The configuration of forms authentication resides in the web.config file, which contains the following configuration fragment with the assigned values.
```xml
<authentication mode="Forms">
  <forms loginUrl="LogIn.aspx"
         protection="All"
         timeout="1"
         name=".USERLOGINAUTH"
         path="/"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="Default.aspx"
         cookieless="UseDeviceProfile"/>
</authentication>
```
The properties are described below:
Property | Description | Default Value |
loginUrl | Points to your application's custom logon page. | |
protection | Gets or sets the encryption type used to encrypt the cookie. This causes the cookie to be encrypted using the algorithm specified on the machineKey element, and to be signed using the hashing algorithm that is also specified on the machineKey element. | All |
timeout | Used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie. | 30 |
name | Gets or sets the cookie name. | .ASPXAUTH |
path | Gets or sets the cookie path. | / |
requireSSL | Gets or sets a value indicating whether a Secure Sockets Layer (SSL) connection is required when transmitting authentication information. If you are concerned about session hijacking, you should consider setting requireSSL to true. | false |
slidingExpiration | When the SlidingExpiration is set to true, the time interval during which the authentication cookie is valid is reset to the expiration Timeout property value. This happens if the user browses after half of the timeout has expired. For example, if you set an expiration of 20 minutes by using sliding expiration, a user can visit the site at 2:00 PM and receive a cookie that is set to expire at 2:20 PM. The expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:09 PM, the cookie is not updated because half of the expiration time has not passed. If the user then waits 12 minutes, visiting the site at 2:21 PM, the cookie will be expired. | true |
defaultUrl | The URL to which to redirect the request after authentication. | default.aspx |
cookieless | The Cookieless property defines whether forms-based authentication should use a cookie to exchange user information. | UseDeviceProfile |
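The renewal rule in the slidingExpiration row can be replayed against a list of visit times. The console program below is an added example, not code from the original article and not the framework's implementation: it re-implements the rule as described (the Ticket struct, the OnRequest and Replay names and the sample date are assumptions) and contrasts it with absolute expiry.

```csharp
using System;

// Added example: re-implements the renewal rule from the slidingExpiration row
// for illustration. It does not call System.Web; all names are hypothetical.
static class SlidingExpirationDemo
{
    // Stand-in for the issue/expiry pair carried by a forms authentication ticket.
    struct Ticket { public DateTime Issued, Expires; }

    // Returns the ticket in force after a request at 'now', or null once expired.
    static Ticket? OnRequest(Ticket t, DateTime now, bool sliding)
    {
        if (now >= t.Expires) return null;           // expired: back to loginUrl
        if (!sliding) return t;                      // absolute expiry is never extended
        TimeSpan elapsed = now - t.Issued;
        TimeSpan remaining = t.Expires - now;
        if (remaining > elapsed) return t;           // under half the lifetime used: keep
        TimeSpan lifetime = t.Expires - t.Issued;    // otherwise reissue for a full window
        return new Ticket { Issued = now, Expires = now + lifetime };
    }

    static void Replay(string label, bool sliding, params string[] visits)
    {
        DateTime login = new DateTime(2024, 1, 1, 14, 0, 0);   // constructed date, 2:00 PM
        Ticket? t = new Ticket { Issued = login, Expires = login.AddMinutes(20) };
        Console.WriteLine(label);
        foreach (string v in visits)
        {
            DateTime now = login.Date + TimeSpan.Parse(v);
            if (t.HasValue) t = OnRequest(t.Value, now, sliding);
            Console.WriteLine("  {0:HH:mm} -> {1}", now, t.HasValue
                ? "valid until " + t.Value.Expires.ToString("HH:mm")
                : "expired, sign in again");
        }
    }

    static void Main()
    {
        Replay("sliding, timeline from the table:", true, "14:09", "14:21");
        Replay("sliding, visit after the halfway point:", true, "14:11", "14:21", "14:40");
        Replay("absolute expiry, same visits:", false, "14:11", "14:21", "14:40");
    }
}
```

With sliding expiration each sufficiently late visit pushes the expiry forward, so a ticket in regular use has no fixed end; with slidingExpiration="false" the same visits leave the expiry at 2:20 PM.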
Create the authentication ticket at login
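The code below is used in the login page or control, in the click handler of the login button. It validates the user's login and then adds a permanent forms authentication ticket to the browser.

```csharp
// Requires: using System; using System.Web; using System.Web.Security;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                    // ticket version
    Username,             // user name stored in the ticket
    DateTime.Now,         // issue time
    DateTime.MaxValue,    // expiration: the ticket never expires (permanent session)
    true,                 // persistent cookie
    string.Empty,         // userData: never put the password here, the ticket is sent with every request
    FormsAuthentication.FormsCookiePath);

// Encrypt the ticket using the machine key for secure transport
string encUserAuthTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encUserAuthTicket); // Encrypted ticket

// A hand-built cookie does not get the flags SetAuthCookie applies, so set them explicitly
cookie.HttpOnly = true;
cookie.Secure = FormsAuthentication.RequireSSL;

// Set the cookie's expiration time to the ticket's expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for the outgoing response (context is the current HttpContext)
context.Response.Cookies.Add(cookie);

// Framework helper: builds a persistent ticket for the user with the web.config timeout and adds it to the response
FormsAuthentication.SetAuthCookie(Username, true);
```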
FormsAuthentication.SetAuthCookie
This method creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication. The first overload of this function has two parameters:
userName: The name of the authenticated user.
createPersistentCookie: True to create a persistent cookie (one that is saved across browser sessions); otherwise, false.
This method adds a cookie or persistent cookie to the browser with an expiry time set in the "timeout" parameter, and with the name and path set in the "name" and "path" parameters. The user will be automatically logged out once the cookie expires, so the user's login session depends on the expiry of the forms authentication ticket saved in the browser cookie. Here, I will create a permanent user login session using this technique. Happy coding…