To implement forms-based security, you need to follow three steps:
1. Set the authentication mode to forms authentication in the web.config file. (If
you prefer a graphical tool, you can use the WAT during development or IIS
Manager after deployment.)
2. Restrict anonymous users from a specific page or directory in your application.
3. Create the login page.
You define the type of security in the web.config file by using the tag.
The following example configures the application to use forms authentication by using the
tag. It also sets several of the most important settings using a nested
Namely, it sets the name of the security cookie, the length of time it will be considered valid (in
and the page that allows the user to log in.
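The settings described above, written out as a web.config fragment. This is an added example, not the original listing: the cookie name, timeout value and login page path are assumed values. It goes beyond the text by including the step 2 rule that turns away anonymous users and three cookie-hardening attributes (protection, requireSSL, cookieless).

```xml
<?xml version="1.0"?>
<!-- Added example with constructed values; not the original listing. -->
<configuration>
  <system.web>
    <!-- Step 1: switch the application to forms authentication. -->
    <authentication mode="Forms">
      <!-- name:     name of the security cookie (assumed value)
           timeout:  how long the ticket stays valid, in minutes (assumed value)
           loginUrl: page unauthenticated users are redirected to (assumed path) -->
      <forms name="MyAppAuth"
             loginUrl="~/Login.aspx"
             timeout="20"
             slidingExpiration="false"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies" />
      <!-- slidingExpiration="false": the ticket expires a fixed time after
             login instead of being renewed on each request.
           protection="All": the ticket is both encrypted and validated.
           requireSSL="true": the cookie is only sent over HTTPS.
           cookieless="UseCookies": the ticket is never placed in the URL. -->
    </authentication>

    <!-- Step 2: rules are checked top to bottom and the first match wins.
         "?" matches anonymous users, "*" matches all users. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

With the deny rule in place, ASP.NET still serves the page named in loginUrl to anonymous users, so the redirect to the login page does not loop.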
To control who can and can’t access your website, you need to add access control rules to the
section of your web.config file. Here’s an example that duplicates the default
The asterisk (*) is a wildcard character that explicitly permits all users to use the application,
those who haven’t been authenticated. But even if you don’t include this line in your
application’s web.config file, this is still the behavior you’ll see, because ASP.NET’s default settings allow all
(Technically, this behavior happens because there’s an