Use Forms authentication to manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.
Because Forms authentication sends the user name and password to the server as plain text, you should use Secure Sockets Layer (SSL) encryption for the logon page and for all other pages in your application except the home page.
UI Element List
Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is login.aspx.
Authentication cookie time-out (in minutes)
Specifies the time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the time-out attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To avoid degrading performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated only when more than half the specified time has elapsed.
Specifies where to store the Forms authentication ticket. The options are:
- Auto Detect - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. For desktop browsers that are known to support cookies, ASP.NET checks to determine whether cookies are enabled.
- Use device profile - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. ASP.NET does not check to determine whether cookies are enabled on devices that support cookies. This is the default setting.
Sets the name of the Forms authentication cookie. The default is .ASPXAUTH.
Specifies the type of encryption, if any, to use for cookies. The options are:
- Encryption and validation - Specifies that both data validation and encryption are used to help protect the cookie. This option uses the configured data validation algorithm (based on the <machineKey> element). Triple-DES (3DES) is used for encryption, if available and if the key is long enough (48 bytes or more). Encryption and validation is the default, and recommended, value.
- Encryption - Specifies that the cookie is encrypted using Triple-DES or DES, but data validation is not performed on the cookie. Cookies used in this manner might be subject to plaintext attacks.
- Validation - Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit. The cookie is created using cookie validation by concatenating a validation key with the cookie data, computing a message authentication code (MAC), and appending the MAC to the outgoing cookie.
Specifies whether an SSL connection is required to transmit the authentication cookie. By default, this is disabled.
Extend cookie expiration on every request
Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expire upon each request during a single session. By default, this is enabled.
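The settings above correspond to attributes of the ASP.NET `<forms>` element in web.config. The following Python script is an added example, not part of the original documentation: it fills in the defaults stated on this page for a constructed sample configuration, flags the two cookie-protection settings, and models the rule that a sliding ticket is renewed only after more than half its lifetime has elapsed. The function names and the sample configuration are hypothetical.

```python
import xml.etree.ElementTree as ET

# Defaults as this page states them; names are ASP.NET <forms> attributes.
DEFAULTS = {"loginUrl": "login.aspx", "name": ".ASPXAUTH", "timeout": "30",
            "protection": "All", "requireSSL": "false",
            "slidingExpiration": "true", "cookieless": "UseDeviceProfile"}

# Constructed sample web.config (not taken from a real application).
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="signin.aspx" timeout="20" protection="Encryption" />
  </authentication>
</system.web></configuration>"""

def effective_settings(xml_text):
    """Return <forms> attributes with defaults filled in, or None if Forms auth is off."""
    auth = ET.fromstring(xml_text).find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = auth.find("forms")
    return {**DEFAULTS, **(forms.attrib if forms is not None else {})}

def audit(settings):
    """Flag the two settings the page ties to protecting the cookie."""
    findings = []
    if settings["requireSSL"].lower() != "true":
        findings.append("requireSSL is off: cookie can be sent without SSL")
    if settings["protection"] != "All":
        findings.append("protection=%s: not encryption and validation"
                        % settings["protection"])
    return findings

def after_request(issued, expires, now, sliding=True):
    """Ticket (issued, expires) in minutes after a request at `now`; None if expired.
    A sliding ticket is reissued only once more than half its lifetime has elapsed."""
    if now >= expires:
        return None  # no valid ticket: the request is redirected to loginUrl
    if sliding and (now - issued) > (expires - now):
        return (now, now + (expires - issued))
    return (issued, expires)

if __name__ == "__main__":
    s = effective_settings(SAMPLE)
    print(audit(s))
    t = int(s["timeout"])
    ticket = after_request(0, t, 8)           # early request: ticket not renewed
    print(ticket, after_request(ticket[0], ticket[1], t + 1))
```

With the sample's 20-minute time-out, a request at minute 8 does not renew the ticket, so a request at minute 21 is redirected to the logon page after only 13 idle minutes. The effective idle time-out under sliding expiration therefore lies between half the configured value and the full value.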