Once a user has been successfully authenticated, we can provide them with an ID card in the form of a cookie by using FormsAuthentication:
FormsAuthentication.SetAuthCookie(username, true);
This cookie is encrypted in a way that makes it very difficult to spoof an ID card:
.ASPXAUTH7A70ED1522FD48DAF9916C9A24AB7A19117478989BA2
41DCF79D7E6FA321D9E538A3533F7F9778499121B2D1D8A4F9C36
55B805DBA7E8EE19233AC8733A20BED170FF675B6CBA8DAD92BA5
9FB2B1D5B7184C7A8A30E8251726A41D6CA5E92C3Blocalhost/9
728267362585629942014186081504029942010*
The client's browser then flashes this ID card every time it requests a page from our web site. IIS decrypts the cookie and assigns the username it contains to the HttpContext of the page's execution:
this.Context.User.Identity.Name
We can see this identity as an integral part of the submitted request, and we can trust it as being legitimate. This functionality is activated through the following web configuration:
<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
</configuration>
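A stricter variant of the configuration above, as an added example that is not part of the original post. The login page path ~/Login.aspx and the 30-minute timeout are assumptions. Because the identity is trusted purely on the strength of the cookie, the settings below limit where and for how long that cookie is accepted:

```xml
<configuration>
  <system.web>
    <!-- The original post uses <authentication mode="Forms"/> and leaves
         every cookie setting at its default value. -->

    <!-- protection="All"     : the ticket is both encrypted and integrity-checked,
                                so a modified cookie is rejected.
         requireSSL="true"    : the cookie is marked Secure and is only sent over HTTPS.
         cookieless="UseCookies" : the ticket is never placed in the URL, where it
                                would leak through logs and Referer headers.
         timeout="30"         : ticket lifetime in minutes (assumed value).
         slidingExpiration="false" : the ticket is not renewed on activity, so a
                                copied cookie stops working after the timeout. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Reject anonymous users ("?") so every page requires a valid ticket;
         the login page itself stays reachable. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The second argument of `SetAuthCookie(username, true)` makes the cookie persistent, so it survives a browser restart until the timeout expires; passing `false` limits it to the browser session.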