Understanding Authentication and Authorization in Asp.Net WebForms

Understanding Authentication and Authorization in Asp.Net WebForms


Asp.Net Webforms is a legacy technology now a days but there are still lots of applications running using WebForms. Also having a clear understanding of the processes involved in WebForms would help us compare the process involved in MVC, WebApi or AspNetCore applications.

Most of the developers fail to understand the basic building blocks of the technology because of which they struggle a lot to resolve issues in the application.

The Asp.Net pipeline processes a web request using one or more modules and one handler for the specific resource.
Most of us would not know that an .ASPX is also processed by HttpHandler which is called the Page handler that generates the response to a given request.
But before a Page handler processes the request , it goes through one or more modules and Authentication is one such module that processes the request prior to the Page Handler.
If the Authentication module fails to retrieve a valid user identity the request is terminated and the handler is not executed.
All this happens at the IIS level in integrated mode with Asp.Net.

Thus it is very important for us to understand the request processing pipeline of not just Asp.Net WebForms but be it any server side technology we are working with.

Authentication and Authorization

Authentication and Authorization are very important aspects of a web application to keep it secure.
Authentication is the process of identifying who a user is. It is very important to secure our web application from being accessed by Unauthorized User.
Authorization is the process of verifying what the Authenticated User has access to.

Let us understand the process of Authentication and Authorization in an Asp.Net Webforms application in simple steps.

  1. Specifying the Authentication Mode
  2. Validating the credentials
  3. Generating the Authentication Cookie
  4. Setting the value of the HttpContext.User property
  5. Using the HttpContext.User property for Authorization

1. Specifying the Authentication Mode

The authentication mode used in the Webforms Application is specified in the webconfig under the system.web node.

  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="">

The value of the mode attribute in the authentication node specifies the type of Authentication used in the application.
In the sample shared above the authentication mode is Forms Authentication.

We can have different types of authentication modes as mentioned below –

  1. Forms Authentication
  2. Windows Authentication (Default)
  3. Passport Authentication
  4. None
// Web.config file     
<authentication mode= "[Windows|Forms|Passport|None]"/>

2. Validating the credentials

After we have specified the mode of authentication for our application the next step is to validate the credentials against a database.
We can maintain the credentials of the user by creating different tables for User and Roles etc… in our database manually.
But there are built in providers that take up the heavy lifting of managing the credentials and roles in the database. They also provide APIs for creating and managing user credentials and roles effectively. With these providers in place the user need not worry about writing custom logic for creating and managing users and roles.
Membership provider was one of the oldest provider to manage credentials through the sql server database.

Later Identity Service provider was introduced with a greater flexibility and effective APIs.

Once the user credentials are validated an Authentication Cookie is generated and sent back in the response after redirecting the user to the intended page. If we are using the Membership provider then we will have to generate the cookie manually by the FormsAuthentication.SetAuthCookie method when a user is logged in after providing the correct credentials.
This method generates a cookie for the logged in user and attaches it to the cookie collection of the response , or to the URL if you are using cookieless authentication.
In case of Identity Service providers the SignInAsync creates an encrypted cookie and adds it to the current response.
This Authentication Cookie is then sent with each subsequent request and validated by the server.

The Authentication Cookie plays a very important role in keeping the user logged in and access multiple resouces in the application without the need to pass user credentials every time making a request.

4. Setting the value of the HttpContext.User property

After the authentication cookie is generated and added to the cookie collection of the response, when a user issues another request to the server the FormsAuthentication module intercepts the request to get the authentication cookie.
The cookie is then decrypted to get a FormAuthentication ticket and converts it to the Principal object.
The Principal object is assigned to the User property of the HttpContext.
The User property contains the Identity of the User.
This is a very important step in the overall authentication process. If a valid token is not found at this step the authentication fails and the user is redirected to the redirect URL or login url in general to enter the valid credentials.

5. Using the HttpContext.User property for Authorization

Once the FormsAuthentication module or any other authentication module validates the authentication cookie and derives and sets the User property of the HttpContext, this value is further used for the authorization on the page.
The User property has a method IsInRole() that checks if the current user is in a specific role to allow or deny the access of the URL or sections on the page to the user.
The Authorization can be done from the Config or it can be done at the page level to allow or deny access to the resource.

Config level Authorization

<location path="to protected folder">
      <deny users="?"/>

Code level Authorization


<% if (HttpContext.Current.User.IsInRole("Administrators")) { %>
  <a href="/admin">Go To Admin</a>
<% } %>

The above code displays the link “Go To Admin” to the user whose role is “Administrators”.

Code Behind

protected void Page_Load(object sender, EventArgs e)
    if (!User.Identity.IsAuthenticated)
    if (!Roles.IsUserInRole(User.Identity.Name, "Administrators"))
        MessageLabel.Text = "Only administrators can view this.";
        SecretPanel.Visible = false;


In this post we discussed the different processes involved in authenticating a user in a Asp.Net WebForms application using FormsAuthentication.
The FormsAuthenticationModule plays an important role in validating the Authentication Cookie and setting the User property. The User property has methods and properties to access the Identity and Role of a User which is further used to perform Authorization on the page.