
ASP.Net 2.0 Form Authentication

When we tried to use an existing business library, originally developed for a Windows application, in an ASP.Net project, we found a problem with our security library: the Identity object in CurrentPrincipal was lost every time the web site did a postback. I posted the following question to the ASP.Net forum:

I have a problem with custom authentication on ASP.Net. The website checks the login user and password, then sets System.Threading.Thread.CurrentPrincipal to an instance of a Principal object that implements the IPrincipal interface.

System.Threading.Thread.CurrentPrincipal = New BusinessPrincipal("user", "pass")

After this stage the System.Threading.Thread.CurrentPrincipal will hold the new user identity:



However, on the next postback System.Threading.Thread.CurrentPrincipal gets reset and no longer holds the identity object that was set in the previous postback.



I tested both “Forms” and “Windows” authentication modes and it made no difference:

<authentication mode="Forms"/>

I will appreciate any comment which can help me to work around this problem.

From the replies to my post I learned that there is much more to ASP.Net authentication than I thought. One of the moderators of the forum explained to me that:

    Remember that a Windows application actually has a session, ASP.NET just fakes it. Each and every request to an ASP.NET application starts life as a blank sheet. Some parts are filled in by ASP.NET to partially create the illusion of a session, but…

I did further study of ASP.Net authentication, and it seems the problem can be solved very easily by using the built-in Forms authentication in ASP.Net 2.0.

To validate the user against a custom table in your database, or by any similar method, you can simply use the Login control in ASP.Net. This requires the following steps:

STEP1: Set the authentication mode to Forms

<authentication mode="Forms" />

STEP2: Use the Login control in the ASP.NET page

<asp:Login ID="Login1" runat="server" FailureAction="RedirectToLoginPage" />

STEP3: In the Authenticate event of the Login control, validate the user and, if the user is valid, call FormsAuthentication.RedirectFromLoginPage to pass the result to the ASP.NET authentication engine.


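Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
    With Login1
        ' Sample check only: replace the hard-coded values with a lookup
        ' against your custom user table.
        If String.Equals(.UserName, "TOM", StringComparison.OrdinalIgnoreCase) AndAlso .Password = "pass" Then
            ' Issues the forms authentication cookie and redirects back to
            ' the page that was originally requested.
            FormsAuthentication.RedirectFromLoginPage(.UserName, .RememberMeSet)
        End If
    End With
End Sub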

From this moment System.Threading.Thread.CurrentPrincipal.Identity.Name will hold the user name, and all the business layer code can use System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated as the basic security check.

What still remains is role-based authentication. We do not need it in this project, but I guess we will come across it very soon.
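
Added example (not from the original post or its sample project): a Global.asax handler that shows where the per-request identity comes from and how a role-carrying principal can be attached for the business layer. `LookupRoles` and its sample data are hypothetical stand-ins for a query against your own user table.

```vb
' Global.asax.vb: added example, not part of the original sample project.
Imports System
Imports System.Security.Principal
Imports System.Threading
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    ' Runs on every request, after the forms authentication module has
    ' validated the ticket cookie and set Context.User from it.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim user As IPrincipal = Context.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return ' anonymous request: leave the default principal alone
        End If

        Dim formsId As FormsIdentity = TryCast(user.Identity, FormsIdentity)
        If formsId Is Nothing Then Return ' not a forms ticket (e.g. Windows mode)

        ' Roles are resolved server-side from the validated user name,
        ' never from a password or from client-supplied role data.
        Dim roles As String() = LookupRoles(formsId.Name)

        Dim principal As New GenericPrincipal(formsId, roles)
        Context.User = principal
        Thread.CurrentPrincipal = principal ' what the business layer reads
    End Sub

    ' Hypothetical helper with constructed data; replace with a query
    ' against the custom user table.
    Private Shared Function LookupRoles(ByVal userName As String) As String()
        If String.Equals(userName, "tom", StringComparison.OrdinalIgnoreCase) Then
            Return New String() {"Users"}
        End If
        Return New String() {}
    End Function
End Class
```

With this in place the business layer can call System.Threading.Thread.CurrentPrincipal.IsInRole in addition to checking Identity.IsAuthenticated.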

Check out the sample project here.



Categories: ASP.NET