FormsAuthentication in ASP.NET


In Web.Config File

Here is a basic example of what a web.config file looks like when it has been set to use forms authentication. I will then go into further detail and explain the tags.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="All" timeout="30">
        <credentials passwordFormat="Clear">
          <user name="admin" password="adminpwd"/>
          <user name="coder" password="coderpwd"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- After checking the username and password, allow the user 'admin' and do not allow the user 'coder' -->
      <allow users="admin"/>
      <deny users="coder"/>
    </authorization>
    <compilation debug="true"/>
  </system.web>
</configuration>

In web.config I use the <authentication> tag.

<authentication> tag

Here we come to our first tag for authentication, which is called <authentication>. This tag has one attribute, mode, which specifies the type of authentication that will be applied to this site. The choices are Windows|Forms|Passport|None. In this article I am going to focus on Forms authentication.

<authentication> is used to check whether the user's username and password are valid. The username and password have to be given in a tag called <user>, which takes two attributes, 'name' and 'password'. One <user> tag stores only one user's username and password; if you are going to check more than one user, you have to write another <user> tag.

After the user's username and password have been checked by <authentication>, processing goes on to <authorization>.

<credentials> tag

This is an optional section if you want to specify the username/password combinations in here. We will first discuss authentication with passwords in the web.config file and I will later highlight how you can store the usernames and passwords in a database or XML file. The credentials tag also has an attribute called passwordFormat. Your choices for password format are: Clear|SHA1|MD5.
We will stick with clear text passwords for now and talk about encrypting the passwords further down.

<authorization> tag

<authorization> is used to give access rights to one or more particular users, and also to refuse access rights to one or more particular users.

It has two tags, <allow> and <deny>. Each takes a 'users' attribute, which is used to give a username.

Example:

<authorization>
   <!-- After checking the username and password, allow the user 'admin' and do not allow the user 'coder' -->
   <allow users="admin"/>
   <deny users="coder"/>
</authorization>

Giving access to all users:

   <!-- After checking username and password, allow all the users -->
   <allow users="*"/>

Not allowing any users:

   <!-- After checking username and password, do not allow any users -->
   <deny users="*"/>

Giving access to all unknown (anonymous) users:

   <!-- After checking username and password, allow all unknown users -->
   <allow users="?"/>
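
How these <allow> and <deny> entries combine is easier to see in code. The following C# console program is an added example, not code from the original article or from ASP.NET itself: it models only the users attribute, evaluates the rules top to bottom with the first match deciding, and appends the <allow users="*"/> rule that an application inherits from the machine-level configuration. The names UrlAuthDemo, Rule, R and IsAllowed are hypothetical, and comparing user names without regard to case is an assumption of this model.

```csharp
using System;
using System.Linq;

static class UrlAuthDemo
{
    // One <allow>/<deny> element: Allow is true for <allow>, Users is its users attribute.
    struct Rule { public bool Allow; public string Users; }
    static Rule R(bool allow, string users) { return new Rule { Allow = allow, Users = users }; }

    // user == null models an anonymous (not yet authenticated) request.
    static bool IsAllowed(Rule[] appRules, string user)
    {
        // The application's own rules come first; the inherited
        // machine-level <allow users="*"/> is consulted last.
        var rules = appRules.Concat(new[] { R(true, "*") });
        foreach (var rule in rules)
        {
            bool match = rule.Users.Split(',').Select(u => u.Trim()).Any(u =>
                u == "*" ||                      // everyone
                (u == "?" && user == null) ||    // anonymous users only
                (user != null && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)));
            if (match) return rule.Allow;        // the first matching rule decides
        }
        return false; // not reached: the inherited allow-all rule always matches
    }

    static void Main()
    {
        // The article's rules: allow admin, deny coder.
        var article = new[] { R(true, "admin"), R(false, "coder") };
        // Variant: force a login first, then admit only admin.
        var strict = new[] { R(false, "?"), R(true, "admin"), R(false, "*") };

        foreach (var user in new[] { "admin", "coder", "guest", null })
        {
            Console.WriteLine("{0,-11} article={1,-5} strict={2}",
                user ?? "(anonymous)", IsAllowed(article, user), IsAllowed(strict, user));
        }
    }
}
```

With the article's two rules, an anonymous request and any authenticated user other than coder fall through to the inherited allow-all rule, so nothing sends the visitor to login.aspx. The variant that starts with <deny users="?"/> refuses anonymous requests, which is what triggers the redirect to the login page.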

Create a login page with two textboxes, username and password, and one button, login.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="username" runat="server" Style="z-index: 100; left: 374px; position: absolute; top: 109px" Width="144px"></asp:TextBox>
        <asp:TextBox ID="password" TextMode="Password" CssClass="text" runat="server" Style="z-index: 101; left: 375px; position: absolute; top: 145px" Width="142px"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" OnClick="Login_Click" Text="  Login  " CssClass="button" Style="z-index: 102; left: 408px; position: absolute; top: 178px" />
        <asp:Label ID="Label1" runat="server" Style="z-index: 105; left: 283px; position: absolute; top: 111px" Text="User Name :"></asp:Label>
        <asp:Label ID="Label2" runat="server" Style="z-index: 104; left: 292px; position: absolute; top: 145px" Text="Password :"></asp:Label>
        <%-- Message label that the code-behind refers to as Label4 --%>
        <asp:Label ID="Label4" runat="server" Text="Invalid Login" Visible="false"></asp:Label>
    </form>
</body>
</html>

In login.aspx.cs page:

FormsAuthentication.Authenticate(username.Text, password.Text)

Authenticate() takes two arguments, a username and a password, and validates them against the credentials stored in the application's configuration file. It is a method of the 'FormsAuthentication' class.

It returns a bool. If the username and password are not valid, you can use the else part to show 'user is Invalid':

if (FormsAuthentication.Authenticate(username.Text, password.Text))
{
    // Valid user: continue to the redirect shown below.
}
else
    Response.Write("Invalid Login");


If the username and password are valid, it redirects to another .aspx page as follows:

if (FormsAuthentication.Authenticate(username.Text, password.Text))
    // The second argument (true) asks for a persistent authentication cookie.
    FormsAuthentication.RedirectFromLoginPage(username.Text, true);

If the username and password are valid, the <authorization> rules are then checked to decide whether that user may be sent to a particular page. If all conditions are true, the user is sent on to the page you want.



The complete code in

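using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Hide the message label until a login attempt fails.
        Label4.Visible = false;
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        // Check the submitted values against the <credentials> section of web.config.
        if (FormsAuthentication.Authenticate(username.Text, password.Text))
        {
            // Issue the authentication cookie (persistent) and redirect.
            FormsAuthentication.RedirectFromLoginPage(username.Text, true);
        }
        else
        {
            // Invalid login: show the message label.
            Label4.Visible = true;
        }
    }
}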