I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?

With the help of a good article, this is how I understand the process (assuming that the user's browser has cookies enabled)...
  1. User tries to access restricted page.
  2. Server looks for ASPXAuth cookie in the request but does not find it.
  3. Server redirects user to Login page as configured in web.config.
  4. User enters username and password and posts to the server.
  5. Server authenticates username and password against store. If valid...
  6. Server sets the Forms Authentication Ticket.
     1. The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
     2. The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config).
     3. The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
  7. Server redirects user back to the referring URL.
  8. User's browser requests original restricted page again. This time with the ASPXAuth cookie in the request.
  9. Server looks for ASPXAuth cookie and finds it.
  10. Server decrypts Forms Authentication Ticket found in the cookie.
  11. Server checks expiration on ticket. If this is still valid...
  12. Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page).
That seems to make sense. The interesting thing about this process is that Session State is not involved at all.
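
The ticket steps above can be reproduced by hand with the `System.Web.Security` API. The following is an added example, not code from the original article: the class name `TicketDemo`, its method names and the 30-minute lifetime are assumptions for illustration, and in a normal application `FormsAuthenticationModule` performs the read side automatically on every request.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added illustration; the class and method names are hypothetical.
public static class TicketDemo
{
    // Issue side: build the ticket, protect it, store it in the auth cookie.
    public static void IssueTicket(HttpResponseBase response, string userName, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30),   // 30-minute lifetime is an assumed value
            persistent, string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the protection configured for forms authentication
        // (encryption and validation by default) using the <machineKey> keys.
        string protectedTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedTicket)
        {
            HttpOnly = true,                           // not readable from script
            Secure = FormsAuthentication.RequireSSL,   // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Read side: find the cookie, decrypt and validate it, check expiration.
    public static bool TryReadTicket(HttpRequestBase request, out string userName)
    {
        userName = null;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return false; }       // malformed or tampered value
        catch (CryptographicException) { return false; }  // failed decryption or validation

        if (ticket == null || ticket.Expired) return false;
        userName = ticket.Name;   // identity comes only from the validated ticket
        return true;
    }
}
```

A cookie that fails validation or has expired is treated exactly like a missing cookie, which sends the user back through the login redirect.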
 
 
