Authentication and Authorization
Security has two concepts:
Authentication: This is the process of determining user’s identities and forcing the users to prove that what they are who they claim to be. It Usually involves entering a username and password into some sort of Login page or window. These username and password are then authenticated against the window user’s accounts on a computer, a list of users in a file, or a back-end database.
Authorization: Once a user is authenticated, authorization is the process of determining whether the user has sufficient permission to perform a given action.
Authentication and authorization are the cornerstones of a secure user-based site. The different authentication modes are established through settings that can be applied to the applications web.config file.
The two types of authentication to secure an ASP.NET website:
Form Authentication: With form authentication, ASP.NET is in charge of authenticating users, tracking them, and authorizing every request. Usually, forms authentication works in conjunction with a database where you store user information (such as username and password), but you have complete flexibility. Form Authentication is the best and most flexible way to use.You could even store user information in a plain text file or write customized login code that calls a remote server.
Windows Authentication: With Windows authentication, the web server forces every user to log in as a Window user. This system requires that all users have Windows user accounts on the server. This is not good for the public web applications.
The <authentication> Node
You use the <authentication> node in the application’s web.config file to set the type of authentication your ASP.NET application requires:
<system.web>
<authentication mode=”Windows|Forms|Passport|None”>
</authentication>
</system.web>
The <authentication> node uses the mode attribute to set the form of authentication that is to be used. Options include Windows, Forms, Passport, and None.