Hi folks,

I've got a stock standard ASP.NET website. Anyone can read/view any page (except the admin section) but when someone wants to contribute, they need to be logged in. Just like most contribution sites out there.

So, if I have my OWN login control or username/password/submit input fields, why would I want to have forms auth turned on instead of just none? What does forms auth give me, when having my own code that checks my database for a user/pass and my own two input fields + a submit button does the job perfectly?

(NOTE: I really dislike the asp.net membership stuff that creates all those tables and usp's in the database, so please don't suggest I use that).

Like, with my code, when I authenticate a user (with my own database code), I manually create my own identity, etc.

Is all this required? What is the main purpose of this?

cheers!

+1  A: 

You can authorize your users however you want. FormsAuthentication is used to set the session identity and the authentication cookie that allows users to stay logged in until they log out or the session expires. You don't need to use the membership providers to use FormsAuthentication. It sounds like you are just replicating this functionality.

// ...do your authentication against your DB or Active Directory

if (Request.QueryString["ReturnUrl"] != null)
{
    FormsAuthentication.RedirectFromLoginPage(userName.Text, false);
}
else
{
    FormsAuthentication.SetAuthCookie(userName.Text, false);
}

Then you need to set up to use it in the web.config

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name="my-auth-cookie" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx" />
  </authentication>
</system.web>

You get all the benefits of doing your own authorization and not having to implement the cookie infrastructure. Note, since your web site only needs to authorize when editing, you'll need to set the permissions that allow everyone to read all pages and implement your own logic to redirect them to the login page when they want to edit.

More information here.

tvanfosson
So by using forms auth, the asp.net plumbing handles READING IN the cookie, etc. ... which then sets up the IDENTITY instance for the current thread? Secondly, I also can't use RedirectFromLoginPage because I was doing AJAX login :) (muhaha!). Lastly, does IIS7 need to have forms auth ON, for the site?
Pure.Krome
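
An added example, not part of the thread: one way to keep your own credential check while letting Forms Authentication issue and validate the cookie, for an AJAX login and a login requirement on edit pages only. The names `AjaxLoginHandler`, `CheckCredentials`, `EditGuard` and the form field names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: AJAX login endpoint (e.g. an .ashx handler). Names are hypothetical.
public class AjaxLoginHandler : IHttpHandler
{
    // Assumption: assign your own database check at application start.
    // The default rejects everyone, so a missing hook fails closed.
    public static Func<string, string, bool> CheckCredentials = (user, pass) => false;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string userName = context.Request.Form["userName"];
        string password = context.Request.Form["password"];
        bool ok = context.Request.HttpMethod == "POST"
                  && !String.IsNullOrEmpty(userName)
                  && !String.IsNullOrEmpty(password)
                  && CheckCredentials(userName, password);

        if (ok)
        {
            // Issues the encrypted, signed ticket cookie described by <forms ...>
            // in web.config. No redirect, so it works from an AJAX call.
            FormsAuthentication.SetAuthCookie(userName, false);
        }

        // Reply with 200 and a flag: a 401 would be turned into a redirect
        // to loginUrl by the forms authentication module.
        context.Response.ContentType = "application/json";
        context.Response.Write(ok ? "{\"authenticated\":true}" : "{\"authenticated\":false}");
    }
}

// Call at the top of Page_Load on pages that edit content.
public static class EditGuard
{
    public static string RequireLogin(HttpContext context)
    {
        if (!context.Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            context.Response.End(); // RedirectToLoginPage does not end the request itself
        }
        // Set by the forms authentication module from the validated cookie.
        return context.User.Identity.Name;
    }
}
```

Read-only pages need no call at all; only the edit pages call `EditGuard.RequireLogin(Context)` and use the returned name as the contributor.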
A: 

Please note that you can leverage the ASP.Net forms authentication and implement your own membership provider which would read/write to your existing tables.

Jason Jackson
A: 

I also started with the default forms authentication that comes out of the box with an ASP.NET web project. However, I too was very dismayed by the overbuilt features of the tables in that stock database.

In my work experience I have used custom-built authentication and just carried the logged-in user's profile (self-created) in a session variable.

The asp.net membership can be difficult to port to some shared hosting providers also.

Bobby Borszich