Introduction
This tip explains how forms authentication works through cookies using Microsoft ASP.NET framework.
Using the Code
ASP.NET framework maintains user authentication directly through cookies so that we don’t have to worry about coding that piece into our web application.
Once a user is successfully authenticated through a membership provider, ASP.NET framework provides the Membership
class to fetch information related to that user. For instance, in any page, calling the Membership.GetUser()
would yield the logged in user object. But server is stateless. So how can ASP.NET framework maintain the client identity. For that, ASP.NET framework uses the .ASPXAUTH
cookie.
When the client enters his credentials and submits the login page, the request goes to the server which authenticates the client through a membership provider. Upon successful authentication, ASP.NET framework creates the membership user and sends the encrypted .ASPXAUTH
cookie along with the response. The timeout of that cookie is the same as the session timeout. This cookie is not deleted if the client browser is closed. As a result, the browser adds this cookie in all the subsequent requests irrespective of whether the browser was closed or not as long as the cookie is active. The server would read this cookie from the request and identify the user as authenticated by setting the below variable to true
.
Request.IsAuthenticated
That is why in ASP.NET applications, after login, even if the browser is closed, reopening the browser and directing to a secure page would not ask you for your password because the .ASPXAUTH
cookie would still exist in the request as long as the session does not timeout.
Once the cookie expires, the next request from the client would not contain that cookie. As a result, server will treat it as a new request thereby setting Request.IsAuthenticated
to false
. The Membership.GetUser()
would be null
and the request would return the login page in response, even though the request was made to a secure page. Again, the client would enter credentials and submit the login page and upon authentication, a new .ASPXAUTH
cookie would be generated and sent with the response. However, there can be a possibility where the request is authenticated, i.e., the cookie was sent, but the user in Membership
is not there because the session already expired. To handle that, we would need to add the following method in global.asax.
protected void Application_AuthenticateRequest(object sender,EventArgs e)
{
if (Request.IsAuthenticated && Membership.GetUser() == null)
{
if (HttpContext.Current != null &&HttpContext.Current.Session != null)
{
HttpContext.Current.Session.Abandon();
}
Response.Cookies.Clear();
FormsAuthentication.SignOut();
Response.Redirect(Constants.Pages.Login);
}
}