Forms Authentication Ticket In Asp.Net 2.0 3.5

In this article i am explaining how to implement FormsAuthenticationTicket And Managing UserData Roles In Asp.Net 2.0,3.5,4.0 using C# And VB.NET

For implementing forms authentication without using formsauthentication ticket, read my previous article - Forms Authentication with C# and managing folder lavel access with multiple web.config files

Configuring web.config file in application root

<authentication mode="Forms">
<forms defaultUrl="Default.aspx" loginUrl="~/Login.aspx"
slidingExpiration="true" timeout="20"></forms>

Defining roles and accessibility in root web.config

<location path="Admin">
<allow roles="admin"/>
<deny users="*"/>



Defining roles settings for folders and aspx within those folders in web.config file in those folders

<allow roles="user"/>
<deny users="*"/>

settings for any logged in member

<deny users="?"/>

Now after creating Login page we need to authenticate user

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
string userName = Login1.UserName;
string password = Login1.Password;
bool rememberUserName = Login1.RememberMeSet;

//Fetch User login information fromthe xml file into Dataset

string xmlFilePath = Server.MapPath("~/App_Data/LoginInfo.xml");
DataSet objDs = new DataSet();
DataRow[] dRow = objDs.Tables[0].Select("UserName = '" + userName + "' and Password = '" + password + "'");
if (dRow.Length > 0)
//Fetch the role
string roles = dRow[0]["Roles"].ToString();

//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), rememberUserName, roles, FormsAuthentication.FormsCookiePath);

// In the above parameters 1 is ticket version, username is the username associated with this ticket
//time when ticket was issued , time when ticket will expire, remember username is user has chekced it
//roles associted with the user, and path of cookie if any

//For security reasons we may hash the cookies
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);

// add the cookie to user browser


// get the requested page

string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
returnUrl = "~/Default.aspx";

Now to retrieve the authentication and roles information on every request we need to write this code in Global.asax file

protected void Application_AuthenticateRequest(object sender, EventArgs e)
// look if any security information exists for this request

if (HttpContext.Current.User != null)

// see if this user is authenticated, any authenticated cookie (ticket) exists for this user

if (HttpContext.Current.User.Identity.IsAuthenticated)

// see if the authentication is done using FormsAuthentication

if (HttpContext.Current.User.Identity is FormsIdentity)

// Get the roles stored for this request from the ticket

// get the identity of the user

FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;

//Get the form authentication ticket of the user

FormsAuthenticationTicket ticket = identity.Ticket;

//Get the roles stored as UserData into ticket

string[] roles = ticket.UserData.Split(',');

//Create general prrincipal and assign it to current request

HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);

To check whether user in in the role or not we need to write this code in every page which provide access on role basis

protected void Page_Load(object sender, EventArgs e)
if (HttpContext.Current.User.IsInRole("admin"))
lblMessage.Text = "Welcome Administrator";

Download sample code

Related Articles :

1. Forms Authentication with C# and managing
folder lavel access with multiple web.config files

2. User validation across pages using session
after login in ASP.NET using C sharp

3. Detecting Session Timeout
and Redirect to Login Page in ASP.NET
If you like this post than join us or share


redware said...

Thanks - is there are place for FormsAuthentication.GetAuthCookie() here ?

Avinash said...

Hi, thanks for this post... very intresting...however I am not able to download the code... can you please mail the code...?

my email id
thank you

amiT jaiN said...

@Avinash :

Hi, you can download the source code from the lin below

Do let me know if you are having further problems

Ashwani said...

Hi,thanks for the post..but unable to download the code as it says ,has been removed from the provide some other link to download the code..
thank you

amiT jaiN said...


Hi, i've fixed the download link


PAtRoN (c) 1991 said...

i can't link

prabhu said...

i used some other codes for role based authendication.. all r worked fine but if the user or admin click the signout works fine signouted but click the browser back button all the admin page visibled... how to rectify that..

Anonymous said...

This comment has been removed by a blog administrator.

Anonymous said...

Please upload the project again

Anonymous said...

Please upload the project again

Anonymous said...

This post has been removed by a blog administrator.
Please upload the project again

varsha said...

Hi i am not able to download this code.

Anonymous said...

left side add is very disturbing while reading your article fuck off....

Trekon Technologies said...

plz send me code on

Gourav said...

please send me code on

Aryan said...

where is the source code?

Anonymous said...

I think there are some errors in explaination and coding please submit the project again

Anonymous said...


Please Explain briefly

Find More Articles