Forms Authentication in ASP.NET
CRB Tech reviews on using form authentication in web API
ASP.NET developers commonly use forms authentication to secure their web pages. Like ASP.NET Web Forms and ASP.NET MVC applications, Web API can also take advantage of forms authentication to implement authentication and security.
In this post, we explain how forms authentication is used in a Web API that is consumed by an MVC application.
The overall process of implementing forms authentication remains the same for Web API. However, there are a few points that you need to keep in mind:
Web API doesn’t log a user in or out by itself. This is handled by the underlying web application, whether it is a Web Forms application or an MVC application.
Generally, a user logs into the application using a web form or a view created for that purpose and then proceeds to call a Web API.
The Web API action methods can find out the authentication status of a user, as well as the user's membership and role information.
If an unauthenticated user tries to access a Web API that requires authentication, you basically get an “undefined” error in the browser.
Configure SQL Server
The membership features of ASP.NET require certain database tables and stored procedures. To configure a SQL Server database for the application services (membership, roles, profiles), you use the aspnet_regsql.exe command-line tool. If you don’t want to use an existing database, you can also let ASP.NET create and configure a new LocalDB database for you.
Configure Web API project to use forms authentication
Let’s create a new ASP.NET MVC 4 project and choose Web API as its project template. Then open its web.config file and add the following markup to it:
The <authentication> section sets the authentication mode, which in this case is Forms. The <forms> tag sets the loginUrl and defaultUrl attributes to ~/home/login and ~/home/index respectively. The loginUrl attribute gives the URL of the login page, whereas the defaultUrl attribute gives the URL of the default page.
If you haven’t configured a database to store membership information and don’t want to use an existing database, select PROJECT > ASP.NET Configuration to open the Website Administration Tool.
Click on the Security tab of the tool and create two roles – Administrator and Operator. Then create two users – user1 and user2 – and associate them with the Administrator and Operator roles respectively.
This will add a new LocalDB database to the App_Data folder and will also add membership, roles and profile providers to web.config as given below:
As you can see, the membership, roles and profile providers are picked from the System.Web.Providers namespace.
Login and Logout views
Because we created the users with the Website Administration Tool (WAT), as described in the section above, there is no need to build a registration page. You can directly develop the Login and Logout actions and views. To do that, open HomeController from the Controllers folder and add the following actions to it:
The Login(), Logout() and DoLogout() methods are easy to follow. The second version of the Login() method accepts user ID and password parameters. Inside, it uses the ValidateUser() method of the Membership class to check whether the user has supplied valid credentials. If so, a forms authentication cookie is set using SetAuthCookie() of the FormsAuthentication class. The user is then redirected to the default page (/home/index in this case).
The DoLogout() method deletes the forms authentication cookie using the SignOut() method of the FormsAuthentication class and takes the user to the login page (/home/login in this case).
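The four actions described above, written out as an added example (this is not the author's original listing, which does not appear on this page). The [HttpPost] and [ValidateAntiForgeryToken] attributes, the non-persistent cookie, the parameter names and the generic error message are assumptions, and the Login and Logout views are assumed to emit @Html.AntiForgeryToken() inside their forms.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class HomeController : Controller
{
    // GET /home/login: render the login form.
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    // POST /home/login: second overload, receives the posted credentials.
    // Assumption: the form fields are named "userid" and "password".
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userid, string password)
    {
        if (Membership.ValidateUser(userid, password))
        {
            // false = session cookie, not persisted after the browser closes.
            FormsAuthentication.SetAuthCookie(userid, false);
            return RedirectToAction("Index");   // defaultUrl: /home/index
        }

        // One message for both an unknown user and a wrong password,
        // so the response does not reveal which user IDs exist.
        ModelState.AddModelError("", "Invalid user ID or password.");
        return View();
    }

    // GET /home/logout: confirmation view with a form that posts to DoLogout.
    [Authorize]
    public ActionResult Logout()
    {
        return View();
    }

    // POST /home/dologout: state-changing, so POST plus anti-forgery token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DoLogout()
    {
        FormsAuthentication.SignOut();          // removes the forms auth cookie
        return RedirectToAction("Login");       // loginUrl: /home/login
    }
}
```

Web API actions called after login then see the authenticated user through the same forms cookie, so an [Authorize] attribute on those actions is what actually enforces the login.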