CRV2 FrameworkSpecIssuesASPNetAuth

==.NET AUTHENTICATION CONTROLS==
In .NET, the configuration file contains authentication tags. The <authentication> element configures the authentication mode that your applications use.

The appropriate authentication mode depends on how your application or Web service has been designed. The default Machine.config setting applies a secure Windows authentication default as shown below.

authentication attributes: mode="[Windows|Forms|Passport|None]"



==Forms Authentication Guidelines==
To use Forms authentication, set mode="Forms" on the <authentication> element. Next, configure Forms authentication using the child element. The following fragment shows a secure authentication element configuration:

  Sliding session lifetime

Use the following recommendations to improve Forms authentication security:
 * Partition your Web site.
 * Set protection="All".
 * Use small cookie time-out values.
 * Consider using a fixed expiration period.
 * Use SSL with Forms authentication.
 * If you do not use SSL, set slidingExpiration="false".
 * Do not use the element on production servers.
 * Configure the  element.
 * Use unique cookie names and paths.
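During code review, several of the recommendations above can be checked mechanically against a Web.config file. The script below is an added example, not part of the original guide: it assumes the standard ASP.NET `<forms>` child element and its attribute names, and the 20-minute threshold for a "small" time-out, the function name, and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values assumed for omitted <forms> attributes (ASP.NET's documented defaults).
DEFAULTS = {"name": ".ASPXAUTH", "path": "/", "protection": "All",
            "timeout": "30", "requireSSL": "false", "slidingExpiration": "true"}
MAX_TIMEOUT_MIN = 20  # assumption: what counts as a "small" time-out

def audit_forms_auth(web_config_xml):
    """Return a list of findings for the Forms authentication settings."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode", "Windows") != "Forms":
        return []  # Forms authentication is not in use
    forms = auth.find("forms")
    cfg = dict(DEFAULTS, **(forms.attrib if forms is not None else {}))
    ssl = cfg["requireSSL"].lower() == "true"
    findings = []
    if cfg["protection"] != "All":
        findings.append("protection is not All")
    if int(cfg["timeout"]) > MAX_TIMEOUT_MIN:
        findings.append("cookie time-out too long")
    if not ssl:
        findings.append("requireSSL is not true")
        # Sliding expiration keeps renewing a cookie that travels in clear text.
        if cfg["slidingExpiration"].lower() != "false":
            findings.append("slidingExpiration enabled without SSL")
    if cfg["name"] == DEFAULTS["name"]:
        findings.append("default cookie name")
    if cfg["path"] == DEFAULTS["path"]:
        findings.append("cookie path is site root")
    return findings

# Constructed sample configurations (not taken from the page).
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" protection="Validation" timeout="120" />
  </authentication>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Secure/login.aspx" protection="All" requireSSL="true"
           timeout="10" name="AppNameCookie" path="/Secure"
           slidingExpiration="false" />
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_forms_auth(xml))
```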