Forms authentication without a (visible) form

 

A user can browse your web-pages anonymous or as an authenticated user. This is set in the web.config of your site.

<authorization>
   <allow users="*" /> <!-- Allow all users -->
</authorization>

By default every user can browse any page. If you want to know who is requesting, deny the access to unknown users

<authorization>
  <deny users="?"/>
</authorization>

Now every user has to be authenticated to view a page. You set authentication on a page basis by adding sections to the web.config

<location path="AuthRequired.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

Take a look at the asp.net forums app to get an idea how to use that. In a forum everybody can browse and read the posts but you have to be authenticated to (react on a) post.

ASP.NET has several ways of authentication built in: Windows integrated, Passport and forms. Using forms authentication the user is forced to a login page before visiting a page. This login page is also set from the web.config file

<authentication mode="Forms">
  <forms name=".MyAuthCookieName"
      loginUrl="AuthenticateHere.aspx"
      protection="All"
      timeout="30" />
</authentication>

On the login page the user enters a username and password which is supposed to be validated against the one or the other. When approved the code will set an authorization cookie. With this cookie the user can visit all pages shielded off without having to log in again and again. When the code issues a persistent cookie the login will persist over sessions. (Remember me).

But nothing forces you to pop up a form. Asp.Net doesn't care as long as the cookie is set. You could do this for instance

private void AuthenticateHere_Init(object sender, System.EventArgs e)
{
   if (isValidAddress(Context.Request.UserHostAddress))
   {
      System.Web.Security.FormsAuthentication.SetAuthCookie(Context.Request.UserHostAddress, false);
      string redirectUrl = Page.Request.QueryString["ReturnUrl"];
      if (redirectUrl != null)
      {
         Page.Response.Redirect(redirectUrl);
         Page.Response.End();
      }
   }
}

Right in the start of the pages lifecycle, in the init event of the page the cookie is set. Why the user deserves an authentication cookie is up to you, here I use a custom method IsValidAdress. After setting the cookie the response is ended and the app is redirected to the page requesting the authentication. FormsAuthentication passes the url in the querystring. In the browser toolbar you will see the Authenticate page being hit, on a succefull authentication the visual page itself jumps directly to the page requested in the querystring.

The nice thing about forms authentication that it is completely set from the web.config. This way you can hook your own authentication into an existing app. Like asp.net forums.

Peter