4. Authenticate Method
• Validates a user name and password against credentials stored in the configuration file for an application.
5. Hashing of Password
• Passwords cannot be stored as plain text.
• ASP.NET supports several hashing mechanisms:
– MD5
– SHA1
6. HashPasswordForStoringInConfigFile Method
• Produces a hashed password suitable for storing in a configuration file, based on the specified password and hash algorithm.
• It takes two parameters.
• The first parameter specifies the clear-text password, and the second one specifies the hash algorithm you should use.
7. Example
• string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(clearTextPassword, "SHA1");
• The result of the method call is the hashed version of the password. This result needs to be stored in the web.config file.
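8. Store Hashed password in web.config file
// Requires System.Configuration, System.Web.Configuration and System.Web.Security.
// Open the application's web.config for editing.
Configuration MyConfig = WebConfigurationManager.OpenWebConfiguration("~/");
ConfigurationSectionGroup SystemWeb = MyConfig.SectionGroups["system.web"];
AuthenticationSection AuthSec = (AuthenticationSection)SystemWeb.Sections["authentication"];
// Hash the password first so the clear-text value is never written to web.config.
AuthSec.Forms.Credentials.Users.Add(
    new FormsAuthenticationUser(UsernameText.Text,
        FormsAuthentication.HashPasswordForStoringInConfigFile(PasswordText.Text, "SHA1")));
MyConfig.Save();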
9. Cookieless Forms Authentication
• If you don’t want the runtime to use cookies, you configure this through the cookieless attribute of the <forms /> tag in the <authentication /> section.
14. Problems with Web.Config
• Potential lack of security.
• No support for adding user-specific information.
• Poor performance with a large number of users.
15. Persistent Cookie
• Creating a persistent cookie means that user information is maintained across browser sessions.
• If the cookie is persistent, then even if the user closes the browser and reopens it, the session keeps running.
• The session is killed only by calling the SignOut method.
16. Explicitly killing session
• Persistent cookies are not affected by the timeout attribute that is set in the <forms> element of the web.config file.
• If you want the persistent cookie to eventually expire sometime in the future, you have to use the GetAuthCookie() method of FormsAuthentication, set the expiry date and time