Forms Authentication

MSDN How To's

• How To: Create GenericPrincipal Objects with Forms Authentication - This How To shows you how to create and handle GenericPrincipal and FormsIdentity objects when using Forms authentication.
• How To: Protect Forms Authentication in ASP.NET 2.0 - This How To shows you how to securely configure and use forms authentication with ASP.NET 2.0 applications. Key factors to consider include properly securing the authentication ticket and securing the user identity store and access to that store. Failing to protect authentication tickets is a common vulnerability that can lead to unauthorized spoofing and impersonation, session hijacking, and elevation of privilege. Other common vulnerabilities include failing to secure the user store and failing to enforce strong passwords. This How To describes how to apply appropriate countermeasures such as using the defaults of SHA1 and AES for hashing and encryption, applying session lifetime restrictions, and protecting authentication tickets with SSL.
• How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 - This How To shows you how to use forms authentication with Microsoft® Active Directory® directory service by using the ActiveDirectoryMembershipProvider. The How To shows you how to configure the provider and create and authenticate users. It also shows you how to enforce the password complexity rules defined by your domain policy and how you can extend your Active Directory schema to store password questions and answers. This allows you to support password resets if users forget their passwords.
• How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0 - This How To shows you how to use the ASP.NET 2.0 membership feature with multiple Active Directory domains. It shows you how to configure an ActiveDirectoryMembershipProvider for each domain and the corresponding connection strings. It also shows how to get an instance of MembershipProvider corresponding to a specific domain and how to call membership APIs, such as ValidateUser, through the relevant provider.
• How To: Use Forms Authentication with SQL Server in ASP.NET 2.0 - This How To shows you how you can use forms authentication with the SQL Server membership provider. Forms authentication with SQL Server is most applicable in situations where users of your application are not part of your Windows domain, and as a result, they do not have Active Directory accounts. This How To explains how to create a login page using the new membership Login control, configure your Web application to use forms authentication, create the user store database, grant database access to your Web application account, configure ASP.NET membership settings, and set password complexity rules.

The Basics

• ASP.NET Forms Auth Basics - Brief but clean example by Cory Isakson showing FormsAuth on ASP.NET 2.0.
• Setting up SSL/HTTPS with Forms Auth - Step by step setup of Forms Auth with SSL.
• Overview of Auth Mechanisms - Amod Deshpande has a fine overview of Windows auth options. Pay close attention to his excellent flow diagrams in the Web Application Authentication section.
• Login Controls in the QuickStart - Explore the various Login-specific controls available to you in ASP.NET.

CardSpace

• Use Windows CardSpace with ASP.NET Forms Authentication - Kevin Hammond includes code an a screencast on one way to get CardSpace to work with ASP.NET Forms Auth.
• ASP.NET Control for CardSpace - Dominick Baier ups the ante with a series CardSpace controls for ASP.NET.
• Screencast: CardSpace and Forms Auth - Alexy Kovyrin extends an existing application using the AspNetSqlMembershipProvider to use CardSpace.

Gotchas

• Scott Forsyth on the Forms Auth Timeout - Scott solves a common but obscure gotcha with the FormsAuthenticationTicket.
• ViewStateUserKey and FormsAuthentication - Another edge case for FormsAuth and a fun bit of forensics.
• FormsAuthentication and Odd Timeouts - An exploration of the HTTP Headers involved in FormsAuthentication and things that might bite you with a misconfigured site.