ASP.NET

Conclusion : Security Model

In this tutorial we saw the ASP.NET security model. While IIS does have its own security model, leveraging it for Web site security often amounts to giving every user of your site a Windows user identity. Perhaps that's okay for a small, confined Web site. However, for a site that will be available to potentially the entire globe, that's not such a good thing.

If you decide to let ASP.NET handle authentication, then you have more control over how the authentication happens while at the same time leaving your set of Windows user identities unadulterated. To let a request get past IIS, allow anonymous access to your virtual directory.

Once a request gets past IIS, it's up to ASP.NET to figure out who the user is and how to dole out access. ASP.NET includes an authentication model named Forms Authentication. You turn on Forms Authentication through the Web.Config file. Either use the "typing wizard" (that is, type the `<authentication>` element by hand), or use the Web Site Administration tool (or the IIS ASP.NET tab) to turn on Forms Authentication.
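The following Web.Config fragment is an added example of the hand-typed route described above; it is not taken from the tutorial. The page names (Login.aspx, Default.aspx) and the 30-minute timeout are assumptions; the element and attribute names are the standard ones in the `system.web` section. Besides switching on Forms Authentication, it denies anonymous users (`?`) so that requests IIS let through as anonymous still have to authenticate with ASP.NET, and it restricts the authentication cookie to HTTPS and to non-script access.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS lets the request through anonymously; ASP.NET decides who the user is. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- "?" is the anonymous user. Denying it forces every request to carry
         a valid Forms Authentication ticket; the loginUrl page is exempt automatically. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep the authentication cookie out of reach of client script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Do not map authenticated users onto Windows identities (the IIS-style model). -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

The `protection="All"` setting (encrypt and sign the ticket) is the default, but stating it makes the intent visible in review; `requireSSL="true"` on the `forms` element means the runtime refuses to issue the ticket over HTTP at all, so test the site with HTTPS enabled before deploying this setting.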

The Web Site Administration tool is useful for adding users, adding roles, and assigning users to roles. It's the most convenient way to manage users and roles. (If you want to, you may set up your own authentication scheme and database, bypassing the ASP.NET support.)

By using ASP.NET Authentication and Authorization support, the Login controls work automatically. The Login controls supply login functionality for the majority of use cases. (As always, you may bypass the support for an authentication and authorization scheme of your own choosing.)

Tutorial 10 Quick Reference

How to use Forms Authentication in your application

  1. Use the ASP.NET Web Site Administration tool (select Web site | ASP.NET Configuration)

  2. Use the ASP.NET tab in IIS


How to configure the security aspects of your Web site

  1. Use the ASP.NET Web Site Administration tool (select Web site | ASP.NET Configuration)

  2. Use the ASP.NET tab in IIS


How to authenticate a request by hand

Call the FormsAuthentication class's SetAuthCookie method


How to invalidate an authentication cookie

Call the FormsAuthentication class's SignOut method
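The two quick-reference items above (authenticating a request by hand, and invalidating the cookie) are illustrated together in this added example; it is not code from the tutorial. It assumes a hypothetical Login.aspx code-behind with `UserNameTextBox`, `PasswordTextBox`, a login button and a logout button, and that a Membership provider has been configured (the user store the Web Site Administration tool fills in). The credential check goes through `Membership.ValidateUser` rather than a hand-rolled comparison, and the post-login redirect uses `FormsAuthentication.GetRedirectUrl`, which falls back to `defaultUrl` when the supplied ReturnUrl points outside the application and cross-app redirects are disabled.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for Login.aspx (added example, not from the tutorial).
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text.Trim();
        string password = PasswordTextBox.Text;

        // Validate against the configured Membership provider; the provider
        // handles hashing and lockout, so the page never touches stored secrets.
        if (!Membership.ValidateUser(userName, password))
        {
            // Same message for unknown user and wrong password: no account enumeration.
            FailureLabel.Text = "Invalid user name or password.";
            return;
        }

        // Authenticate the request by hand: issue the Forms Authentication ticket
        // as a cookie. false = session cookie, not a persistent one.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Honour the original ReturnUrl only if it stays inside this application
        // (enableCrossAppRedirects="false" in Web.Config); otherwise use defaultUrl.
        string target = FormsAuthentication.GetRedirectUrl(userName, false);
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Invalidate the authentication cookie on the client. Note that SignOut
        // only clears the cookie; a copied ticket remains valid until its timeout
        // elapses, which is why the timeout in Web.Config should stay short.
        FormsAuthentication.SignOut();

        // Drop any per-user session state as well, then bounce back to the login page.
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

When tracing is on (the last quick-reference item), the Cookies collection in the trace output shows the `.ASPXAUTH` cookie after a successful `SetAuthCookie` call and its absence after `SignOut`, which is a convenient way to confirm both halves of this page behave as expected.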


How to view the authentication cookie

Turn on tracing