Forms authentication is the most widely used authentication mechanism for Internet-facing ASP.NET sites. The appeal of forms authentication is that sites with only a few pages and simple authentication requirements can make use of forms authentication, and complex sites can still rely on forms authentication for the basic handling of authenticating users. ASP.NET 3.5 continues to use the same forms authentication that was improved in ASP.NET 2.0, with some enhancements that allow the integration of forms authentication on IIS 7.0 so that not only ASP.NET resources can be authenticated, but also other types of content. Moreover, the ASP.NET 3.5 runtime resembles that of ASP.NET 2.0, with additional features.
This chapter covers the following topics on ASP.NET 3.5 forms authentication:
Reviewing how forms authentication works in the HTTP pipeline (most of this was covered in Chapter 3).
Making changes to the behavior of persistent forms authentication tickets.
Securing the forms authentication payload.
Securing forms authentication cookies with HttpOnly and requireSSL.
Using cookieless support in forms authentication.
Using forms authentication across ASP.NET 1.1 and ASP.NET 3.5.
Using forms authentication across different content types.
Leveraging the UserData property of FormsAuthenticationTicket.
Passing forms authentication tickets between applications.
Enforcing a single login and preventing replayed tickets after logout.