How does ASP.NET Forms Authentication really work?
2024-08-31 14:49:36
I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?
With the help of a good article, this is how I understand the process (assuming that the user's browser has cookies enabled)...
- User tries to access restricted page.
- Server looks for ASPXAuth cookie in the request but does not find it.
- Server redirects user to Login page as configured in web.config.
- User enters username and password and posts to the server.
- Server authenticates username and password against store. If valid...
- Server sets the Forms Authentication Ticket.
- The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
- The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config).
- The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
- Server redirects user back to the referring URL.
- User's browser requests original restricted page again. This time with the ASPXAuth cookie in the request.
- Server looks for ASPXAuth cookie and finds it.
- Server decrypts Forms Authentication Ticket found in the cookie.
- Server checks expiration on ticket. If this is still valid...
- Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page).
That seems to make sense. The interesting thing about this process is that Session State is not involved at all.
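The steps above can be written out by hand against the System.Web.Security API. This is an added example, not code from the original post; ASP.NET's built-in FormsAuthenticationModule normally does this work for you. The class name `TicketFlow` and its two method names are hypothetical, and the cookie the post calls ASPXAuth is read through `FormsAuthentication.FormsCookieName`.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of ASP.NET): the ticket flow spelled out by hand.
public static class TicketFlow
{
    // Login POST, called only after the credentials were checked against the store.
    public static void IssueTicket(HttpContext ctx, string userName, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout),
            persistent, string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() encrypts and signs the ticket with the <machineKey> keys.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep it away from page script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Every later request: true (and ctx.User set) only for a valid, unexpired ticket.
    // On false the caller would use FormsAuthentication.RedirectToLoginPage().
    public static bool TryAuthenticate(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }  // tampered or wrong key: fail closed
        if (ticket == null || ticket.Expired) return false;

        // No session lookup: the identity comes entirely from the ticket.
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        return true;
    }
}
```

Because the server keeps no record of issued tickets, a ticket stays valid until its expiration, and anyone holding the `<machineKey>` keys can mint one. Keep those keys out of source control and use the same keys on every server in a farm.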