page properly displayed when I tried to access one of the Excel files. However, I noticed that as long as the file is stored in my Temporary Internet Files, I am not required to login again even though my Tick...

Trying to get .NET app (Duwamish) working...
Hi all, I need some help getting Duwamish (7.1) working. I've done the following: installed IIS and Visual Studio .NET configured ISS to use SDK (aspnet_regiis.exe -i) - thanks Xanderno! installed MSSQL 2000, tested the connection So here are the symptoms: http://localhost:888/Duwamish does load BUT category links on the left hand side link to http://localhost/Duwamish/... without the port no. Now some links point to the right host; this is a little odd to me (I'd expect all relative links to point to the host w/o proper port if it were a standard con...

Type.GetType does not work in VB.NET but works in C#. VB.NET gurus Please help
Friends,   I am an experienced C# programmer who is working on a VB.NET project now. I am writing different methods covering the following functionalities 1) Take a datareader as input and return an arraylist of class object2) Take an xmlnode (received from a webservice) as input and return an arraylist of class object. The methods are generic methods which take datareader/xmlnode as first parameter and classname (string) as the second parameter. This way it will work trivially. The schema of class object matches with the input (datareader or xmlnode)In C# I used to do th...

Trying to work with Site-Map Security Trimming
I have created a website with ASP.NET that [now] has separate folders that has .aspx forms that I want to segment by levels of authorization. I followed the 'How Site-Map Security Trimming Works and I've added the following code to my web.config file: <siteMap defaultProvider="default"><providers> <clear /> <add name="default" type="System.Web.XmlSiteMapProvider" siteMapFile="web.sitemap"securityTrimmingEnabled="true" /> </providers> </siteMap> I have created Roles for each group and have tu...

I have no idea how security works in .net, could someone explain me?
Hi, I had experience developing an e-commerce website, but its just a school project, so I have no idea how big is the difference between school projects and real-world projects. Now I am developing a real-world ecommerce website, which even make me confuse. What I like to do is to create a user area. In classic asp, what I need to do is to write a boolean to a cookie if the user has entered the username and the password correctly, and add some script to those member pages to detect the if cookie. If it is not a sucessful login, the script will redirect the end user to the login page. ...

Need help working around .NET security
I have problems with .NET security blocking the network programs I create.  If I use caspol to give full trust to the internet zone, then everything works fine.  I know I can use the Strong Name utility to create a strong name and add it to all my assemblies, but I would like an easier way.  Is it possible to disable .net security within my program and then re-enable it before closing the program?  I'm the network admin and I run apps that fix problems, or change account passwords, etc.  I have been told that some people will create an application in a p...

Help me understand how to work with the various .net versions
 I am using Visual Web Developer 2008 Express Edition.  As I understand it, this program is designed to work with .net 3.5.My web hosting service supports .net 2.0.  I assume this means that a program I create on my PC may not run on my web site.  How do I know what will work and what won't on a specific version before I spend time developing it?  Are there certain controls that I should avoid, like LinqDataSource, if the program is going on my web site?  Thanks.   Create 3.5 site, right click on it in solution explorer, choose Properties and cha...

ODP.NET:Windows Authentication is not working. Pls help.
I am working on VS.NET 2003 envt on a web application in C#.NET and trying to connect to Oracle 9i database. Because this appln is to be used in an intranet, hence OS authentication is to be used. The following connection string works fine for me and connects properly to the database;OracleConnection con = new OracleConnection();con.ConnectionString = "User Id=temp_userID;Password=temp_pwd;Data Source = oracle_serverName;";con.Open();where 'user id' and 'password' are present in the 'sys_userinfo' table.Now when I connect to the oracle server thru SQL* PLUS, giving just "/" as the user-id (t...

Trying to set up security for web site for user authentication and creation...
I'm having a few problems and was hoping you guys might be able to help me out and point me in the right direction.I'm trying to set up my website for use of web forms using the new security and authentication features included in 2.0+.  However, despite following 2 different guides and a book on setting up my web site for using this, I keep running into a snag at the same part and can't figure out what's going on.I'm having some problems trying to set up my server to use the membership services and authentication built in to 2.0. I tried a guide f...

Newbie Needs Help: Trying to understand wireless network security
I have been reading posts and websites and I feel like I'm getting bits and pieces of the story. I'm trying to understand security over a wireless network. I have read a few people saying that they are confident that they have a secure wireless network. I was wondering if there is a good resource for beginners who would like to set up a secure network. I understand up to using WPA, that disabling SSID doesn't really make a difference and that's about it. I want to also know if one sets up a home network system, will the transmission between the desktop and ...

I am trying to access links off of the web page at the bottom of this email. They work in Internet Explorer just fine. I have tried this on 2 different computers and the links do not work. Why? Tha
I am trying to access links off of the web page at the bottom of this = email. They work in Internet Explorer just fine. I have tried this on 2 = different computers and the links do not work. Why? Thanks. =20 =20 =20 Brenda Sharpmack Watson Chapel School District Technology Coordinator 870 - 879 - 7206 (office) 870 - 556 - 0640 (cell) 870 - 879 - 1710 (fax) ( = ) Brenda Sharpmack said this on 4/3/2009 11:30 AM: > I am trying to access links off of the web page at the bottom of this email. They w...

Trying to get a 2.0 site (with AJAX.NET) working on Server 2000
I recently wrote an application using AJAX.NET (and obvioulsy .NET 2.0).  When I went to publish the site on the server I realized that neither .NET 2.0 or AJAX.NET were installed.   I downloaded both and installed.  Rebooted the server to be sure.   After I created the virtual directory, I went to check the site.  I got a parse error ont he web.config file, immediately I realized that I forgot to set the site to 2.0 from 1.1 (like I do EVERY SINGLE TIME, but that is not here nor there).    The wierd thing is, is that once I switched over to 2.0 when...

.Net security update KB917283) won't install and repeatedly tries
Help - this security update will not install for some reason and continues to try to download and install. How do I kill this inane action? thx -- Lionel B. Dyck <>< AIM ID: lbdyck Homepage I've found that some updates require you to Start > shutdown and reboot your computer before it will finish the install. Torrance Lionel B. Dyck wrote: > Help - this security update will not install for some reason and > continues to try to download and install. > > How do I kill this inane action? > > thx Torran...

Trying to ger HP Service Manager v7.01 to use secure LDAP to authenticate to eDir
Hello: We use secure LDAP to authenticate many clients in our env so we know our certs work. We are trying to get HP Service Manager v 7.01 to authenticate against eDir. without much success. Any ideas as to what the problem might be would help. If secure LDAP was not working many things in our env would have stopped working. Results from DSTRACE on LDAP Server (eDir 8.8 SP2 on NW 6.5 Sp7 14:11:14 96625540 00000000 LDAP: New cleartext connection 0x9b0151c0 from, monitor = 0x921, index = 46 14:11:14 9150E600 00000000 LDAP: Connection 0x9b0151c0 closed 14:12...

Feedback form was working well, suddenly "The SMTP server requires a secure connection or the client was not authenticated."
 Hi..I have this feedback form on my website which works perfectly fine yesterday...however today, it gave me  this error:The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required [SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required. Learn more at ] System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode, String response) +881192 System.Net.Mail.MailCommand.Send(Sm...

Web resources about - trying to understand how Authentication works... -

Authentication - Wikipedia, the free encyclopedia
Authentication (from Greek : αὐθεντικός authentikos , "real, genuine," from αὐθέντης authentes , "author") is the act of confirming the truth ...

New Tools to Optimize App Authentication
At f8, we announced a redesigned Auth Dialog and a new authentication flow to give developers more control over people’s first experience with ...

Facebook Tells Some Developers They Have 48 Hours to Fix Authentication Data Leaks
... sent an email to what it calls a “very small percentage of the developer community” informing them their apps are suspected of leaking authentication ...

Lockdown - A better two-factor authentication experience on the App Store on iTunes
Get Lockdown - A better two-factor authentication experience on the App Store. See screenshots and ratings, and read customer reviews.

Sony Authentication Power Outlet Recognizes Users and Devices #DigInfo - YouTube
Sony Authentication Power Outlet Recognizes Users and Devices DigInfo TV - 9/3/2012 NFC & Smart WORLD 2012 Sony Authentication ...

SafeNet brings Cloud-based authentication service to A/NZ
SafeNet has released its new Cloud-based authentication service, billed as Authentication-as-a-Service, in A/NZ.

Online account security: lazy authentication is still the norm
Even in the high-tech world of 2016, crims will be able to side-step your account security by making a phone call and saying they're you.

Digital authentication to become Google's next big focus
Streamlining the website login process a top priority, according to the company’s Australian business and consumer services manager Dan Metcalf. ...

ATO boosts service access via app and voice authentication
The ATO has announced it will extend its voice authentication system to its mobile app

Resources last updated: 2/19/2016 10:46:31 AM