System.Web.Security.FormsAuthentication (System.Web assembly, versions 1.0.5000.0 and 2.0.0.0; derives from System.Object).

Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a database, or in the configuration file for an application. Once a user is authenticated, forms authentication maintains an authentication ticket in a cookie or in the URL so that an authenticated user does not need to supply credentials with each request.

Forms authentication is enabled by setting the mode attribute of the authentication configuration element to Forms. You can require that all requests to an application contain a valid user authentication ticket by using the authorization configuration element to deny the request of any unknown (anonymous) user, as shown in the following example.

  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

In the previous example, any request for an ASP.NET page that is part of the application requires a valid user name that is supplied by forms authentication. If no user name exists, the request is redirected to the configured login URL.

The FormsAuthentication class provides access to methods and properties that you can use in an application that authenticates users. The RedirectToLoginPage method redirects a browser to the configured login URL so that users can log in to an application. The RedirectFromLoginPage method redirects an authenticated user back to the original protected URL that was requested, or to the default URL. There are also methods that enable you to manage forms-authentication tickets, if needed. Manages forms-authentication services for Web applications. This class cannot be inherited.

Constructor. This constructor is not intended to be used from your code. Initializes a new instance of the FormsAuthentication class.
Authenticate method (returns System.Boolean). The Authenticate method verifies user credentials that are stored in the credentials section of the application configuration file. Alternatively, you can use ASP.NET membership to store user credentials and call the Membership.ValidateUser method to verify the credentials. For more information, see Managing Users By Using ASP.NET Membership. For improved security, you can store hashed rather than clear-text passwords in the configuration file for an application by using the HashPasswordForStoringInConfigFile method. Validates a user name and password against credentials stored in the configuration file for an application. Returns true if the user name and password are valid; otherwise, false. Parameters: name, the user name; password, the password for the user.

CookieDomain property (System.String). The property value is set in the configuration file for an ASP.NET application by using the domain attribute of the forms configuration element. The property value determines the domain that the cookie will be used for. Gets the value of the domain of the forms-authentication cookie.

CookieMode property (System.Web.HttpCookieMode). The property reflects the value of the cookieless attribute of the forms configuration element. The property determines whether the forms-authentication ticket is stored in a cookie in the browser or in the URL. When the ticket is stored in the URL, the length of the generated URI may exceed the maximum length allowed. This is most likely to occur when the FormsCookieName property is set to the application name and the application name is long (40 or more characters), when user names in the application are long, or when long strings are stored in the ticket's UserData value. If the generated URI is too long, the Web server returns a 400 Bad Request error. Gets a value that indicates whether the application is configured for cookieless forms authentication.

CookiesSupported property (System.Boolean). The property returns a value based on the CookieMode value and the capabilities of the browser.
If CookieMode is UseCookies, the property returns true. If CookieMode is UseUri, the property returns false. If CookieMode is AutoDetect, the property returns true if the browser supports cookies and cookies are enabled; otherwise, it returns false. If CookieMode is UseDeviceProfile, the property returns true if the browser capabilities for the current request indicate support for both cookies and redirecting with cookies; otherwise, it returns false. Gets a value that indicates whether the application is configured to support cookieless forms authentication.

Decrypt method (returns System.Web.Security.FormsAuthenticationTicket). Creates a FormsAuthenticationTicket object from the encrypted forms-authentication ticket passed to the method. Returns a FormsAuthenticationTicket object; if the encryptedTicket parameter is not a valid ticket, null is returned. Decryption and validation use the same machineKey settings as Encrypt, so a ticket produced by one application can be read by another only when their machine keys match. A ticket that decrypts successfully may still be past its expiration time; check its Expired property before trusting it. Parameter: encryptedTicket, the encrypted authentication ticket.

DefaultUrl property (System.String). The property value is set in the configuration file for an ASP.NET application by using the defaultUrl attribute of the forms configuration element. The property is used by the RedirectFromLoginPage method if no return URL is included in the request. Similarly, the GetRedirectUrl method returns the DefaultUrl if no return URL is included in the request. Gets the URL that the FormsAuthentication class will redirect to if no redirect URL is specified.

EnableCrossAppRedirects property (System.Boolean). The property value is set using the enableCrossAppRedirects attribute of the forms configuration element. The property is checked within the RedirectFromLoginPage method when the redirect URL does not point to a page in the current application. If EnableCrossAppRedirects is true, the redirect is performed; if it is false, the browser is redirected to the page defined in the DefaultUrl property. When you redirect pages across applications, you must make sure that specific attributes in the forms configuration element, and the machineKey used to protect the ticket, are duplicated across the authenticated applications. For more information and an example, see Forms Authentication Across Applications.
When cross-application redirects are allowed, your site is vulnerable to an open-redirect attack: a link that uses your site's login page but carries a ReturnUrl pointing at a malicious Web site, so that a user who logs in successfully is sent there. Always verify that the redirect URL returned by the GetRedirectUrl method is a URL that you expect, so that you allow redirects only to approved Web sites. You must also verify that the redirect URL uses the appropriate protocol (HTTP or HTTPS). To perform these verifications, you can add a postback event handler to your login page, or you can add a handler for the LoggedIn event of the Login control. Gets a value indicating whether authenticated users can be redirected to URLs in other Web applications.

Encrypt method (returns System.String). How the ticket is protected depends on the protection attribute of the forms element inside the <authentication> section of <system.web> in the application configuration (not the mode attribute of <authentication>, which only selects the authentication scheme). The possible values are:
  All: encrypts the ticket and appends a validation checksum (MAC); prevents both tampering and viewing by the client.
  None: encodes the ticket as a hex string only; the client can view and tamper with the content.
  Encryption: encrypts the ticket but does not append a checksum; the content is hidden, but because the ciphertext is not authenticated it can be modified without detection.
  Validation: appends a checksum so the client cannot tamper with the data, but the ticket contents (user name, UserData) are readable by the client.
The default is All, and the keys come from the machineKey configuration element; leave the default in place unless you have a specific reason not to. Creates a string containing an encrypted forms-authentication ticket suitable for use in an HTTP cookie. Returns a string containing the encrypted forms-authentication ticket. Parameter: ticket, the FormsAuthenticationTicket object from which to create the encrypted forms-authentication ticket.

FormsCookieName property (System.String). The property value is set in the configuration file for an ASP.NET application by using the name attribute of the forms configuration element. The FormsCookieName is used to reference the cookie that stores the forms-authentication ticket. Gets the name of the cookie used to store the forms-authentication ticket.
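The following is an added example, not code from this page or from Mono, showing what Encrypt, Decrypt, FormsCookieName and the cookie-related properties above look like when an application issues its own ticket (here to carry a role list in UserData) instead of calling SetAuthCookie, and how the ticket is read back, including the RenewTicketIfOld step described later on this page. The 30-minute TicketLifetime, the role string and the helper names are assumptions; in a real site the lifetime mirrors the timeout attribute of the forms element.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the page or from Mono: issuing a forms-authentication ticket by
// hand so that extra data (a role list in UserData) travels inside it, and reading it back.
// TicketLifetime and the role string are assumptions; in a real site the lifetime mirrors the
// timeout attribute of the forms element.
public static class TicketHelper
{
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(30); // assumed forms timeout

    // Builds the cookie without adding it to the response, so the caller keeps control of the
    // redirect (the same split as GetAuthCookie versus SetAuthCookie).
    public static HttpCookie IssueTicketCookie(string userName, string roles, bool persistent)
    {
        DateTime now = DateTime.Now; // the ticket stores local time
        var ticket = new FormsAuthenticationTicket(
            2,                       // ticket version
            userName,
            now,
            now.Add(TicketLifetime),
            persistent,
            roles,                   // UserData: protected by Encrypt, but keep it short (cookieless URLs have a length limit)
            FormsAuthentication.FormsCookiePath);
        return BuildCookie(ticket);
    }

    // Encrypt applies the protection attribute of the forms element; with protection="All" the
    // string is encrypted and MAC-protected with the machineKey, so the client can neither read
    // nor alter it. The cookie flags mirror the configuration the page describes.
    private static HttpCookie BuildCookie(FormsAuthenticationTicket ticket)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL  // mirror requireSSL: sent only over HTTPS
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;      // otherwise a session cookie, as SetAuthCookie issues
        return cookie;
    }

    // Reads the ticket from the request. Returns null for a missing, malformed, tampered or
    // expired ticket; Decrypt returns null for bad input on some runtimes and throws on others,
    // so both are handled. When sliding expiration is on and more than half the lifetime has
    // passed, renewedCookie carries a fresh ticket that the caller must add to the response.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request, out HttpCookie renewedCookie)
    {
        renewedCookie = null;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception) // ArgumentException or HttpException: garbage, tampering, or a different machineKey
        {
            return null;
        }
        if (ticket == null || ticket.Expired)
            return null; // a valid MAC does not mean the ticket is still current

        if (FormsAuthentication.SlidingExpiration)
        {
            FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
            if (renewed.Expiration > ticket.Expiration)
            {
                renewedCookie = BuildCookie(renewed); // RenewTicketIfOld only returns a ticket; re-issuing is our job
                ticket = renewed;
            }
        }
        return ticket;
    }
}
```

A handler for the AuthenticateRequest event would call ReadTicket, build a principal from ticket.Name and the roles in ticket.UserData, and add renewedCookie to Response.Cookies when it is not null. The important points are the ones the page makes about the cookie rather than the ticket: the Secure flag follows RequireSSL, HttpOnly keeps the ticket away from script, and a successful Decrypt is checked for Expired before the identity is trusted.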
FormsCookiePath property (System.String). The property value is set in the configuration file for an ASP.NET application using the path attribute of the forms configuration element. The FormsCookiePath specifies the path for the cookie that stores the forms-authentication ticket. Gets the path for the forms-authentication cookie.

GetAuthCookie method (returns System.Web.HttpCookie), overload (string userName, bool createPersistentCookie). The path of the cookie is determined by the FormsCookiePath property. Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so that an application can have more control over how the cookie is issued (for example, to set the HttpOnly or Domain values before adding it to the response). Returns an HttpCookie that contains encrypted forms-authentication ticket information. Parameters: userName, the name of the authenticated user; createPersistentCookie, true to create a durable cookie (one that is saved across browser sessions); otherwise, false.

GetAuthCookie overload (string userName, bool createPersistentCookie, string strCookiePath). Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response. Returns an HttpCookie that contains encrypted forms-authentication ticket information. Parameters: userName, the name of the authenticated user; createPersistentCookie, true to create a durable cookie (one that is saved across browser sessions); otherwise, false; strCookiePath, the path of the authentication cookie.

GetRedirectUrl method (returns System.String). You can use this method when you want to perform the redirect in your application code instead of using the RedirectFromLoginPage method. The method returns the URL specified in the query string using the ReturnUrl variable name. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the method returns the return URL caller.aspx. If the ReturnUrl variable does not exist, the method returns the URL in the DefaultUrl property. ASP.NET automatically adds the return URL when the browser is redirected to the login page. By default, the ReturnUrl variable must refer to a page within the current application.
If ReturnUrl refers to a page in a different application or on a different server, the method returns the URL in the DefaultUrl property. If you want to allow the return URL to refer to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element. Setting the property to true to allow cross-application redirects is a potential security threat (an open redirect through your login page); for more information, see the EnableCrossAppRedirects property. Returns the redirect URL for the original request that caused the redirect to the login page. Returns a string that contains the redirect URL. Parameters: userName, the name of the authenticated user; createPersistentCookie, this parameter is ignored.

HashPasswordForStoringInConfigFile method (returns System.String). The method creates a hashed password value that can be used when storing forms-authentication credentials in the configuration file for an application. Authentication credentials stored in the configuration file for an application are used by the Authenticate method to verify passwords for users of an application. Alternatively, you can use ASP.NET membership to store user credentials; for more information, see Managing Users Using ASP.NET Membership. Note that the value is the plain hexadecimal SHA1 or MD5 digest of the password with no salt and no iteration, so two users with the same password share the same stored hash and the values offer little resistance to precomputed dictionary attacks; protect the configuration file accordingly, and prefer a membership provider with salted hashes for anything beyond a handful of administrative accounts. Produces a hashed password suitable for storing in a configuration file based on the specified password and hash algorithm. Returns the hashed password. Parameters: password, the password to hash; passwordFormat, the hash algorithm to use, a string that represents one of the FormsAuthPasswordFormat enumeration values ("SHA1" or "MD5").

Initialize method (returns System.Void). The Initialize method is called when the FormsAuthenticationModule creates an instance of the FormsAuthentication class. This method is not intended to be called from your code. Initializes the FormsAuthentication object based on the configuration settings for the application.

LoginUrl property (System.String). The property value is set in the configuration file for an ASP.NET application by using the loginUrl attribute of the forms configuration element. The LoginUrl is used by the RedirectToLoginPage method. Gets the URL for the login page that the FormsAuthentication class will redirect to.
RedirectFromLoginPage method (returns System.Void), overload (string userName, bool createPersistentCookie). The method redirects to the URL specified in the query string using the ReturnUrl variable name. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the method redirects to the return URL caller.aspx. If the ReturnUrl variable does not exist, the method redirects to the URL in the DefaultUrl property. ASP.NET automatically adds the return URL when the browser is redirected to the login page. By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the method redirects to the URL in the DefaultUrl property. If you want to allow redirects to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element. Setting the property to true to allow cross-application redirects is a potential security threat (an open redirect through your login page); for more information, see the EnableCrossAppRedirects property. If the CookiesSupported property is true, and either the ReturnUrl variable is within the current application or the EnableCrossAppRedirects property is true, the method issues an authentication ticket and places it in the default cookie using the SetAuthCookie method. If CookiesSupported is false and the redirect path is to a URL in the current application, the ticket is issued as part of the redirect URL. If CookiesSupported is false, EnableCrossAppRedirects is true, and the redirect URL does not refer to a page within the current application, the method issues an authentication ticket and places it in a hidden form field that is posted to the target URL. Because the method performs the redirect itself, validate the return URL before calling it, or use GetRedirectUrl and SetAuthCookie and redirect from your own code. Redirects an authenticated user back to the originally requested URL or the default URL. Parameters: userName, the authenticated user name; createPersistentCookie, true to create a durable cookie (one that is saved across browser sessions); otherwise, false.

RedirectFromLoginPage overload (string userName, bool createPersistentCookie, string strCookiePath). The method redirects to the return URL specified in the query string using the ReturnUrl variable name. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the method redirects to the return URL caller.aspx.
If the ReturnUrl variable does not exist, the method redirects to the URL in the DefaultUrl property. ASP.NET automatically adds the return URL when the browser is redirected to the login page. By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the method redirects to the URL in the DefaultUrl property. If you want to allow redirects to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element. Setting the property to true to allow cross-application redirects is a potential security threat; for more information, see the EnableCrossAppRedirects property. If the CookiesSupported property is true, and either the ReturnUrl variable is within the current application or the EnableCrossAppRedirects property is true, the method issues an authentication ticket and places it in the cookie specified by the strCookiePath parameter using the SetAuthCookie method. If CookiesSupported is false and the redirect path is to a URL in the current application, the ticket is issued as part of the redirect URL. If CookiesSupported is false, EnableCrossAppRedirects is true, and the redirect URL does not refer to a page within the current application, the method issues an authentication ticket and places it in a hidden form field that is posted to the target URL. Redirects an authenticated user back to the originally requested URL or the default URL using the specified cookie path for the forms-authentication cookie. Parameters: userName, the authenticated user name; createPersistentCookie, true to create a durable cookie (one that is saved across browser sessions); otherwise, false; strCookiePath, the cookie path for the forms-authentication ticket.

RedirectToLoginPage method (returns System.Void), overload with no parameters. The method redirects the browser to the LoginUrl, adding the current URL as the ReturnUrl query-string value. The method does not clear the forms-authentication cookie. You can use the method in conjunction with the SignOut method to log one user out and allow a different user to log in. Redirects the browser to the login URL.
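The following is an added example, not code from this page or from Mono, of the login-page handler that the EnableCrossAppRedirects, GetRedirectUrl and RedirectFromLoginPage remarks above describe: it authenticates against the credentials section, validates the return URL before using it, and issues the ticket with SetAuthCookie so the redirect stays under the page's control. The control names (UserNameBox, PasswordBox, RememberMeBox, FailureLabel) and the page name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the page or from Mono: a login page code-behind that checks the
// ReturnUrl before redirecting, as the EnableCrossAppRedirects warning asks. The control names
// are assumptions and are declared here only so the file is self-contained; in a real project
// they come from the designer file.
public partial class Login : Page
{
    protected TextBox UserNameBox, PasswordBox;
    protected CheckBox RememberMeBox;
    protected Label FailureLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // A secure cookie cannot be issued on a plain-HTTP request (SetAuthCookie throws), so
        // bounce to HTTPS first.
        if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
            return;
        }

        string user = UserNameBox.Text;
        // Authenticate checks the credentials section of Web.config; use Membership.ValidateUser
        // instead when users live in a membership store.
        if (!FormsAuthentication.Authenticate(user, PasswordBox.Text))
        {
            FailureLabel.Text = "Invalid user name or password.";
            return;
        }

        // GetRedirectUrl hands back ReturnUrl, or DefaultUrl when none was supplied. With
        // enableCrossAppRedirects="true" that can be any URL at all, so validate it here rather
        // than trusting the query string.
        string target = FormsAuthentication.GetRedirectUrl(user, false);
        if (!IsSafeLocalUrl(target))
            target = FormsAuthentication.DefaultUrl;

        // SetAuthCookie instead of RedirectFromLoginPage: the ticket is issued here and the
        // redirect stays under our control.
        FormsAuthentication.SetAuthCookie(user, RememberMeBox.Checked);
        Response.Redirect(target, true);
    }

    // Accepts only URLs that stay on this site: relative paths such as "caller.aspx",
    // "/app/page.aspx" or "~/page.aspx", and nothing carrying a scheme or a scheme-relative host.
    internal static bool IsSafeLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url.Trim() != url)
            return false;
        foreach (char c in url)
            if (c < ' ' || c == '\u007f')
                return false;                       // control characters: header-injection attempts
        string s = url.Replace('\\', '/');          // browsers treat "\" as "/", so "/\evil" becomes "//evil"
        if (s.StartsWith("//"))
            return false;                           // scheme-relative: //evil.example/
        int colon = s.IndexOf(':');
        int delimiter = s.IndexOfAny(new[] { '/', '?', '#' });
        if (colon >= 0 && (delimiter < 0 || colon < delimiter))
            return false;                           // has a scheme: http:, https:, javascript:, data:
        return true;
    }
}
```

IsSafeLocalUrl is deliberately an allow-list on shape rather than a host comparison: a colon that appears before the first slash, question mark or hash can only be a scheme, and a leading "//" (after backslash normalisation) is the browser's cue to change host. Anything else is resolved relative to the login page and so cannot leave the site. If you do need cross-application redirects, replace the final return true with a comparison of the parsed host against the approved list, and check the scheme is https where the target requires it.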
RedirectToLoginPage overload (string extraQueryString). The method redirects the browser to the LoginUrl and includes the extraQueryString value as the query string of the redirected URL, in addition to the ReturnUrl value that is added automatically. The method does not clear the forms-authentication cookie. You can use the method in conjunction with the SignOut method to log one user out and allow a different user to log in. Redirects the browser to the login URL with the specified query string. Parameter: extraQueryString, the query string to include with the redirect URL.

RenewTicketIfOld method (returns System.Web.Security.FormsAuthenticationTicket). The method updates the expiration date and time of the supplied ticket if the current date and time minus the IssueDate value is greater than the Expiration value minus the current date and time, that is, if more than half of the ticket's lifetime has elapsed. The ticket is updated with the IssueDate property set to the current date and time and the Expiration property set to the current date and time plus the original lifetime (the original Expiration minus the original IssueDate). If the ticket is not yet old enough, the supplied ticket is returned. This is the rule the forms authentication module applies when SlidingExpiration is true. The method only returns a ticket object; writing the renewed ticket back to the cookie or URL (by calling Encrypt and issuing the cookie again) is up to the caller. Conditionally updates the issue date and time and expiration date and time for a FormsAuthenticationTicket. Returns the updated FormsAuthenticationTicket. Parameter: tOld, the forms-authentication ticket to update.

RequireSSL property (System.Boolean). The property value is set in the configuration file for an ASP.NET application by using the requireSSL attribute of the forms configuration element. You can specify in the Web.config file for your ASP.NET application whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie to the server by setting the requireSSL attribute. When RequireSSL is true the cookie is issued with the Secure flag, and the methods that issue it (SetAuthCookie, and therefore RedirectFromLoginPage) throw an HttpException if the current request did not arrive over SSL. It is recommended that if you configure requireSSL as false, you also configure slidingExpiration as false, to reduce the amount of time for which a ticket is valid. Gets a value indicating whether the forms-authentication cookie requires SSL in order to be returned to the server.

SetAuthCookie method (returns System.Void), overload (string userName, bool createPersistentCookie). The method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false. The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.
With forms authentication, you can use the SetAuthCookie method when you want to authenticate a user but still retain control of the navigation with redirects. Creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication. Parameters: userName, the name of an authenticated user (this does not have to map to a Windows account); createPersistentCookie, true to create a persistent cookie (one that is saved across browser sessions); otherwise, false.

SetAuthCookie overload (string userName, bool createPersistentCookie, string strCookiePath). The method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false. The forms-authentication ticket supplies forms-authentication information to the next request made by the browser. With forms authentication, you can use the SetAuthCookie method when you want to authenticate a user but still retain control of the navigation with redirects. Creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, using the supplied cookie path, or to the URL if you are using cookieless authentication. Parameters: userName, the name of an authenticated user; createPersistentCookie, true to create a durable cookie (one that is saved across browser sessions); otherwise, false; strCookiePath, the cookie path for the forms-authentication ticket.

SignOut method (returns System.Void). The SignOut method removes the forms-authentication ticket information from the cookie, or from the URL if CookiesSupported is false. It does this by sending an already-expired cookie with the FormsCookieName in the response; nothing is recorded on the server. You can use the method in conjunction with the RedirectToLoginPage method to log one user out and allow a different user to log in. If you run exclusively in cookieless mode, or if you support both authenticated and anonymous users, you should explicitly control the redirect to the login page if you require special business logic to execute as a result of removing the anonymous identifier. In cookieless mode, when the SignOut method is called, a redirect to the application's login page is made by calling the Response.Redirect method with the endResponse parameter set to false.
The redirect does not take place until the current page has finished executing, so additional code can be run. If the code does not contain an explicit redirect to another page, the user is redirected to the login page configured in the application's configuration file.

Calling the SignOut method only removes the forms-authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms-authentication cookie: the cookie stays valid until its expiration time even after the legitimate user has logged out. Changing the machineKey validation and decryption keys invalidates every outstanding ticket at once, and is the only server-side revocation the framework itself offers. To improve security when using a forms-authentication cookie, you should do the following. First, use absolute expiration for forms-authentication cookies by setting the SlidingExpiration property to false. This limits the window in which a hijacked cookie can be replayed. Second, only issue and accept authentication cookies over Secure Sockets Layer (SSL), by setting the RequireSSL property to true and by running the entire Web site under SSL. Setting RequireSSL to true ensures that ASP.NET will never send an authentication cookie to the browser over a non-SSL connection; however, the client might not honor the secure setting on the cookie. This means the client might send the forms-authentication cookie over a non-SSL connection, thus leaving it vulnerable to hijack. You can prevent a client from sending the forms-authentication cookie in the clear by running the entire Web site under SSL. Third, use persistent storage on the server to record when a user logs out of the Web site, and then use an application event such as the AuthenticateRequest event to determine whether the current user was authenticated with forms authentication. If the user was authenticated with forms authentication, and if the information in persistent storage indicates the user is logged out, immediately clear the authentication cookie and redirect the browser back to the login page. After a successful login, update storage to reflect that the user is logged in.
When you use this approach, your application must track the logged-in status of the user, and must force idle users to log out. Removes the forms-authentication ticket from the browser.

SlidingExpiration property (System.Boolean). The property value is set using the slidingExpiration attribute of the forms configuration element. Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the property to false can improve the security of an application by limiting the time for which an authentication cookie is valid to the configured timeout value counted from the moment it was issued; with sliding expiration, a ticket that keeps being presented, including a hijacked one, is renewed indefinitely. We recommend that if you configure requireSSL as false, you also configure slidingExpiration as false, to reduce the amount of time for which a ticket is valid. Gets a value indicating whether sliding expiration is enabled.
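The following is an added example, not code from this page or from Mono, that puts the RequireSSL, SlidingExpiration and SignOut remarks above into a Global.asax code-behind: it refuses to start with the weak forms settings those remarks warn about, and it records each logout on the server so that a replayed ticket is rejected in the AuthenticateRequest event, which is the third mitigation the SignOut remarks recommend. The in-memory dictionary, the AuditFormsConfig and SignOutAndRevoke names and the wording of the findings are assumptions; a real site keeps the logout record in a database or distributed cache that every server in the farm shares.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the page or from Mono: a Global.asax code-behind that fails fast
// on the weak forms settings the RequireSSL and SlidingExpiration remarks warn about, and that
// turns SignOut into a real revocation by recording the logout on the server. The in-memory
// dictionary is an assumption for illustration only; use shared persistent storage in production.
public class Global : HttpApplication
{
    // user name -> time of that user's most recent logout (assumed store)
    private static readonly ConcurrentDictionary<string, DateTime> LastLogout =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Returns the configuration problems found; an empty list means the settings are acceptable.
    public static List<string> AuditFormsConfig()
    {
        var findings = new List<string>();
        if (!FormsAuthentication.RequireSSL)
            findings.Add("requireSSL=\"false\": the ticket cookie may be sent over plain HTTP.");
        if (FormsAuthentication.SlidingExpiration)
            findings.Add("slidingExpiration=\"true\": a stolen ticket stays valid for as long as it is replayed.");
        if (FormsAuthentication.EnableCrossAppRedirects)
            findings.Add("enableCrossAppRedirects=\"true\": ReturnUrl may point off-site unless the login page checks it.");
        if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
            findings.Add("cookieless is not UseCookies: the ticket can end up in URLs, server logs and Referer headers.");
        return findings;
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        List<string> findings = AuditFormsConfig();
        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Insecure forms authentication configuration: " + string.Join(" ", findings.ToArray()));
    }

    // Runs after FormsAuthenticationModule has set Context.User from the ticket.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null)
            return; // anonymous, or not authenticated by forms authentication

        if (IsRevoked(identity.Name, identity.Ticket.IssueDate))
        {
            // The ticket predates the user's last logout, so it is being replayed: clear it,
            // drop the identity for this request and send the browser to the login page.
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.RedirectToLoginPage();
            CompleteRequest();
        }
    }

    // A ticket is revoked when it was issued at or before the user's recorded logout time.
    public static bool IsRevoked(string userName, DateTime ticketIssueDate)
    {
        DateTime logoutTime;
        return LastLogout.TryGetValue(userName, out logoutTime) && ticketIssueDate <= logoutTime;
    }

    // Call this from the logout handler instead of SignOut alone: record the logout first, so
    // that every copy of the current ticket, hijacked or not, is rejected from now on.
    public static void SignOutAndRevoke(string userName)
    {
        LastLogout[userName] = DateTime.Now; // ticket IssueDate is local time (DateTime.Now) as well
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Two details matter here. The comparison is against the ticket's IssueDate rather than a "logged out" flag, so a user who logs out and then logs in again gets a ticket newer than the logout record and is not locked out, while the old ticket stays dead for the rest of its lifetime. And the audit throws rather than logs: a site that starts with requireSSL="false" and sliding expiration on has exactly the replay exposure the SignOut remarks describe, and it is cheaper to find that at deployment than in an incident.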