ASP.NET Forms Authentication in version 2.0
How has Forms Authentication changed from ASP.NET 1.1 to ASP.NET 2.0?
ASP.NET application security has benefited from features in Forms Authentication for version 2.0. In short, ready-made UI components and data management implementations have made it a lot simpler to add mature authentication and authorization
capabilities to your Web applications.
ASP.NET 2.0 adds a number of components with ready-made implementations of functionality that had to be built by hand in the ASP.NET 1.1 version. Examples of these include login forms, user creation wizards and password recovery logic. By providing these capabilities out of the box, it is faster to get secure Web applications up and running, and the use of the security-tested ASP.NET framework controls is typically going to be preferable over hand-coding new implementations for each new application.
Previously, applications using Forms Authentication had to create and maintain their own data store for users and their roles. These were typically stored in a couple of tables in a database such as Microsoft SQL Server. In ASP.NET 2.0, implementations are provided to handle these ubiquitous tasks for both Microsoft Access as well as Microsoft SQL Server. The specifics of accessing these data stores are hidden behind interfaces employing the Provider design pattern, so while most applications will be satisfied with the SQL or Access versions, it is straightforward to create new implementations if the user and role data are stored in another data store such as an LDAP directory or XML files.
By using these new controls and ready-made data storage implementations, it is a lot faster to get Forms Authentication-based applications up and running. This is a benefit to both developer productivity as well as application security.
This was first published in March 2006