Skip to content

Membership is not the same as Forms Authentication

June 4, 2012

Using Forms Authentication in an ASP.NET application is comprised of two steps:

1) Verify the user’s identity.

2) Authenticate subsequent requests from the user.

For #1: To verify a user’s identity we need to determine what database to consult. This can be done with a custom database or this can be done with Membership API and the MembershipProvider model.

For #2: To authenticate subsequent requests from the user we need a way to correlate requests from the same user and typically we use a cookie-based scheme. Forms authentication provides a framework for this and it implements it in a secure manner. Using Session to track the user is also a cookie-based scheme but it was not designed for security and should be avoided (in addition to all the other reasons).

Forms Authentication issues a cookie and embeds the username inside the cookie. Upon subsequent requests to the server Forms reads the cookie, validates it, extracts the username and assigns the username to User.Identity.Name (as well as Thread.CurrentPrincipal.Identity.Name).

To implement the cookie-based scheme securely Forms Authentication does several things:

1) Protects the cookie by encrypting and MACing it. This provides protection against people reading the cookie (including the user) and tampering with the value (including the user).

2) Provides a secure timeout on the cookie. Forms does not rely upon the normal cookie timeout — the user could easily change this. Instead Forms embeds the cookie timeout in the encrypted/MAC’d cookie value.

3) Sets the cookie as HTTP-only. This prevents client-side JavaScript from accessing the cookie (Session, to its credit, does this as well).

4) Allows the cookie to be marked as SSL-only. This, unfortunately, is not the default nor required (but I think it should for both… well, at least the default). The way this is configured is to set in web.config:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true" />
  </authentication>
</system.web>

This will configure Forms to only allow the cookie to be issued if the login request is using SSL. It also configures the browser to only send the cookie back to the server if the request is SSL.

Protecting the request that contains the login information is obvious, but protecting the cookie on subsequent requests is equally important. We don’t want the cookie intercepted on the network and then replayed by an attacker. This is often overlooked or dismissed as not important, but think about it — if the page being requested needed authentication in the first place (presumably because it contained sensitive data like banking or healthcare information) then would we want the contents intercepted by an eavesdropper? I don’t think so, so we need to protect both the cookie and the contents of the page. It’s imperative that SSL be used for any request that uses authentication.

So, the important aspects of security really revolve around Forms Authentication and not Membership. And in fact you don’t need to use Membership to use Forms Authentication. Membership is just an abstraction around a database look-up. It’s important to distinguish and understand what each does so that you can understand how your security is really working and evaluate which pieces you really need and want.

12 Comments leave one →
  1. baoh permalink
    June 8, 2012 3:44 am

    Great idea with the requireSSL but when I tried that I got exception at
    FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
    the current request is not SSl …

    • June 8, 2012 10:57 am

      @baoh — exactly! That’s what it’s supposed to do. You need to be using SSL when you issue the cookie.

  2. June 20, 2012 5:49 am

    Excellent post.

  3. Eyad permalink
    June 7, 2013 9:19 am

    Excellent post.
    Thank you for sharing

  4. chuksgerrard permalink
    August 1, 2013 11:10 am

    how can i use forms authentication without membership. i want to do something like save a user to my db, set the cookie (making the request authentic) and possibly check for request.isauthenticated

    • August 1, 2013 11:11 am

      You would have to write the code to validate credentials and once you’ve done that just call FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage.

  5. Mateburg permalink
    October 17, 2013 4:00 am

    Nice explanation, thank you!

  6. santhosh permalink
    December 31, 2013 6:03 am

    I got good information about security by this great post….

  7. Abir permalink
    May 9, 2014 3:09 pm

    Excellent post, Thanks!

Trackbacks

  1. How Forms Authentication implements a secure timeout on the cookie? | Computers, Programming, Technology, Music, Literature
  2. Announcing MembershipReboot | brockallen
  3. The good, the bad and the ugly of ASP.NET Identity | brockallen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: