{"id":1544,"date":"2013-07-03T02:22:00","date_gmt":"2013-07-03T02:22:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/webdev\/2013\/07\/03\/understanding-owin-forms-authentication-in-mvc-5\/"},"modified":"2022-08-09T07:14:30","modified_gmt":"2022-08-09T14:14:30","slug":"understanding-owin-forms-authentication-in-mvc-5","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/understanding-owin-forms-authentication-in-mvc-5\/","title":{"rendered":"Understanding OWIN Forms authentication in MVC 5"},"content":{"rendered":"

Overview<\/h2>\n

The new security feature design for MVC 5 is based on OWIN<\/a> authentication middleware. The benefit for it is that security feature can be shared by other components that can be hosted on OWIN. Since the Katana<\/a> team did a great effort to support the OWIN integrated pipeline in ASP.NET, it can also secure apps hosted on IIS, including ASP.NET MVC, Web API, Web Form.<\/p>\n

Forms authentication uses an application ticket that represents user’s identity and keeps it inside user agent’s cookie. When user first accesses a resource requiring authorization, it will redirect user to login page. After the user provides credentials, your application code will validate the user name and password and build user claims including user’s name, roles, etc. After passing claims to the Forms authentication middleware, it will convert it to an application ticket and serialize, encrypt and encode it into a ticket token. Then, send it out as a cookie. When the next time user sends request with the cookie, the middleware will validate it and convert the ticket token back to claims principal and save it in HttpContext.User, which will shared across ASP.NET pipeline.<\/p>\n

ASP.NET also has a forms authentication support through the FormsAuthenticationModule<\/a>, which, however, can only support applications hosted on ASP.NET and doesn’t have claim support<\/a> . Here is a rough feature comparison list:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\n

Features<\/strong><\/p>\n<\/td>\n

\n

Asp.Net Forms Authentication <\/strong><\/p>\n<\/td>\n

\n

OWIN Forms Authentication<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

Cookie Authentication<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Cookieless Authentication<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

No<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Expiration<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Sliding Expiration<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Token Protection<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Claims Support<\/p>\n<\/td>\n

\n

No<\/span><\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Web Farm Support<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n

\n

Unauthorized Redirection<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n

\n

Yes<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

In this blog, you will learn:<\/p>\n

· Creating an MVC project with OWIN Forms authentication enabled.<\/a><\/p>\n

· Understanding OWIN Forms authentication options.<\/a><\/p>\n

· Understanding Application Sign In Cookie flow.<\/a><\/p>\n

· Understanding External Sign In Cookie flow.<\/a><\/p>\n

· Working with new Identity API<\/a><\/p>\n

<\/a>Creating MVC project with OWIN Forms authentication enabled<\/h3>\n

To get started, you need to create new MVC .<\/p>\n

· Make sure you have installed:<\/p>\n