The agenda for today's session was "Forms Authentication". This deviates from what was originally planned, but we would like to take things up on a priority basis.
The following points will be covered
- What is forms based authentication?
- Relationship between the authentication module and the URL authorization module.
- Architecting a custom authentication solution.
Summary
We covered how authentication and authorization work in ASP.NET. Authentication is handled by the FormsAuthenticationModule (FAM) and authorization by the UrlAuthorizationModule. The FAM handles the AuthenticateRequest and EndRequest events; the UrlAuthorizationModule handles the AuthorizeRequest event.
The FAM does the following:
- In AuthenticateRequest it checks whether the request is for the login page (login.aspx).
- If yes, it sets the context's SkipAuthorization property to true, so that the UrlAuthorizationModule lets the (still anonymous) user reach the login page.
- If no, it reads the forms authentication cookie, decrypts and validates the ticket it carries, and sets the Principal object (context.User) from it. The cookie itself is issued by the login page after a successful login; the module only consumes it on later requests.
- It does some other activities as well, such as extending the ticket timeout (sliding expiration) by re-issuing the cookie.
- In EndRequest it checks whether the response status code is 401 and, if so, redirects to login.aspx; otherwise the response is served as is.
The UrlAuthorizationModule essentially checks the incoming URL against the authorization element in the configuration and verifies whether the current Principal has access to the requested resource. If it does not, the module sets the response status code to 0x191, decimal 401 (Unauthorized), which is what the FAM's EndRequest handler later turns into the redirect to the login page.
Lessons learned:
The following lessons can be applied whenever a custom authentication HttpModule is to be developed.
- Handle the AuthenticateRequest event to read and validate the authentication cookie and set the Principal; creating the cookie is the job of the login page, not of the module.
- If you use session state as part of authentication, do the session-related work in the AcquireRequestState event (or PostAcquireRequestState to be safe), because session state is not yet available in AuthenticateRequest.
- If you need to include authorization, follow the standard approach, i.e. handle the AuthorizeRequest event or implement authorization based on the authorization element in the configuration.
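The following is an added example, written for these notes and not code shown in the session, of a custom HttpModule that mirrors what the FAM does: AuthenticateRequest skips authorization for the login page or builds the Principal from the ticket cookie and renews it, and EndRequest turns the 401 set by the UrlAuthorizationModule into a redirect to login.aspx. The class, cookie name, login path and timeout are assumptions for illustration; it also assumes the web.config registers the module, turns the built-in FAM off (authentication mode="None") and denies anonymous users in the authorization element, and that a machineKey is configured so FormsAuthentication.Encrypt/Decrypt work.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical custom authentication module (example only). Assumed web.config:
//   <authentication mode="None" />                 built-in FAM stays out of the way
//   <authorization><deny users="?" /></authorization>
//   <httpModules><add name="CustomAuth" type="CustomFormsAuthModule" /></httpModules>
public class CustomFormsAuthModule : IHttpModule
{
    // Assumed values; a real module would read them from configuration.
    private const string CookieName = "CUSTOMAUTH";
    private const string LoginPage = "~/login.aspx";
    private const int TimeoutMinutes = 30;

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    // Called by login.aspx after it has validated the credentials. The module
    // never creates the cookie itself; it only consumes it on later requests.
    public static void IssueCookie(HttpContext context, string userName)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(TimeoutMinutes), false, "", "/");
        context.Response.Cookies.Add(MakeCookie(ticket, context.Request.IsSecureConnection));
    }

    private static HttpCookie MakeCookie(FormsAuthenticationTicket ticket, bool secure)
    {
        // Encrypt signs (MAC) and encrypts the ticket with the machineKey.
        return new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, Secure = secure, Path = ticket.CookiePath
        };
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // 1. The login page must stay reachable for anonymous users, so URL
        //    authorization is skipped for it (this is what the FAM does too).
        string loginPath = VirtualPathUtility.ToAbsolute(LoginPage);
        if (string.Equals(context.Request.Path, loginPath, StringComparison.OrdinalIgnoreCase))
        {
            context.SkipAuthorization = true;
            return;
        }

        // 2. No cookie means anonymous; UrlAuthorizationModule then answers 401.
        HttpCookie cookie = context.Request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt checks the MAC, so a tampered cookie fails here instead
            // of producing a forged identity.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            ticket = null;
        }
        if (ticket == null || ticket.Expired)
            return;

        // 3. Set the Principal. Roles are not in this ticket; a real module would
        //    load them here (from UserData or a database).
        context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);

        // 4. Sliding expiration: re-issue the cookie once half the lifetime is used.
        if (ticket.Expiration - DateTime.Now < TimeSpan.FromMinutes(TimeoutMinutes / 2.0))
        {
            var renewed = new FormsAuthenticationTicket(ticket.Version, ticket.Name,
                ticket.IssueDate, DateTime.Now.AddMinutes(TimeoutMinutes),
                ticket.IsPersistent, ticket.UserData, ticket.CookiePath);
            context.Response.Cookies.Add(MakeCookie(renewed, context.Request.IsSecureConnection));
        }
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // UrlAuthorizationModule sets 401 when the <authorization> rules deny the
        // request; turn that into a redirect to the login page with a ReturnUrl.
        if (context.Response.StatusCode == 401)
        {
            string loginUrl = VirtualPathUtility.ToAbsolute(LoginPage)
                + "?ReturnUrl=" + HttpUtility.UrlEncode(context.Request.RawUrl);
            context.Response.Redirect(loginUrl, false);
        }
    }
}
```

Note that nothing session-related happens in OnAuthenticateRequest: session state has not been acquired at that point, which is why the notes put session work in AcquireRequestState. The Secure and HttpOnly flags on the cookie are not part of the session's discussion but are the minimum a practitioner would add before shipping a module like this.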
Enjoy learning