
How To Implement Forms-Based Authentication in ASP.NET Application by Using C#.NET and SQL Server

Updated:  07/06/2010 14:07 PM
Author:  Shiju Mathews

Status:    Resolved.


Most Web sites need to selectively restrict access to certain areas of the site. Some areas/pages are open for the public to browse, while areas that contain more sensitive information must be limited to known users. There are three types of authentication in ASP.NET: forms authentication, Windows authentication, and Passport authentication.

Windows Authentication - This is provided so that web pages can make use of the local Windows users and groups.

Passport Authentication - This is Microsoft's initiative for a single authentication point. It is used for such things as Hotmail, MSN and Devhood. Find out more at www.passport.com

Forms Authentication - This is a cookie-based authentication system where the username and password are stored in a text file or a database, and the application itself verifies the credentials.

Forms Authentication in ASP.NET is handled by a special FormsAuthentication class. This class contains a number of static (or shared) methods that allow you to identify users via a login form. You can easily configure your ASP.NET application to use Forms Authentication by simply specifying a location (URL) for your login form - ASP.NET does most of the work from there! When an unauthenticated user visits a restricted page on your Web site they are automatically redirected to the specified login form. Once they successfully log on, ASP.NET issues an authentication ticket in a cookie; you can optionally make that cookie persistent so that authenticated users do not have to log in time and time again.

There are two very important features of a security system that we should formally define.

Authentication - Authentication is the means by which you obtain the identity of the user by validating their credentials against a known authority, i.e. Active Directory, a database store, a Microsoft Passport account, etc. If the credentials cannot be validated then the authentication process fails and the user keeps the anonymous identity (IUSR_Anonymous). Remember that the Web is anonymous by nature, so the only way to determine who a particular visitor is, is to authenticate them by having them provide user credentials (usually a username and password).

Authorization - Authorization occurs after authentication and uses the information obtained during the authentication process to decide whether to grant or deny access to a given resource, based on that user's role in the application. That is, if you are trying to access a Web page that only a particular user can access, the first step performed is to authenticate you - who is this person making the request? - and then, based on that identity, you must be authorized to view the particular data you are requesting. Usually different users are assigned different functions in a web site.

Modify system.web in the web.config as follows.

The location tag has one attribute, path, which is the path (a file or folder) to apply a different set of security rules to. Inside the location tag we have the system.web tag once again. Note that location is a child of the root configuration element, not of the main system.web section.
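The web.config fragment below is an added example, not the original listing from this article. It assumes a login page named login.aspx, a connection string named UsersDb, and a folder named public that should stay open to anonymous visitors; all three names are assumptions. The deny users="?" rule turns away unauthenticated users site-wide, and the location element then re-opens just the public folder. The requireSSL and protection attributes are the settings a practitioner should check: without them the forms cookie can be read or replayed over plain HTTP.

```xml
<?xml version="1.0"?>
<configuration>

  <connectionStrings>
    <!-- Assumed name; the login code reads it via WebConfigurationManager -->
    <add name="UsersDb"
         connectionString="Server=.;Database=MyApp;Integrated Security=SSPI;" />
  </connectionStrings>

  <system.web>
    <!-- Switch the application to forms authentication -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             name=".MYAPPAUTH"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- "?" means anonymous users: everything is closed by default -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly keeps the ticket cookie away from client-side script -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Override the rules for one folder so the public can still browse it -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

The order of allow/deny rules matters: ASP.NET evaluates them top to bottom and applies the first match, so deny users="?" must appear before any allow users="*" in the same authorization block.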

As soon as the user tries to access any restricted page, the user is redirected to login.aspx, where he needs to enter a username and password and submit the form. On the server, the submit button's click event handler verifies the username and password against the database and authenticates the user as follows.


Here 'ValidateUser' is a custom function that validates the credentials against the database.
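The following code-behind is an added example of the click handler and the ValidateUser function described above; it is not the article's own listing. It assumes text boxes named txtUserName and txtPassword, a checkbox chkRemember, a label lblMessage, a connection string named UsersDb, and a Users table with columns UserName, PasswordSalt, PasswordHash and Iterations (all of these names are assumptions). The two points a security reviewer would look for are both shown: the username goes into the query as a SqlParameter rather than by string concatenation, and the database holds a salted PBKDF2 hash rather than the password itself.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Configuration;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Click handler wired to the Submit button on login.aspx (assumed control names).
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string username = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        if (ValidateUser(username, password))
        {
            // Issues the forms-authentication ticket cookie and sends the user
            // back to the page that originally caused the redirect to login.aspx.
            FormsAuthentication.RedirectFromLoginPage(username, chkRemember.Checked);
        }
        else
        {
            // Same message for unknown user and wrong password, so the form
            // does not reveal which usernames exist.
            lblMessage.Text = "Invalid username or password.";
        }
    }

    // Fetches the stored salt, hash and iteration count for the user and
    // recomputes the hash of the submitted password. Assumed schema:
    // Users(UserName nvarchar(256), PasswordSalt varbinary(16),
    //       PasswordHash varbinary(32), Iterations int)
    private static bool ValidateUser(string username, string password)
    {
        string connStr = WebConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        const string sql =
            "SELECT PasswordSalt, PasswordHash, Iterations FROM Users WHERE UserName = @UserName";

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Parameterised query: user input is never concatenated into the SQL text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();

            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                    return false; // unknown user

                byte[] salt = (byte[])reader["PasswordSalt"];
                byte[] storedHash = (byte[])reader["PasswordHash"];
                int iterations = (int)reader["Iterations"];

                byte[] computed = HashPassword(password, salt, iterations, storedHash.Length);
                return FixedTimeEquals(computed, storedHash);
            }
        }
    }

    // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes, available since .NET 2.0.
    // The same function is used when the password is first stored.
    internal static byte[] HashPassword(string password, byte[] salt, int iterations, int length)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        return kdf.GetBytes(length);
    }

    // Compares every byte so the comparison time does not depend on how many
    // leading bytes matched.
    internal static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When creating a user, generate a fresh 16-byte salt with RNGCryptoServiceProvider, pick an iteration count in the tens of thousands, and store salt, hash and iteration count together; keeping the count in the row lets you raise it later for new accounts without breaking existing logins.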