
Forms Authentication in ASP.NET




CRB Tech reviews on using forms authentication in Web API


ASP.NET developers commonly use forms authentication to secure their web pages. Like ASP.NET Web Forms and ASP.NET MVC applications, Web API can also take advantage of forms authentication to implement authentication in ASP.NET.


In this post we explain how forms authentication is used with a Web API that is consumed from an MVC application.


The overall process of implementing forms authentication remains the same for Web API. However, there are a few points to keep in mind:


Web API does not log a user in or out by itself. This is handled by the underlying web application, whether it is a Web Forms application or an MVC application.


Generally, a user logs into the application through a web form or view created for the purpose and then proceeds to call a Web API.


Web API action methods can find out the authentication status of a user, along with their membership information and role information.


If an unauthenticated user tries to access a Web API that requires authentication, you typically get an “undefined” error in the browser.


Configure SQL Server


Membership features of ASP.NET require certain database tables and stored procedures. To configure a SQL Server database for the application services (membership, roles, profiles) you use the aspnet_regsql.exe command line tool. Alternatively, you can let ASP.NET create and configure a new LocalDb database for you if you don’t want to use an existing database.


Configure Web API project to use forms authentication


Let’s create a new ASP.NET MVC 4 project and choose Web API as its project template. Then open its web.config file and add the following markup to it:

<authentication mode="Forms">
<forms loginUrl="~/home/login" defaultUrl="~/home/index"></forms>
</authentication>



The <authentication> section sets the authentication mode, in this case Forms. The <forms> tag sets the loginUrl and defaultUrl attributes to ~/home/login and ~/home/index respectively. The loginUrl attribute indicates the URL of the login page, whereas the defaultUrl attribute indicates the URL of the default page the user is sent to after logging in.



If you haven’t configured a database to store membership information and don’t want to use an existing database, select PROJECT > ASP.NET Configuration to open the Web Site Administration Tool.



Click the Security tab of the tool and create two roles, Administrator and Operator. Then create two users, user1 and user2, and assign them to the Administrator and Operator roles respectively.



This creates a new LocalDb database in the App_Data folder and also adds the membership, role and profile providers to the web.config as shown below:



<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider"
type="System.Web.Providers.DefaultMembershipProvider,… />
</providers>
</membership>

<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider"
type="System.Web.Providers.DefaultRoleProvider… />
</providers>
</roleManager>

<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider"
type="System.Web.Providers.DefaultProfileProvider… />
</providers>
</profile>



As you can see, the membership, role and profile providers are taken from the System.Web.Providers namespace.



Login and Logout views



Since we created the users with the Web Site Administration Tool as described in the previous section, there is no need to build a registration page. You can directly create the Login and Logout actions and views. To do so, open HomeController from the Controllers folder and add the following actions to it:



// Required at the top of HomeController.cs:
// using System.Web.Mvc;
// using System.Web.Security;

// GET /home/login: renders the login form
public ActionResult Login()
{
    return View();
}

// POST /home/login: validates the credentials against the configured membership provider
[HttpPost]
public ActionResult Login(string userid, string password)
{
    if (Membership.ValidateUser(userid, password))
    {
        // Issue a non-persistent (browser session) forms authentication cookie
        FormsAuthentication.SetAuthCookie(userid, false);
        return Redirect(FormsAuthentication.DefaultUrl);
    }
    // Invalid credentials: show the login form again
    return View();
}

// GET /home/logout: renders the logout confirmation view
public ActionResult Logout()
{
    return View();
}

// POST /home/dologout: removes the forms authentication cookie
[HttpPost]
public ActionResult DoLogout()
{
    FormsAuthentication.SignOut();
    return Redirect(FormsAuthentication.LoginUrl);
}



The Login(), Logout() and DoLogout() methods are easy to comprehend. The second version of the Login() method accepts user ID and password parameters. Inside, it uses the ValidateUser() method of the Membership class to check whether the user has supplied valid credentials. If so, a forms authentication cookie is set using SetAuthCookie() of the FormsAuthentication class. The user is then redirected to the default page (/home/index in this case).



The DoLogout() method deletes the forms authentication cookie using the SignOut() method of the FormsAuthentication class and takes the user to the login page (/home/login in this case).
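The following Web API controller is an added example, not code from the original post: it shows the consuming side of the points listed at the start, once the cookie issued by Login() is in place. [Authorize] rejects callers without a valid forms authentication cookie, and the actions read the caller's identity and roles through the membership and role providers configured above; the controller name and the returned field names are assumptions.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web.Http;
using System.Web.Security;

// Hypothetical controller added to the same MVC 4 / Web API project.
// The browser sends the forms authentication cookie set by HomeController.Login
// with every request, so Web API sees the same principal as the MVC views.
[Authorize] // unauthenticated callers are rejected before any action runs
public class UserInfoController : ApiController
{
    // GET api/userinfo: available to any logged-in user (user1 or user2)
    public IDictionary<string, object> Get()
    {
        string userId = User.Identity.Name;
        MembershipUser member = Membership.GetUser(userId);
        return new Dictionary<string, object>
        {
            { "userId", userId },
            { "isAuthenticated", User.Identity.IsAuthenticated },
            // Role queries are answered by the configured DefaultRoleProvider
            { "roles", Roles.GetRolesForUser(userId) },
            { "isAdministrator", User.IsInRole("Administrator") },
            { "lastLogin", member == null ? (object)null : member.LastLoginDate }
        };
    }

    // GET api/userinfo/{id}: Administrator role only, so user1 succeeds and
    // user2 (Operator) is rejected with 401, which the forms authentication
    // module then turns into a redirect to ~/home/login
    [Authorize(Roles = "Administrator")]
    public IDictionary<string, object> Get(string id)
    {
        MembershipUser member = Membership.GetUser(id);
        if (member == null)
        {
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }
        return new Dictionary<string, object>
        {
            { "userId", member.UserName },
            { "roles", Roles.GetRolesForUser(member.UserName) },
            { "isLockedOut", member.IsLockedOut },
            { "lastLogin", member.LastLoginDate }
        };
    }
}
```

Because the forms authentication module converts the 401 into a redirect to the login page, a script that calls the API without a cookie receives login-page HTML instead of JSON, which is the “undefined” error mentioned earlier.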



If you are considering ASP.NET training, our CRB Tech ASP.NET Training center could be very helpful in fulfilling your aspirations.


