Security tutorial - contributed by Nihal Singh




Authentication

Authentication is the process that determines the identity of a user: the system validates the logon information (for example a user name and password) that the user presents. Whenever a user logs on to an application, the user is first authenticated and then authorized.


Authorization

Authorization determines whether a particular, already authenticated user should be granted access to a specific resource or not. In other words, it is the process of granting or refusing permission on resources.

The ASP.NET Framework supports the following types of authentication:

  • Windows Authentication
  • .NET Passport Authentication
  • Forms Authentication
  • None

You select one of these authentication modes in the application's web.config file, in conjunction with the authentication settings of the application's site in Internet Information Services (IIS). web.config is an XML-based configuration file that resides in the root directory of the Web application (sub-directories may carry their own). Settings applied in web.config override the same settings inherited from the higher-level machine.config and root web.config files. Because these files are plain XML, you can change how ASP.NET behaves without recompiling the application.

The <authentication> Node in the web.config file

You enable a particular type of authentication for an application inside the <system.web> section of the application's root web.config file. The mode attribute takes one of the values Windows, Forms, Passport or None:

                        <authentication mode="Forms" />


Windows: The default authentication mode in ASP.NET. Windows authentication is used together with IIS authentication; IIS performs the actual credential check in one of the following ways:
  • Basic
  • Digest
  • Integrated Windows Authentication (NTLM or Kerberos)

Forms: The user provides his login information and submits the form. If the information is correct, the system issues an authentication ticket (normally stored in a cookie) that contains a key for establishing the user's identity on later requests.

Passport: A centralized authentication service provided by Microsoft that offers single login and core profile services for member sites. MSN and Hotmail used Passport authentication.

None: No authentication mode is applied.

Windows Authentication

Windows authentication is useful in an intranet environment (within the organization), where users already have Windows accounts. In the Windows-based authentication model the request goes to IIS first, and IIS performs the authentication before ASP.NET sees the request.

Allowing a single user through the web.config file

            <authentication mode="Windows" />
            <authorization>
                        <allow users="CareerRide"/>
                        <deny users="*"/>
            </authorization>

In the example above only the user named "CareerRide" is allowed to use the resource; every other user is denied. The <allow> and <deny> rules belong inside an <authorization> element and are evaluated from top to bottom; the first rule that matches the request wins, so order matters: a <deny users="*"/> placed before the <allow> would lock everyone out. With Windows authentication the user name is the Windows account name, normally written together with its domain (for example DOMAIN\CareerRide).

The <allow> and <deny> nodes support the following attributes:

users: A comma-separated list of user names, specified by their domain and/or name. The wildcard "*" means all users and "?" means anonymous (unauthenticated) users.
roles: A comma-separated list of roles (under Windows authentication these are Windows groups) that are allowed or denied access.
verbs: A comma-separated list of HTTP methods (for example GET, POST, HEAD) that the rule applies to; if omitted, the rule applies to every verb.
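As an added example that is not part of the original tutorial, the following web.config fragment combines the three attributes and shows how rule order decides the outcome. The domain CORP, the Windows group WebAdmins, the account CORP\CareerRide and the Admin folder are assumed names chosen for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Rules are evaluated top to bottom; the first matching rule wins.
         The framework's root web.config appends <allow users="*"/> after
         your rules, so a closing <deny users="*"/> is required or everyone
         who did not match an earlier rule gets in. -->
    <authorization>
      <!-- Members of the assumed group CORP\WebAdmins may use any verb -->
      <allow roles="CORP\WebAdmins" />
      <!-- The assumed account may only read (GET); its POSTs fall through
           to the deny rules below -->
      <allow users="CORP\CareerRide" verbs="GET" />
      <!-- Anonymous users ("?"), then everyone else ("*") -->
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- A stricter rule set for one sub-folder of the application.
       Sub-folder rules are checked before the parent's rules. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this configuration a GET from CORP\CareerRide to any page outside Admin succeeds, a POST from the same account is rejected with HTTP 401, and only WebAdmins members reach anything under Admin. Because IIS performs Windows authentication, anonymous access must also be disabled on the IIS site for the "?" rule to be meaningful.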

Forms-Based Authentication

Forms-based authentication authenticates users who want to access an entire application or specific resources within it. The user name and password are checked against a store that you control: the <credentials> section of web.config, a text or XML file, or (most commonly) a database. After a user is authenticated, ASP.NET issues an encrypted authentication ticket and stores it in a cookie; it is this ticket, not the user name and password, that identifies the user on subsequent requests during the session.


Using forms-based authentication in your Web application is simple. The first step is to modify the web.config file of your application as given below.

Step 1:

                        <authentication mode="Forms">
                            <forms>
                                <credentials passwordFormat="Clear">
                                    <user name="Career" password="Ride" />
                                </credentials>
                            </forms>
                        </authentication>
                        <authorization>
                            <deny users="?" />
                        </authorization>

The web configuration file contains a forms element that contains a credentials element, and the credentials element lists user names and passwords (one <user> element per account). The forms element's loginUrl attribute names the login page; when it is omitted the default is login.aspx, which matches the page created in Step 2. The question mark (?) represents all anonymous users, so the <authorization> rule redirects every unauthenticated request to the login page. Note that passwordFormat="Clear" stores the passwords in plain text in web.config; that is acceptable for a demonstration but not for a real application, where passwords should be kept as salted hashes in a database (for example through the Membership provider) rather than in the configuration file.

Step 2:

Create a page named Login.aspx

Login.aspx has two TextBox controls and a Button control named txtUserName, txtPassword and btnLogin respectively, plus a Label named lblError for messages. When you click the Login button, the btnLogin_Click() method executes, and the FormsAuthentication.Authenticate() method checks whether the user name and password entered into the TextBox controls match a user name and password in the web configuration file. If the user authenticates successfully, the FormsAuthentication.RedirectFromLoginPage() method is called; it issues the authentication cookie and redirects the user to the page originally requested (the ReturnUrl query parameter) or to the default page.


protected void btnLogin_Click(object sender, EventArgs e)
{
    // Compares the submitted pair against the <credentials> section in web.config
    if (FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, true); // true = persistent cookie
    else
        lblError.Text = "User name or password is wrong";
}
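The handler above leaves the cookie details to RedirectFromLoginPage. The following is an added example, not code from the original tutorial, that does the same job with the security-relevant steps spelt out: it builds the FormsAuthenticationTicket itself so you can see that the cookie carries an encrypted ticket rather than the password, marks the cookie HttpOnly (and Secure when requireSSL is set on <forms>), uses a session cookie instead of a persistent one, and only follows ReturnUrl when it is a path on the same site. It assumes the same control names (txtUserName, txtPassword, lblError), the <credentials> section from Step 1, a hypothetical helper IsLocalPath, and a 20-minute ticket lifetime chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the original tutorial): a hardened Login.aspx code-behind.
public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Text.Trim();

        // Same check as the tutorial: the pair is compared with <credentials> in web.config.
        if (!FormsAuthentication.Authenticate(user, txtPassword.Text))
        {
            // One message for both "unknown user" and "wrong password":
            // do not tell an attacker which half was right.
            lblError.Text = "User name or password is wrong";
            return;
        }

        // Build the ticket explicitly. The cookie carries this ticket, encrypted and
        // signed with the <machineKey>, not the user name/password pair.
        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            user,                               // authenticated user name
            DateTime.Now,                       // issue time
            DateTime.Now.AddMinutes(20),        // assumed lifetime for this example
            false,                              // session cookie, no "remember me"
            string.Empty,                       // userData (could carry roles)
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // true when <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // Follow ReturnUrl only when it stays on this site; otherwise go to defaultUrl.
        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = IsLocalPath(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Hypothetical helper: accepts only site-relative paths such as "/Secure/Page.aspx"
    // and rejects absolute URLs and protocol-relative forms like "//evil.example".
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

For the Secure flag to be set, add requireSSL="true" to the <forms> element in web.config, which also makes ASP.NET refuse the cookie over plain HTTP. FormsAuthentication.Encrypt uses the application's <machineKey>, so in a web farm every server must share the same key values or a ticket issued by one server will be rejected by the next.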

Passport Authentication

It is a centralized service provided by Microsoft. Passport authentication allows users to create a single registration and then use that one user name and password to access any site that has implemented the Passport authentication service. MSN and Hotmail used Passport authentication: if you had registered with MSN you could access Hotmail with the same user name and password without registering again. The Passport service itself has since been retired (succeeded by Windows Live ID and later the Microsoft account), and the Passport mode and classes are marked obsolete in current versions of the .NET Framework, so the material below is mainly of historical interest.

Implementation of .NET Passport Authentication Service

  • Download the Microsoft .NET Passport SDK from the Microsoft Site.
  • Register your application in .NET Service Manager.
  • Get the SiteID and Application key after registering your application with .NET Services Manager.

Enable Passport Authentication in Web.Config

                        <authentication mode="Passport">
                            <passport redirectUrl="login.aspx" />
                        </authentication>
                        <authorization>
                            <deny users="?" />
                        </authorization>

The redirectUrl attribute names the page to which unauthenticated users are sent, and the <deny users="?" /> rule again keeps anonymous users out of the application.
