How does ASP.NET Forms Authentication really work?
I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?
- User tries to access restricted page.
- Server looks for ASPXAuth cookie in the request but does not find it.
- Server redirects user to Login page as configured in web.config.
- User enters username and password and posts to the server.
- Server authenticates username and password against store. If valid...
- Server sets the Forms Authentication Ticket.
- The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
- The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config)
- The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
- Server redirects user back to the referring URL.
- User's browser requests original restricted page again. This time with the ASPXAuth cookie in the request.
- Server looks for ASPXAuth cookie and finds it.
- Server decrypts Forms Authentication Ticket found in the cookie.
- Server checks expiration on ticket. If this is still valid...
- Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page).
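The round trip described in the steps above, as an added example that is not part of the question or the answer: one helper issues the ticket after the credential check succeeds (steps 5 to 13), the other turns the cookie back into an identity on a later request (steps 14 to 18), returning null when the cookie is missing, fails to decrypt or validate, or has expired. It uses the real System.Web.Security API; `FormsAuthentication.Timeout` requires .NET Framework 4 or later, and the credential check itself is left to the caller. Cookie hardening (HttpOnly, Secure) is added here and is not something the answer mentions.

```csharp
// Added example (not from the question or the answer above): the
// issue-then-verify flow of forms authentication, written out step by step.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class FormsAuthFlow
{
    // Called after the username/password has been validated against the store.
    public static void IssueTicket(HttpResponse response, string userName, bool isPersistent)
    {
        DateTime issued = DateTime.Now;
        // Derive the lifetime from <forms timeout="..."> (.NET Framework 4+),
        // so a manually built ticket does not expire earlier than configured.
        DateTime expires = issued.Add(FormsAuthentication.Timeout);

        var ticket = new FormsAuthenticationTicket(
            1,                                   // version
            userName,                            // name carried in the ticket
            issued,                              // issue date
            expires,                             // expiration date
            isPersistent,                        // IsPersistent flag
            "",                                  // userData: keep it small, it is signed but sent to the client
            FormsAuthentication.FormsCookiePath);

        // Encrypt and sign with the <machineKey> decryptionKey / validationKey.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // not readable by page script
            Secure = FormsAuthentication.RequireSSL, // honours requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        // A persistent ticket needs a persistent cookie; otherwise the browser
        // drops the cookie when the session ends even though the ticket is valid.
        if (isPersistent)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }

    // Called on every later request (for example from Application_AuthenticateRequest).
    // Returns null when the user must be treated as anonymous.
    public static IPrincipal Authenticate(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;                         // no cookie: redirect to loginUrl happens downstream

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Depending on framework version a tampered or foreign-machineKey
            // value surfaces either as an exception here or as a null return
            // below; both mean "not authenticated".
            return null;
        }
        if (ticket == null || ticket.Expired)
            return null;

        // Identity is established; authorization (roles, per-feature checks)
        // is a separate step that can now look up ticket.Name in the database.
        var identity = new FormsIdentity(ticket);
        return new GenericPrincipal(identity, new string[0]);
    }
}
```

In a real application `FormsAuthentication.SetAuthCookie` or `RedirectFromLoginPage` performs the IssueTicket part in one call and the FormsAuthenticationModule performs the Authenticate part; the explicit version shows where each step of the list happens and which failure (missing cookie, failed decrypt, expired ticket) sends the user back to the login page.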
Understanding the Forms Authentication Ticket and Cookie
Introduction
Welcome to the Microsoft ASP.NET Support Voice column! I am Nilay B. Shah with the ASP.NET developer support team. I have been working with ASP.NET support for more than one and a half years. Forms Authentication is really a cool authentication feature. This article covers some issues that users have found confusing with forms authentication, such as the relationship of the forms authentication ticket and the forms authentication cookie and their relevant settings. I would like to thank Jerry Orman, technical lead for the ASP.NET support team, for his incredible help! People sometimes wonder about forms authentication "tickets" and "cookies" because they are closely related. I have come across questions such as these:
I will focus on these two aspects of Forms Authentication in this article to answer the following questions:
- What is forms authentication ticket and forms authentication cookie? How are they related?
- What is the role of a ticket in Forms Authentication?
- How are cookie expiration and ticket expiration related?
- How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?
- Where can the time-out property of the forms authentication cookie and forms authentication ticket be set?
- Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file
What is forms authentication ticket and forms authentication cookie? How are they related?
The forms authentication cookie is nothing but the container for the forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user. However, if we choose to use cookieless forms authentication, the ticket is passed in the URL in an encrypted format. Cookieless forms authentication exists because client browsers sometimes block cookies. This feature was introduced in the Microsoft .NET Framework 2.0.
For more information, visit the following Microsoft Developer Network (MSDN) Web site:
What is the role of a ticket in Forms Authentication?
The forms authentication ticket is used to tell the ASP.NET application who you are. Thus, the ticket is the building block of Forms Authentication's security.
The ticket is encrypted and signed using the <machineKey> configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is detected as a failure to decrypt the ticket on the server. As a result, the user will be redirected to the logon page.
If the application is deployed in a Web farm, you must make sure that the configuration files on each server share the same values for the validationKey and decryptionKey attributes in the <machineKey> tag, which are used for hashing and decryption of the ticket respectively. You must do this because you cannot guarantee which server will handle successive requests. For more information about FormsAuthenticationTicket encryption and Web farm deployment considerations, visit the following MSDN Web site:
A walk through of methods to manually generate keys can be found in the following Microsoft Knowledge Base articles:
Forms authentication tickets can be generated manually by using the FormsAuthenticationTicket class. For more information, visit the following MSDN Web site:
How are cookie expiration and ticket expiration related?
In the case of a non-persistent cookie, if the ticket expires, the cookie also expires, and the user is redirected to the logon page.
On the other hand, if the ticket is marked as persistent, the cookie is stored on the client computer and the browser can use the same authentication cookie to log on to the Web site at any time. However, we can use the FormsAuthentication.SignOut method to delete persistent or non-persistent cookies explicitly.
For more information about the FormsAuthentication.SignOut method, visit the following MSDN Web site:
With cookieless forms authentication, if the browser is closed, the ticket is lost and a new ticket will be generated on the next request.
How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?
Sliding expiration works exactly the same way for the ticket and the cookie!
Let us take an example: If the logon page is accessed at 5:00:00 PM, the ticket should expire at 5:10:00 PM if the timeout attribute is 10 and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05:00 PM, the cookie and ticket time-out period will be reset to 5:15:00 PM.
Note: If the Web page is accessed before half of the expiration time has passed, the ticket expiration time will not be reset. For example, if any Web page is accessed again at 5:04:00 PM, the cookie and ticket time-out period will not be reset.
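The halfway rule in the note above, as an added example that is not part of the article: `RenewIfPastHalfway` is a hypothetical re-implementation of the rule with an explicit clock, so the 5:00 / 5:04 / 5:05 timeline can be stepped through deterministically; the framework method that applies the same rule against the real clock is `FormsAuthentication.RenewTicketIfOld`. The user name and times are constructed for the demonstration.

```csharp
// Added example, not from the article: a model of sliding expiration's
// "reissue only once more than half the lifetime has elapsed" behaviour.
using System;
using System.Web.Security;

public static class SlidingExpirationDemo
{
    // Returns the original ticket while less than half of its lifetime has
    // elapsed; otherwise a fresh ticket with the same lifetime measured from
    // `now`. Hypothetical helper that mirrors the documented rule so that
    // the clock can be supplied by the caller.
    public static FormsAuthenticationTicket RenewIfPastHalfway(FormsAuthenticationTicket ticket, DateTime now)
    {
        TimeSpan elapsed = now - ticket.IssueDate;
        TimeSpan remaining = ticket.Expiration - now;
        if (remaining > elapsed)
            return ticket;               // before the halfway point: nothing is reissued

        TimeSpan lifetime = ticket.Expiration - ticket.IssueDate;
        return new FormsAuthenticationTicket(
            ticket.Version, ticket.Name,
            now, now + lifetime,         // new issue date, same lifetime
            ticket.IsPersistent, ticket.UserData, ticket.CookiePath);
    }

    public static void Main()
    {
        // Constructed timeline: logon at 5:00:00 PM with timeout="10".
        var issued = new DateTime(2024, 1, 1, 17, 0, 0);
        var ticket = new FormsAuthenticationTicket(1, "alice", issued, issued.AddMinutes(10), false, "", "/");

        // 5:04 PM: 4 minutes elapsed, 6 remaining, so the same ticket comes back.
        var at504 = RenewIfPastHalfway(ticket, issued.AddMinutes(4));
        Console.WriteLine("5:04 PM -> expires " + at504.Expiration.ToString("h:mm:ss tt"));

        // 5:05 PM: 5 elapsed, 5 remaining, so a new ticket is issued ending at 5:15 PM.
        var at505 = RenewIfPastHalfway(ticket, issued.AddMinutes(5));
        Console.WriteLine("5:05 PM -> expires " + at505.Expiration.ToString("h:mm:ss tt"));
    }
}
```

When a renewed ticket is produced, the application (or the FormsAuthenticationModule, when slidingExpiration="true") must also re-encrypt it with `FormsAuthentication.Encrypt` and write the cookie again; the ticket held in memory does not update the client on its own.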
For more information, visit the following MSDN Web site:
Where can the time-out value of the forms authentication cookie and forms authentication ticket be set?
The only setting that you can make is in the Web.config file or the Machine.config file, in the <forms> tag. This change determines the time-out period of forms authentication for both the ticket and the cookie, unless the ticket is generated manually.
For more information, visit the following MSDN Web site:
If the ticket is generated manually by using the FormsAuthenticationTicket class, the time-out can be set through the ticket's Expiration value. This value overrides the timeout attribute value specified in the configuration files.
<forms> attributes:
- name="[cookie name]" - Sets the name of the cookie used for Forms Authentication.
- loginUrl="[url]" - Sets the URL to redirect the client to for authentication.
- protection="[All|None|Encryption|Validation]" - Sets the protection mode for data in the cookie.
- timeout="[minutes]" - Sets the duration of time for the cookie to be valid (reset on each request).
- path="/" - Sets the path for the cookie.
- requireSSL="[true|false]" - Should the forms authentication cookie be sent only over SSL?
- slidingExpiration="[true|false]" - Should the forms authentication cookie and ticket be reissued if they are about to expire?
For more information about FormsAuthenticationTicket members, visit the following MSDN Web site:
Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file
If the forms authentication ticket is manually generated, the time-out property of the ticket overrides the value that is set in the configuration file. Therefore, if that value is less than the value in the configuration file, the forms authentication ticket expires before the configuration file's timeout attribute value, and vice versa. For example, let's assume that the <forms> timeout attribute is set to 30 in the Web.config file and the Expiration value of the ticket is set to 20 minutes. In this case, the forms authentication ticket will expire after 20 minutes and the user will have to log on again after that.