interview

home / developersection / interviews / what is forms authentication in asp.net and how does it work?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

01-Jun-2025

Forms Authentication in ASP.NET is a way to authenticate users by having them log in through a web form. Instead of using Windows authentication, users enter their credentials on a login page. When they successfully log in, ASP.NET issues an authentication ticket, usually stored in a cookie, which identifies the user on subsequent requests.

How Forms Authentication Works:

  1. The user tries to access a page or resource that requires authentication.
  2. If the user is not authenticated, ASP.NET automatically redirects them to a configured login page.
  3. The user submits their username and password on the login page.
  4. The application validates the credentials (often by checking a database).
  5. If validation succeeds, ASP.NET creates an authentication ticket and places it in a cookie sent to the user's browser.
  6. For all future requests, the browser sends this cookie back to the server, and ASP.NET uses it to identify and authenticate the user.

Configuration example in web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Login.aspx" timeout="30" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>
  1. The loginUrl specifies the page where users enter their credentials.
  2. The <deny users="?"> means anonymous users (not logged in) are denied access to the protected resources.

Creating the authentication ticket in code:

if (Membership.ValidateUser(username, password))
{
    FormsAuthentication.SetAuthCookie(username, false);  // false = not persistent
    Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
}
else
{
    // Handle invalid login
}

Logging out:

FormsAuthentication.SignOut();
Response.Redirect("~/Login.aspx");

Summary

  • Users log in through a form.
  • A cookie holds an encrypted ticket identifying the user.
  • ASP.NET uses this ticket to authenticate requests.
  • Works well for web apps requiring simple login functionality.
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy