I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?

With the help of a good article, this is how I understand the process (assuming that the user's browser has cookies enabled)...
  1. User tries to access restricted page.
  2. Server looks for ASPXAuth cookie in the request but does not find it.
  3. Server redirects user to Login page as configured in web.config.
  4. User enters username and password and posts to the server.
  5. Server authenticates username and password against store. If valid...
  6. Server sets the Forms Authentication Ticket.
     - The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
     - The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config).
     - The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
  7. Server redirects user back to the referring URL.
  8. User's browser requests original restricted page again. This time with the ASPXAuth cookie in the request.
  9. Server looks for ASPXAuth cookie and finds it.
  10. Server decrypts Forms Authentication Ticket found in the cookie.
  11. Server checks expiration on ticket. If this is still valid...
  12. Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page).
That seems to make sense. The interesting thing about this process is that Session State is not involved at all.