I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?
With the help of a good article, this is how I understand the process (assuming that the user's browser has cookies enabled)...
- User tries to access restricted page.
- Server looks for ASPXAuth cookie in the request but does not find it.
- Server redirects user to Login page as configured in web.config.
- User enters username and password and posts to the server.
- Server authenticates username and password against store. If valid...
- Server sets the Forms Authentication Ticket.
- The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
- The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config).
- The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
- Server redirects user back to the referring URL.
- User's browser requests the original restricted page again, this time with the ASPXAuth cookie in the request.
- Server looks for ASPXAuth cookie and finds it.
- Server decrypts Forms Authentication Ticket found in the cookie.
- Server checks expiration on ticket. If this is still valid...
- Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page).
That seems to make sense. The interesting thing about this process is that Session State is not involved at all.
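To make the "no Session State involved" point concrete, here is an added Python model of steps 8 through 16 (my own illustration, not the question's code and not ASP.NET's actual ticket format): the server issues an encrypted, signed ticket, forgets about it, and later validates the cookie purely from the shared machineKey secrets. Assumptions: the two keys are constructed placeholders for validationKey/decryptionKey, an HMAC-SHA256 counter keystream stands in for the AES used by ASP.NET, and JSON stands in for the real ticket serialization.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed stand-ins for the <machineKey> validationKey and decryptionKey.
# Hypothetical values only; every server in a farm would need the same pair.
VALIDATION_KEY = bytes.fromhex("6a09e667f3bcc908bb67ae8584caa73b3c6ef372fe94f82ba54ff53a5f1d36f1")
DECRYPTION_KEY = bytes.fromhex("510e527fade682d19b05688c2b3e6c1f1f83d9abfb41bd6b5be0cd19137e2179")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (ASP.NET uses AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_ticket(username: str, persistent: bool, lifetime_seconds: int, now: float = None) -> str:
    """Steps 8-11: build the ticket, encrypt it, sign it, return the cookie value."""
    now = time.time() if now is None else now
    ticket = {"userName": username, "isPersistent": persistent,
              "issueDate": now, "expirationDate": now + lifetime_seconds}
    plaintext = json.dumps(ticket).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(DECRYPTION_KEY, nonce, len(plaintext))))
    body = nonce + ciphertext
    tag = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_ticket(cookie_value: str, now: float = None):
    """Steps 14-16: verify the signature, decrypt, check expiry. Returns the ticket dict or None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie_value)
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest(), tag):
        return None  # tampered, or signed under a different machineKey
    nonce, ciphertext = body[:16], body[16:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(DECRYPTION_KEY, nonce, len(ciphertext))))
    ticket = json.loads(plaintext)
    if now >= ticket["expirationDate"]:
        return None  # expired: the user has to log in again
    return ticket
```

Nothing about the ticket is stored server-side between issue_ticket and validate_ticket, which is why any server holding the same machineKey can validate it and why a leaked cookie stays valid until the ExpirationDate passes.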