Tuesday, May 01, 2007

Custom Forms Authentication - Cleaning up

My last few posts revolved around custom forms authentication. After stumbling and bumbling through the process, I had to go back and perform some minor cleanup. So let's grab a mop and bucket, a few cold ones, and get our hands dirty...

Why is my Global.asax's Application_AuthenticateRequest called multiple times?

I ended up "googling" a similar question to the one above, and it's one of those things that if you take the time to think about it, you know the answer. The Application_AuthenticateRequest routine is used on every page request. So even though your user may attempt to go to Default.aspx, this can actually invoke two or three page requests.

So to circumvent this "problem" (I hate to call something a problem when it's doing what it's supposed to do), we just check whether the current user is already known at the beginning of every request, like so:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User == null)
    {
        // We don't know who they are, so authenticate
    }
    else
    {
        // We know who they are, nothing to do on this request
    }
}

What good is Custom Forms Authentication if I don't show a login form?

The reason I like doing Custom Forms Authentication is that it tweaks an existing security mechanism from Microsoft. They built in all the code, functions, classes, and settings needed to globally authenticate a user. If we make the proper entries in our web.config to use Forms Authentication, we can make use of the Global.asax's Application_AuthenticateRequest to perform our own authentication routine for our end-user.

For example, let's say you authenticate your user into your application by performing a Form POST of data from your host site, and this is the only way you want your users to enter your app. If your Application_AuthenticateRequest doesn't recognize the user, your authentication routine can check for a Form POST of data from your host site. If it's there, authenticate them; if it's not, don't. It's that simple.

And the coup de grâce: you can make use of the loginUrl parameter in your web.config's Forms Authentication settings to serve as your "You are not authorized" page. Therefore, if the user enters and is not authorized to be on the site, the user is still redirected to the page referenced in the loginUrl parameter.

How can I keep my users authenticated without a login form?

I wanted my users to eventually time out unless they remained active within the site. To do this, I made use of the slidingExpiration parameter. Place it in your web.config's Forms Authentication settings, like so:

<forms name="foo" loginUrl="notAuthorized.aspx" protection="All" timeout="30" path="/" slidingExpiration="true" />

With sliding expiration, every time a request is made, the clock "resets" on the forms authentication cookie. So, with my settings above, every time the user uses my site, their identity ticket's expiration is set to the current time + 30 minutes.
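Putting the three pieces together (the "is the user already known?" check, the host-site POST as the only way in, and the web.config ticket settings), here is an added example of a Global.asax.cs handler. It is not code from the original post; the posted field names, the appSettings key "HostSharedSecret" and the ValidatePostedCredentials helper are my assumptions. The point a practitioner should take from it is that the mere presence of a POST proves nothing, so the handler requires the host site to sign what it posts.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

public partial class Global : HttpApplication
{
    // Runs for every request (pages, images, handlers), so first ask whether
    // the forms ticket cookie already identifies this user.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated) return;      // ticket valid; slidingExpiration renews it
        if (Request.HttpMethod != "POST") return; // stays anonymous -> redirected to loginUrl

        // Assumed field names the host site POSTs: user, UTC ticks, hex HMAC over "user|stamp".
        string user = Request.Form["hostUser"];
        string stamp = Request.Form["hostStamp"];
        string sig = Request.Form["hostSig"];
        if (!ValidatePostedCredentials(user, stamp, sig)) return;

        // Issue the forms ticket; timeout and slidingExpiration come from web.config.
        FormsAuthentication.SetAuthCookie(user, false);
        Context.User = new GenericPrincipal(new GenericIdentity(user, "Forms"), new string[0]);
    }

    // Hypothetical helper: HMAC-SHA256 under a secret shared with the host site
    // (appSettings "HostSharedSecret" is an assumption) plus a 5-minute freshness
    // window, so a captured POST cannot simply be replayed later.
    private static bool ValidatePostedCredentials(string user, string stamp, string sig)
    {
        long ticks;
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(sig) || !long.TryParse(stamp, out ticks))
            return false;
        if (Math.Abs(DateTime.UtcNow.Ticks - ticks) > TimeSpan.TicksPerMinute * 5) return false;

        byte[] key = Encoding.UTF8.GetBytes(WebConfigurationManager.AppSettings["HostSharedSecret"]);
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "|" + stamp));
        string expectedHex = BitConverter.ToString(expected).Replace("-", "").ToLowerInvariant();
        sig = sig.ToLowerInvariant();
        // Fixed-time comparison so timing does not leak how many hex digits matched.
        if (expectedHex.Length != sig.Length) return false;
        int diff = 0;
        for (int i = 0; i < sig.Length; i++) diff |= expectedHex[i] ^ sig[i];
        return diff == 0;
    }
}
```

A request that fails the signature or freshness check is simply left anonymous, so the normal Forms Authentication redirect to loginUrl (the "not authorized" page above) takes over.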


I hope you enjoyed my last few posts regarding Forms Authentication. It is certainly a well-built tool for ASP.NET that requires nothing more than being comfortable with using cookies on your site.
