Search code examples
c#asp.netformsauthentication

log in with FormsAuthentication.Authenticate

I am trying to create an authentication cookie that a user can log in with on my website.

I have a login form like this:

<asp:TextBox ID="txtUsername" runat="server" MaxLength="10" Text="Sam001" ></asp:TextBox>
<asp:TextBox ID="txtPassword" runat="server" MaxLength="10" Text="Pass01" ></asp:TextBox>

<asp:Label ID="status" runat="server" ></asp:Label>

<asp:Button CssClass="button" ID="Submit" runat="server" Text="Logga in" OnClick="Login_Click" />

And then that button does this in code behind:

protected void Login_Click(object sender, EventArgs e)
{
    DbReader listData = new DbReader();
    Employee tempEmp = null;

    if ((tempEmp = listData.GetUser(txtUsername.Text, txtPassword.Text)) != null) // check if username and pw was correct
    {
        FormsAuthentication.SetAuthCookie(tempEmp.EID, false); // create auth cookie

        Debug.WriteLine("auth cookie set for: " + tempEmp.EID);

        if (FormsAuthentication.Authenticate(tempEmp.EID, txtPassword.Text)) // check if name and pass is valid
        {
            Debug.WriteLine("auth validation ok");

            FormsAuthentication.RedirectFromLoginPage(tempEmp.EID, false); // redirect


            status.Text = User.Identity.Name; // set status to the Name property of the auth cookie
        }
        else
        {
            status.Text = "failed to Authenticate";
        }
    }
    else
    {
        status.Text = "failed to get user";
    }
}

and in Web.config it looks like this:

<authentication mode="Forms">
  <forms name="LoggedInUser" loginUrl="~/Login.aspx" protection="All" timeout="10" path="/" />
</authentication>

How come I always get "failed to Authenticate"? What am I doing wrong when I want to create a authentication cookie that logged in users need to access certain pages?

Solution

  • The Authenticate method works against a list of users and passwords stored in web.config.

    So to use this, your web.config needs to look something like:

    <authentication mode="Forms">
  <forms name="LoggedInUser" loginUrl="~/Login.aspx" protection="All" timeout="10" path="/" />
    <credentials passwordFormat="SHA1">
      <user name="user1" password="27CE4CA7FBF00685AF2F617E3F5BBCAFF7B7403C" />
      <user name="user2" password="D108F80936F78DFDD333141EBC985B0233A30C7A" />
      <user name="user3" password="7BDB09781A3F23885CD43177C0508B375CB1B7E9"/>
    </credentials>
  </forms>
</authentication>

    This example was obtained from the Microsoft page describing the authenticate method.

    Also, it is important to note that Microsoft has declared this method obsolete and suggests using one of the Membership providers instead.