Hi,

I am using Forms authentication in one of my web applications. Following is the code I am using in:

a. Web.config

<forms loginUrl="***" defaultUrl="***" />

b. Login.aspx

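// Handler for the Login control's Authenticate event.
protected void OnAuthenticate(object sender, AuthenticateEventArgs e)
{
  // validateuser is the application's own credential check.
  e.Authenticated = validateuser(Login1.UserName, Login1.Password);
  if (e.Authenticated)
  {
   // fetch roles
  }
}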

c. Global.asax

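protected void Application_OnPostAuthenticateRequest(object sender, EventArgs e)
{
  // Forms authentication identities report the authentication type "Forms".
  if (User.Identity.IsAuthenticated && User.Identity.AuthenticationType == "Forms")
  {
   // Fetch roles and user data and save in httpcontext
  }
}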

I don't know whether I am right or not. I have doubts about the Login.aspx page and the Global.asax page.

I am not using SSL because it needs a paid digital certificate. So how can I make the data transfer safe, and should I use authentication cookies as a file or as a URL? How can I find the cookie file on the client and on the server PC?

Is there any link from which I can get the best way to use forms authentication?

A: 

You know there's a role provider as well? Is there any reason why you can't use that instead of rolling your own? The built-in one provides support for role-based authentication on files and classes and methods.

You can't make forms submission safe without SSL, there's simply no other way to do it. The built-in bits use a signed cookie, and you can enable encryption on the cookie as well should you wish to. If you use the built-in bits you don't need to go looking for the cookie, it's taken care of by ASP.NET, and it's protected from client-side script access to limit the possibility of Cross Site scripting attacks.

blowdart
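
A Web.config along the lines the answer above describes, as an added example that is not part of the original question or answer: the forms ticket is signed and encrypted, kept in a cookie rather than the URL, sent over HTTPS only, and roles come from the built-in role provider. The page paths, the `Admin` folder and the `Admin` role are placeholder assumptions.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": the ticket is both validated (signed) and encrypted.
           cookieless="UseCookies": the ticket stays in a cookie and is never
           put in the URL, where it would end up in logs, history and Referer.
           requireSSL="true": the browser returns the cookie over HTTPS only,
           so the site needs a certificate for this setting to work. -->
      <forms loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             cookieless="UseCookies"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Anonymous users are redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Built-in role manager; uses the default role provider unless a
         defaultProvider attribute names another one. The cached roles
         cookie gets the same protection as the forms ticket. -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieProtection="All"
                 cookieRequireSSL="true" />
  </system.web>

  <!-- Role-based authorization on a folder (placeholder path and role). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the role manager enabled, `User.IsInRole(...)` works in pages and handlers without a hand-written role lookup in Global.asax.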
+1  A: 

I am not getting what exactly you want to do in your code, but here is the complete explanation for the same.

Here are some of the best links. They may be useful for you.

http://msdn.microsoft.com/en-us/library/aa480476.aspx

http://www.codeproject.com/KB/aspnet/custom_authentication.aspx
