The entire authentication and authorization model in ASP.NET 2.0 is quite improved from the previous version. The addition of the new Login Controls and the whole Membership and Roles Management through provider model has really made the entire security architecture easy to use yet extremely customizable.
Last night I was looking for a way to Log-In user automatically (without his password) thorugh my code, actually the scenario is that the user actually logs in from another site and is redirected to my site with the username in the request. Now I have the username, no password and how do I log this user in (or create an authentication token for him). A post from Scott Guthrie came to the rescue. An authentication token for any user even if you do not have him password can be set with
FormsAuthentication.SetAuthCookie(LoggedInUserName, False)
Where LoggedInUserName is the username for which you want to set the authentication token. Now ok I can authenticate the user and log him in but the authorization of my website is set to deny the anonymous user so the user cannot even access the Default.aspx where I actually write the above code for creating a token.
<system.web>
<authorization>
<deny users=”?” />
</authorization>
</system.web>
There is a simple workaround to this also as you can specify different authorization for any particular path/location in your website. So the following will allow access to the default page to anonymous users but restrict rest of the site of the logged in user.
<location path=”default.aspx”>
<system.web>
<authorization>
<allow users =”*” />
</authorization>
</system.web>
</location>
Some good resources about ASP.NET 2.0 Authentication and Authorization and Security on the whole are as follows.
Scott Guthrie Post about ASP.NET 2.0 Security Resources
How To: Protect Forms Authentication in ASP.NET
