17.3. Creating the Membership Database
This Web application uses a SQL Server Express database to store user information. The Fabrikam site recognizes three categories of users:
Anonymous visitors: These users don't need to log in and are not included in the Membership database. They can visit most pages except the catalog and the people pages.
Members: Users who register for access.
Administrators: These are superusers who can add and remove members and generally manage the site. In addition to being registered users, they belong to the Administrators role.
17.3.1. Configuring forms authentication
Forms authentication is the most common type of security for Web sites on the Internet. When users request a restricted page, ASP.NET redirects them to a login page. After the user logs in, the Web server passes the browser a secure, in-memory cookie. Every time the browser requests a secure page from the site, the browser presents the cookie. ASP.NET reads the cookie and, if it's valid, allows the browser to continue.
The in-memory cookie (one that's not saved on the user's hard drive) expires when the user closes the browser. It also expires after 20 minutes (the default) if the user hasn't requested any more pages from the site. This is why you often have to log back in to a site that you left open during a coffee break.
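The following web.config fragment is an added example, not taken from the book or the Fabrikam project. It shows the kind of settings that correspond to the behavior described above. The page names login.aspx, catalog.aspx and people.aspx and the admin folder are assumptions made for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example. Page and folder names are assumptions, not from the book. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: page ASP.NET redirects to when an anonymous browser
             requests a restricted page.
           timeout: idle minutes before the ticket expires, set explicitly
             here to match the 20-minute window described in the text.
           slidingExpiration: requests made during the window renew it.
           protection="All": the ticket is both encrypted and validated,
             so a tampered cookie is rejected.
           requireSSL: the cookie is sent only over HTTPS.
           cookieless="UseCookies": keeps the ticket out of the URL, where
             it could leak through logs, bookmarks or Referer headers.
           Whether the cookie is in-memory or saved to disk is decided at
           login time, not in this file. -->
      <forms loginUrl="~/login.aspx"
             timeout="20"
             slidingExpiration="true"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>
    <roleManager enabled="true" />
    <!-- Site default: anonymous visitors can see most pages. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Members only: "?" means anonymous users. -->
  <location path="catalog.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="people.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>

  <!-- Administrators only: rules are read top down, first match wins. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```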
To configure forms authentication:
In Visual Web Developer, choose Website > ASP.NET Configuration.
The Web Site Administration Tool opens in the browser, as shown in ...