If no forms authentication ticket is present, the user is anonymous.

UrlAuthorizationModule – determines whether or not the current user is authorized to access the requested URL. This module determines the authority by consulting the authorization rules specified in the application's configuration files. ASP.NET also includes the FileAuthorizationModule that determines authority by consulting the requested file(s) ACLs.

The FormsAuthenticationModule attempts to authenticate the user prior to the UrlAuthorizationModule (and FileAuthorizationModule) executing. If the user making the request is not authorized to access the requested resource, the authorization module terminates the request and returns an HTTP 401 Unauthorized status. In Windows authentication scenarios, the HTTP 401 status is returned to the browser. This status code causes the browser to prompt the user for their credentials via a modal dialog box. With forms authentication, however, the HTTP 401 Unauthorized status is never sent to the browser because the FormsAuthenticationModule detects this status and modifies it to redirect the user to the login page instead (via an HTTP 302 Redirect status).

The login page's responsibility is to determine if the user's credentials are valid and, if so, to create a forms authentication ticket and redirect the user back to the page they were attempting to visit. The authentication ticket is included in subsequent requests to the pages on the website, which the FormsAuthenticationModule uses to identify the user.

Figure 1: The Forms Authentication Workflow

Remembering the Authentication Ticket Across Page Visits

After logging in, the forms authentication ticket must be sent back to the web server on each request so that the user remains logged in as they browse the site. This is typically accomplished by placing the authentication ticket in the user's cookies collection.
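The login page's three jobs described above (validate the credentials, create the ticket, redirect back) can be written out as a Web Forms code-behind. This is an added example, not code from the original page; the page name `Login.aspx`, the controls `UserName`, `Password` and `InvalidCredentialsMessage`, and the use of a configured membership provider are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Login.aspx. UserName, Password (TextBox) and
// InvalidCredentialsMessage (Label) are assumed to be declared in the markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // 1. Decide whether the credentials are valid. Assumes a membership
        //    provider is configured; any credential check can stand in here.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One generic message, so the response does not reveal which
            // of the two fields was wrong.
            InvalidCredentialsMessage.Visible = true;
            return;
        }

        // 2. Create the forms authentication ticket for this user.
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                      // ticket version
            user,                                   // identity the module will restore
            now,                                    // issued
            now.Add(FormsAuthentication.Timeout),   // expires (timeout from web.config)
            false,                                  // not persistent: session cookie
            string.Empty,                           // no custom user data
            FormsAuthentication.FormsCookiePath);

        // 3. Place the encrypted ticket in the cookies collection so the
        //    browser sends it back on every later request.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                        // not readable from script
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // 4. Send the user back to the page they originally asked for
        //    (the ReturnUrl the 302 redirect put in the query string).
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }
}
```

`FormsAuthentication.RedirectFromLoginPage(user, false)` performs steps 2 to 4 in a single call; the long form is shown here to make the ticket and cookie visible.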