by Administrator
15. May 2009 07:25
With Forms-based security, you can verify the identity of a user by displaying a login form
that prompts the user for an ID and a password. After the user has been authenticated, the
various Web forms that make up the application can be accessed, and the user’s security
credentials can be examined by the code running in any page if additional authorization is
needed. (A user might be able to log in to the system but might not have access to every
part of the application.)

To use ASP.NET Forms-based security, you must configure the Web application by making
some changes to the web.config file, and you must also supply a login form to validate the
user. This login form will be displayed whenever the user tries to gain access to any page in
the application if the user has not already been validated. The user will be able to proceed to
the requested page only if the logic in the login form successfully verifies the user’s identity.

Important: To the uninitiated, it might seem that ASP.NET Forms-based security is excessive. It’s
not. Don’t be tempted to simply create a login form that acts as an entry point to your
application and assume that users will always access your application through it. Browsers can
cache forms and URLs locally on users’ computers. Another user might be able to gain access to
the browser cache depending on how the computer itself is configured, find the URLs of the
sensitive parts of your application, and navigate directly to them, bypassing your login form. You
have control over your Web server (hopefully), but you have almost no control over the user’s
computer. The ASP.NET Forms-based mechanism is robust, and assuming that your Web server is
well protected, it should be adequate for most of your applications.
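
The web.config changes described above could look like the following. This is an added example, not configuration from the original post. The login page name Login.aspx, the Admin folder and the Administrators role are assumed names, and requireSSL assumes the site is served over HTTPS.

```xml
<!-- Added example. Login.aspx, Admin and Administrators are assumed names. -->
<configuration>
  <system.web>
    <!-- Switch the application to Forms-based security and name the login form. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true" />
    </authentication>

    <!-- "?" matches anonymous users. With this rule ASP.NET checks every
         request, so a URL taken from a browser cache or a bookmark is
         redirected to Login.aspx instead of being served directly. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Additional authorization for one part of the application: a user who
       has logged in still cannot open pages under Admin unless the user is
       in the Administrators role. Assumes roles are populated for the user,
       for example by the ASP.NET role manager. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The login form still has to validate the ID and password itself and then issue the authentication ticket, for example by calling FormsAuthentication.RedirectFromLoginPage.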

Tags: asp.net