Using Forms Authentication with ASP.NET AJAX
You can use the Microsoft AJAX Library authentication service to verify credentials that are stored as part of the ASP.NET membership application service. You can access the authentication service from client script by using the AuthenticationService class, which supports the following methods:
login. This method validates the user credentials by using the default membership provider. If the credentials are verified, the method sends a forms authentication cookie to the browser. Most ASP.NET AJAX applications will use the login method, because forms-authenticated applications require an authentication cookie in the browser.
logout. This method clears the forms authentication cookie.
Configuring the Server
The server provides the infrastructure to accept identification credentials, such as a user name and password, from the user and to validate them. The forms authentication feature in ASP.NET AJAX enables you to authenticate a user's login name and password by using a login form. If the application authenticates the request, the server issues a ticket that contains a key for reestablishing the user's identity in subsequent requests.
To support authentication in client script, the server must be configured as described in the following sections.
For more information about authentication in ASP.NET, see How ASP.NET Security Works and Managing Users by Using Membership.
Enabling the Authentication Service
To use the authentication service from client script, you must explicitly enable the authentication service by using the following element in the application's Web.config file:
<authenticationService enabled="true" />
For more information, see Configuring ASP.NET AJAX.
The authentication service requires forms authentication to be enabled. The following example shows how to enable forms authentication in the application's Web.config file.
The browser must have cookies enabled. The authentication service uses a cookie for the authentication ticket that reestablishes the user's identity during subsequent requests.
Configuring Access to the Membership Database
By default, ASP.NET uses a SQL Server Express database to store membership information. The connection string for the database is defined in the Machine.config file and resembles the following:
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;
User Instance=true" providerName="System.Data.SqlClient" />
If you are using a different database for membership information, you can create a <connectionStrings> element in the application Web.config file that points to that database. For more information, see Configuring an ASP.NET Application to Use Membership.
Creating a Restricted Folder
If you want to limit access to information so that only logged-in users can access it, you create a restricted area of the site. This is typically a folder under the application root. To limit access to the restricted folder, you create a Web.config file in the restricted folder and add an <authorization> section to it. The following example shows the contents of a Web.config file that restricts access to only authenticated users.
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
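As an added example that is not part of the original topic, the following Web.config brings the server settings described above together in one file: forms authentication, the explicitly enabled authentication service, and the authorization rule for the Secured folder written as a <location> element rather than a separate Web.config inside that folder. Login.aspx is an assumed page name, and the requireSSL and httpOnlyCookies settings are hardening additions so that the credentials sent by the login method and the returned ticket cookie travel only over HTTPS and the cookie is not readable from client script.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- The authentication service requires forms authentication. -->
    <authentication mode="Forms">
      <!-- Login.aspx is an assumed name for the page whose client script
           calls AuthenticationService.login. requireSSL makes the browser
           send the ticket cookie only over HTTPS. -->
      <forms loginUrl="Login.aspx"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>
    <!-- Keep the ticket cookie out of reach of client script and off HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Explicitly enable the client-callable authentication service.
       requireSSL rejects login calls that arrive over plain HTTP. -->
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled="true" requireSSL="true" />
      </webServices>
    </scripting>
  </system.web.extensions>

  <!-- Same effect as a Web.config containing this <authorization>
       section inside the Secured folder: deny anonymous users (?),
       allow everyone who is authenticated (*). -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rule order inside <authorization> matters: the first matching rule wins, so the deny for anonymous users must come before the allow for all users.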
The following example shows an ASP.NET Web page that authenticates the user by using client script. The example requires that you have configured the server as described earlier in this topic. The name of the restricted folder is assumed to be Secured.
The page contains an <asp:ScriptManager> element. When this element is included on the page, the AuthenticationService object is automatically available to any client script on the page.
The page has a button with an associated event handler named OnClickLogin. Code in the event handler calls the login method of the AuthenticationService class.
After you are logged in, the button text changes and the text at the top of the page changes to indicate your logged-in status. Click the link at the bottom of the page to move to a page located in the Secured folder. Because you are now logged in, you can access pages in this folder without being redirected to the login page.
On the sample page, you can click a button to log out. This calls the OnClickLogout button event handler, which calls the logout method. After you have logged out, the text at the top of the page changes. If you try to access the page in the secured folder, you will be redirected to the login page, because your browser no longer has a forms authentication cookie.
The example code provides asynchronous completed callback functions for the login and logout methods. You can also create failure callback functions for both methods. For more information, see the example provided in the AuthenticationService class overview.