Authenticating users visiting an Internet-based website is usually accomplished in one of two ways:
- Using Forms authentication - here a user is prompted for their credentials through a standard web page form
- Using HTTP authentication - RFC 2617 defines two standard HTTP protocol-level authentication schemes - Basic authentication and Digest authentication. When a browser interfaces with a site using this form of authentication, it displays that familiar modal dialog box prompting you for your credentials.
Many websites use Forms authentication, as it provides more control over the user experience and many platforms (such as ASP.NET) include tools for adding Forms authentication support. (In fact, with ASP.NET 2.0, you can build a complete user account-based website using Membership and Forms authentication without having to write a line of code; see Examining ASP.NET 2.0's Membership, Roles, and Profile for more information.)
However, Forms authentication is not a standard; while it's easy for a human to provide their credentials through Forms authentication, it's much more difficult for a computer program since the HTML inputs for the credentials can differ from site to site. With the standard HTTP protocol-level authentication schemes, however, the workflow for authentication is much more mechanical and can easily be supported by a computer program. In fact, tools like wget, Microsoft's Background Intelligent Transfer Service (BITS), and many RSS readers support built-in HTTP authentication.
Traditionally, Forms authentication is handled at the ASP.NET level, while the HTTP authentication schemes are configured from the web server level. This means that Forms authentication can easily be configured to authenticate users against a credential store located in some XML file, a database table... whatever. With HTTP authentication, the user credential store consulted for authentication is typically the Windows User Store.
Consider the case of a blog or forum site, where we have certain resources that we want to protect. For example, imagine that at a forum site there is a forum that is "private," meaning that only a set of users can view the forum's posts. It's easy to establish authorization rules in Web.config and use Forms authentication to identify users. However, imagine that our forum website offers RSS feeds of the forum's most recent posts. How do we share the RSS feeds for the private forums? RSS readers can't authenticate via Forms authentication.
One option, the one CommunityServer uses, is a unique RSS subscription URL per user. The only issue here is that if that particular URL is leaked somehow, anyone can consume the private forum feeds. Rob Howard and I discuss this feature in CommunityServer in this forum post: Enable RSS on non-public forums. Another option is to support both HTTP and Forms authentication and have them both use the same credential store (such as that database table or XML file or what have you...).
Back in April 2006, Atif Aziz and I published an article on MSDN Online on how to build an ASP.NET web application that can do just this. In particular, the article examines MADAM, a collection of HTTP Modules for handling this sort of functionality. With MADAM you can define in Web.config what conditions would require the authentication scheme to switch from Forms authentication to HTTP authentication. For example, you might instruct MADAM that whenever anyone was attempting to access a particular resource, to switch to HTTP authentication. The MADAM HTTP Modules then detect when such a condition unfolds and intercept the HTTP response to include the necessary headers for the specified HTTP authentication scheme. Similarly, when the user agent responds with the user's credentials, the MADAM HTTP Modules work to validate the credentials against the configured credential store.
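To make the RFC 2617 exchange from the bulleted list above and the module behaviour described in this paragraph concrete, here is an added example; it is not MADAM's code and not taken from the MSDN article. It is a single ASP.NET 2.0 `IHttpModule` that leaves every request on Forms authentication except those under an assumed `/feeds/` path prefix (the "condition" that triggers the switch), challenges those with `401` plus a `WWW-Authenticate: Basic` header, and validates whatever `Authorization` header comes back against the Membership provider, i.e. the same store the Forms login page uses. The namespace, class name, realm string and path prefix are all assumptions chosen for the example.

```csharp
// Added example (not MADAM's own code): an ASP.NET 2.0 IHttpModule that switches
// a Forms-authenticated site to RFC 2617 Basic authentication for one path
// prefix (assumed: /feeds/) and validates credentials with the Membership
// provider, so HTTP auth and Forms auth share one credential store.
//
// Registration in Web.config (module and type names are assumptions):
//   <httpModules>
//     <add name="BasicAuthForFeeds" type="Sample.BasicAuthForFeedsModule" />
//   </httpModules>
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

namespace Sample
{
    public class BasicAuthForFeedsModule : IHttpModule
    {
        private const string ProtectedPrefix = "~/feeds/";   // assumed switching condition
        private const string Realm = "Private Forums";       // assumed realm shown by the browser
        private const string ChallengeFlag = "Sample.BasicAuthChallenge";

        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
            app.EndRequest += new EventHandler(OnEndRequest);
        }

        public void Dispose() { }

        // Only feed URLs use HTTP authentication; everything else stays on Forms.
        private static bool AppliesTo(HttpRequest request)
        {
            return request.AppRelativeCurrentExecutionFilePath
                .StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase);
        }

        private void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpContext ctx = app.Context;
            if (!AppliesTo(ctx.Request)) return;

            // Basic auth carries the password base64-encoded, not encrypted, so never
            // invite a client to send it over plain HTTP: refuse instead of challenging.
            if (!ctx.Request.IsSecureConnection)
            {
                ctx.Response.StatusCode = 403;
                app.CompleteRequest();
                return;
            }

            string user, password;
            string header = ctx.Request.Headers["Authorization"];
            if (header != null && TryParseBasic(header, out user, out password)
                && Membership.ValidateUser(user, password))
            {
                // Same identity shape Web.config <authorization> rules already work with.
                string[] roles = Roles.Enabled ? Roles.GetRolesForUser(user) : new string[0];
                ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
                return;
            }

            // Missing or bad credentials: remember that a challenge is needed and stop.
            // The header itself is emitted in EndRequest (see OnEndRequest for why).
            ctx.Items[ChallengeFlag] = true;
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
        }

        // FormsAuthenticationModule registers earlier, so its EndRequest handler has
        // already turned our 401 into a 302 to the login page by the time this runs.
        // Undo that and emit the RFC 2617 challenge instead.
        private void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (ctx.Items[ChallengeFlag] == null) return;

            ctx.Response.Clear();
            ctx.Response.RedirectLocation = null;
            ctx.Response.StatusCode = 401;
            ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        }

        // RFC 2617 basic-credentials: "Basic" SP base64(userid ":" password),
        // where userid must not contain a colon but the password may.
        private static bool TryParseBasic(string header, out string user, out string password)
        {
            user = password = null;
            if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;

            string decoded;
            try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
            catch (FormatException) { return false; }

            int colon = decoded.IndexOf(':');
            if (colon < 1) return false;
            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1);
            return true;
        }
    }
}
```

Two things worth knowing before running this against a real Membership store. First, `Membership.ValidateUser` counts failed attempts, so an RSS reader configured with a stale password will lock the account after `maxInvalidPasswordAttempts` just as a person would at the login form; that is the price of truly sharing one credential store. Second, Basic is used here because it is the scheme most feed readers and tools like wget support out of the box; Digest avoids sending the password itself but requires the server to hold either the plaintext password or the `MD5(user:realm:password)` hash, which the default Membership providers do not store, so it would need a different store layout than the Forms login page uses.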
If you've ever needed to meld Forms authentication and HTTP authentication in a single web application using a single credential store, check out MADAM. You can learn more about it and download the complete source code at Supporting HTTP Authentication and Forms Authentication in a Single ASP.NET Web Site.