Monday, February 5, 2018

Forms and Windows Based Authentication

Forms Authentication

Forms authentication uses an HTML form to send user credentials to the server and is not an Internet standard. It is only appropriate for web applications, where a user can interact with the HTML form.

How it works:

  • The client requests a resource that requires authentication. If the user is not authenticated, the server returns HTTP 302 (Found) and redirects to a login page
  • The user enters credentials and submits the form. The server validates them and returns another HTTP 302 that redirects back to the original URI, along with an authentication cookie
  • The client requests the resource again. The request includes the authentication cookie, so the server grants the request
  • HTTP modules are managed classes whose code runs in response to a particular event in the request life cycle. Two modules involved in Forms authentication are:
    • FormsAuthenticationModule: authenticates the user by inspecting the forms authentication ticket, which is typically carried in the request's cookie collection. If no ticket is present, the user is treated as anonymous
    • UrlAuthorizationModule: determines whether the user is authorized to access the requested URL by consulting the authorization rules specified in the configuration files

Advantages of using Forms Authentication:

  • Easy to implement: built into ASP.NET
  • Uses ASP.NET membership provider, which makes it easy to manage user accounts

Disadvantages of using Forms Authentication:

  • Not a standard HTTP authentication mechanism; uses HTTP cookies instead of the standard Authorization header
  • Requires browser client
  • Credentials are sent as plaintext
  • Vulnerable to cross site request forgery (CSRF); requires anti-CSRF measures
  • Difficult to use from non-browser clients, since login requires a browser
  • User credentials are sent in the request
  • Some users disable cookies

How to Implement: Forms Authentication can be implemented as below:

  • Enabling Forms Authentication: The application's authentication configuration is specified through the <authentication> element in web.config. Its mode attribute accepts Windows, Forms, Passport and None. Below is the syntax in web.config to use Forms authentication:
    <configuration>
      <system.web>
        <authentication mode="Forms" />
      </system.web>
    </configuration>
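The bare mode="Forms" setting above enables the redirect-and-cookie flow described under "How it works" but leaves every ticket setting at its default. The following web.config is an added example, not from the original post, showing the settings a reviewer would expect alongside it: where the 302 goes, how the ticket cookie is protected, and the UrlAuthorizationModule rules that decide who may reach which URL. The paths (~/Account/Login.aspx, ~/Default.aspx) are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post): web.config for Forms authentication
     with explicit ticket and authorization settings. The page paths are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: where FormsAuthenticationModule sends the HTTP 302 for an
           unauthenticated request (step 1 of the flow).
           defaultUrl: where the user lands after login if no ReturnUrl was given. -->
      <forms loginUrl="~/Account/Login.aspx"
             defaultUrl="~/Default.aspx"
             name=".ASPXAUTH"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- UrlAuthorizationModule rules. "?" means anonymous users, "*" means everyone.
         Rules are evaluated top to bottom and the first match wins, so the deny
         for anonymous users must come first. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Mark cookies HttpOnly and Secure so page scripts cannot read the ticket
         and the browser never sends it over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page itself must remain reachable by anonymous users,
       otherwise the redirect in step 1 loops. -->
  <location path="Account/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Mapping this onto the three steps: the 302 in step 1 targets loginUrl; the cookie issued in step 2 is named by the name attribute and, with protection="All", is both encrypted and MAC-protected, so a tampered ticket is rejected in step 3 and the user falls back to anonymous. requireSSL on the forms element only marks the cookie Secure; the login form must also be served and posted over HTTPS for the credentials themselves not to travel in plaintext. The anti-CSRF measures the disadvantages list calls for are not a web.config setting and still have to be added in the login and form pages.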

Windows Authentication

Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header. This type of authentication works best for intranet environments.

Advantages of using Windows Authentication:

  • Built into IIS
  • User credentials will not be sent as part of request
  • No need to enter user credentials if the client machine belongs to the domain

Disadvantages of using Windows Authentication:

  • Not suitable for Internet applications
  • Either Kerberos or NTLM support is required on the client
  • The client must be joined to the domain's Active Directory

How to Implement: Windows Authentication can be implemented as below:

  • Enabling Windows Authentication: The application's authentication configuration is specified through the <authentication> element in web.config. Its mode attribute accepts Windows, Forms, Passport and None. Below is the syntax in web.config to use Windows authentication:
    <configuration>
      <system.web>
        <authentication mode="Windows" />
      </system.web>
    </configuration>
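Setting mode="Windows" tells ASP.NET to trust the identity IIS established with Kerberos or NTLM, but the authorization rules and the IIS-side switch that actually performs that exchange live elsewhere in the same file. The following web.config is an added example, not from the original post, that shows both; CONTOSO\WebAdmins and the Admin folder are placeholder names chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post): web.config for Windows authentication
     with URL authorization rules. CONTOSO\WebAdmins and "Admin" are placeholders. -->
<configuration>
  <system.web>
    <!-- The credentials never pass through application code: IIS negotiates
         Kerberos/NTLM with the browser and hands ASP.NET a WindowsPrincipal. -->
    <authentication mode="Windows" />

    <!-- Run the worker process under its own account rather than the caller's. -->
    <identity impersonate="false" />

    <!-- Site-wide: authenticated domain users only. "?" is anonymous, "*" is everyone. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Restrict a subfolder to one domain group. With a WindowsPrincipal the
       roles attribute is checked against the user's Windows group membership. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS 7+ integrated pipeline: the module that performs the Kerberos/NTLM exchange.
       Anonymous access is switched off so an unauthenticated request is challenged
       rather than served. This section is locked at the server level by default
       (applicationHost.config, overrideModeDefault="Deny") and must be unlocked
       or configured there before a site-level web.config may set it. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Listing Negotiate before NTLM makes the browser attempt Kerberos first and fall back to NTLM only when a ticket cannot be obtained, which is the usual case for a machine outside the domain. The location-based authorization block is the same UrlAuthorizationModule described in the Forms section; only the source of the principal differs.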

With this I am concluding the illustration. Feel free to share your feedback. Happy Programming !!!
