In this post (which is the 100th one in the life of the blog), we’ll review three important security-related settings that you can define in your application’s web.config file, namely: authentication, authorization and impersonation. You’ll find a very thorough article about the topic here.
First a little terminology: authentication is the process of identifying someone; authorization is the process of checking that person's rights. A common example: when you check in for a flight, you show your ID, passport, etc. to identify yourself. Then you show your ticket for the given plane, to show that you are authorized to be there. It's that simple. And impersonation is the process of taking on someone else's identity, which is a bad, bad thing. So much for terminology.
There are a few authentication types in ASP.NET. Windows authentication uses the Kerberos protocol (or NTLM) to identify the client. Let's consider using it with and without impersonation. You'd use Windows authentication with impersonation when:
There are four types of authentication in ASP.NET:
- Windows authentication
- Forms authentication (used by the membership API)
- Passport authentication (mostly obsolete, consider Windows Live instead)
- Anonymous access
Forms Authentication is a token-based auth method. After login, the user gets an encrypted cookie containing the login information. This token can also be stored in the query string, but more on that later. The process is simple:
1. The client makes a request.
2. IIS (if configured properly for Forms Authentication) passes the request to ASP.NET.
3. ASP.NET checks for an authentication cookie (or equivalent info). If it finds one, it proceeds to step 7.
4. Otherwise it redirects the user to the login page (the default is Login.aspx, set in machine.config).
5. The user enters credentials and ASP.NET authenticates them. If authentication fails, access is denied.
6. If authentication succeeds, an authentication cookie is attached to the response.
7. ASP.NET checks the authorization settings against the current user.
8. If that check fails, access is denied; otherwise access is granted.
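The following web.config is an added example (not taken from the post or from any Microsoft sample) that ties the three settings from the introduction to the Forms Authentication flow just described: `<authentication>` selects Forms mode and configures the ticket cookie, `<authorization>` holds the rules evaluated in step 7, and `<identity>` controls impersonation. The login page path, the `Admin` folder and the `Administrators` role name are assumptions chosen for the illustration; the element and attribute names are the standard ASP.NET ones.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Authentication: establishes who the caller is.
         Forms mode issues the encrypted ticket cookie from step 6. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
      <!-- protection="All" encrypts and signs the ticket;
           requireSSL="true" keeps the cookie off plain HTTP;
           cookieless="UseCookies" avoids carrying the token in the
           query string, where it would end up in logs and referers. -->
    </authentication>

    <!-- Authorization: what the caller may do (checked in step 7).
         Rules are evaluated top to bottom and the first match wins.
         "?" means anonymous users, "*" means everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation: whether the request thread runs under the
         authenticated caller's Windows account. It only makes sense
         together with Windows authentication, so it stays off here.

         For an intranet site using the "Windows authentication with
         impersonation" combination mentioned above you would instead write:
           <authentication mode="Windows" />
           <identity impersonate="true" />
         and enable Integrated Windows authentication (and disable
         anonymous access) for the site in IIS. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Per-folder rule: only members of the assumed "Administrators"
       role may reach anything under the assumed "Admin" folder.
       The explicit deny for "*" is required because the
       root-level rules end with an implicit allow for "*". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The ordering inside `<authorization>` is the part that most often goes wrong: because the first matching rule wins, an `<allow users="*" />` placed above a `<deny>` silently neutralises the deny. Keep the most specific `allow` entries first and finish each block with the `deny` that should apply to everyone else.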
Pros of using Forms Authentication:
- Full control over the appearance.
- No browser-incompatibility issues.
- Lets you decide where and how to store user information.
- Full control over the authentication code, via the Membership API.