CRV2 FrameworkSpecIssuesASPNetAuth

= .NET Authentication Controls =
In .NET, authentication is configured through elements in the application's configuration file. The <authentication> element sets the authentication mode that your application uses.

The appropriate authentication mode depends on how your application or Web service has been designed. The default Machine.config setting applies a secure Windows authentication default as shown below.

 <authentication mode="[Windows|Forms|Passport|None]" />



== Forms Authentication Guidelines ==
To use Forms authentication, set mode="Forms" on the <authentication> element. Next, configure Forms authentication using the <forms> child element. The following fragment shows a secure authentication element configuration:

  Sliding session lifetime

Use the following recommendations to improve Forms authentication security:
 * Partition your Web site so that only the restricted area requires the authentication cookie.
 * Set protection="All" so the cookie is both encrypted and integrity-checked.
 * Use small cookie time-out values.
 * Consider using a fixed expiration period.
 * Use SSL with Forms authentication.
 * If you do not use SSL, set slidingExpiration="false".
 * Do not use the <credentials> element on production servers.
 * Configure the <machineKey> element.
 * Use unique cookie names and paths.
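The checklist above can be applied mechanically during a code review. The following checker is an added example, not part of the Code Review Guide; it parses a web.config fragment with Python's standard XML parser and flags <forms> settings that violate the recommendations. The two web.config strings and the 30-minute timeout threshold are constructed assumptions for the demonstration.

```python
# Added example: review a web.config fragment against the Forms authentication
# guidelines. Not from the OWASP Code Review Guide; the configs are constructed.
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: every guideline is violated.
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" protection="Validation" timeout="480"
           slidingExpiration="true">
      <credentials passwordFormat="Clear"><user name="admin" password="x"/></credentials>
    </forms>
  </authentication>
</system.web></configuration>"""

# Constructed sample: follows the guidelines (machineKey values are placeholders).
HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" protection="All" requireSSL="true" timeout="10"
           name="AppNameCookie" path="/FormsAuth" slidingExpiration="false"/>
  </authentication>
  <machineKey validationKey="REPLACE_WITH_GENERATED_KEY"
              decryptionKey="REPLACE_WITH_GENERATED_KEY"/>
</system.web></configuration>"""

def check_forms_auth(web_config: str, max_timeout: int = 30) -> List[str]:
    """Return findings for a Forms-auth web.config; an empty list means no violation."""
    root = ET.fromstring(web_config)
    findings: List[str] = []
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return findings  # only Forms authentication is reviewed here
    forms = auth.find("forms")
    if forms is None:
        return ["<forms> child element missing under <authentication mode='Forms'>"]
    # ASP.NET defaults apply when an attribute is absent: protection=All,
    # requireSSL=false, timeout=30, name=.ASPXAUTH, path=/, slidingExpiration=true.
    ssl = forms.get("requireSSL", "false").lower() == "true"
    if forms.get("protection", "All") != "All":
        findings.append("protection is not 'All'")
    if not ssl:
        findings.append("requireSSL is not true")
    if int(forms.get("timeout", "30")) > max_timeout:
        findings.append(f"timeout {forms.get('timeout')} exceeds {max_timeout} minutes")
    if not ssl and forms.get("slidingExpiration", "true").lower() == "true":
        findings.append("slidingExpiration left true without SSL")
    if forms.get("name", ".ASPXAUTH") == ".ASPXAUTH" or forms.get("path", "/") == "/":
        findings.append("default cookie name or path in use")
    if forms.find("credentials") is not None:
        findings.append("<credentials> element present (not for production)")
    if root.find("./system.web/machineKey") is None:
        findings.append("<machineKey> not configured explicitly")
    return findings
```

Running `check_forms_auth(WEAK)` yields seven findings, one per guideline; the hardened fragment yields none.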

== Classic ASP ==
For classic ASP pages, authentication is usually performed manually: after the credentials are validated against a database, the user information is stored in session variables. When reviewing such code, look for something like:

 Session("UserId") = UserName
 Session("Roles") = UserRoles