Use Forms authentication to manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.


Because Forms authentication sends the user name and password to the server as plain text, you should use Secure Sockets Layer (SSL) encryption for the logon page and for all other pages in your application except the home page.

UI Element List

Element Name Description

Login URL

Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is login.aspx.

Authentication cookie time-out (in minutes)

Specifies the time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the time-out attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed.


Specifies where to store the Forms authentication ticket. The options are:

  • Do not use cookies - Cookies are not used.

  • Use cookies - Cookies are always used, regardless of device.

  • Auto Detect - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. For desktop browsers that are known to support cookies, ASP.NET checks to determine whether cookies are enabled.

  • Use device profile - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. ASP.NET does not check to determine whether cookies are enabled on devices that support cookies. This is the default setting.


Sets the name of the Forms authentication cookie. The default is .ASPXAUTH.

Protection mode

Specifies the type of encryption, if any, to use for cookies. The options are:

  • Encryption and validation - Specifies that both data validation and encryption are used to help protect the cookie. This option uses the configured data validation algorithm (based on the <machineKey> element). Triple-DES (3DES) is used for encryption, if available and if the key is long enough (48 bytes or more). Encryption and validation is the default, and recommended, value.

  • None - Specifies that both encryption and validation are disabled for sites that use cookies only for personalization and that have weaker security requirements. Microsoft does not recommend that you use this setting; however, it is the least resource-intensive way to enable personalization using the .NET Framework.

  • Encryption - Specifies that the cookie is encrypted using Triple-DES or DES, but data validation is not performed on the cookie. Cookies used in this manner might be subject to plaintext attacks.

  • Validation - Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit. The cookie is created using cookie validation by concatenating a validation key with the cookie data, computing a message authentication code (MAC), and appending the MAC to the outgoing cookie.

Requires SSL

Specifies whether an SSL connection is required to transmit the authentication cookie. By default, this is disabled.

Extend cookie expiration on every request

Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expire upon each request during a single session. By default, this is enabled.

See Also