Security FAQ's

ASP.NET Authentication and Authorization - Interview Questions 

Q: What is web security?


  • Protecting the web pages from unauthorized users is called as web security.
  • In ASP.Net we can implement websecurity by making use of predefined security module as a part of runtime module.
  • All the classes related to the security are defined in "System.Web.Security"(namespace)

Q: What  are the concepts in security issues?

Ans: While dealing with security issues we need to deal with the following 3 concepts

  1. Impersonation: It is the process of assuming the user account for the unknown user.
  2. Authentication: It is the process of identifying the user in some manner.
  3. Authorization: It is the process of verifying whether the perticular user is allowed to access required resources or not.

Q: What is the authentication modes available in ASP.NET?

Ans: ASP.NET supports three authentication modes 

  1. Windows Authentication
  2. Passport authentication
  3. Forms authentication

Q: What is the Windows Authentication?

Ans: The windows authentication authenticates users based on their windows accounts.

  • It uses windows network security.
  • It uses Accounts information available in Active directory of Windows Server to perform authentication. 

Q: What is the Passport authentication?

Ans: The Passport authentication uses Microsoft's passport service to authenticate users. 

  • The new user is directed to the Microsoft site where he can register his identity. 
  • This facilitates user to access multiple sites using single user name and password. 
  • You need to install the Passport SDK to enable the Passport authentication. 

Q: What is the Form authentication?

Ans: The Form authentication collects user's credentials and lets the application use own logic to authenticate users. 

  • The collected user's credential is validated using the users list maintained by the application. 
  • The application maintains its own user list either using <credential> element in the web.config file or using database. 
  • The advantage of using form authentication is that the users don't need to be the member of windows network to have access to the application.  

Q: What is the advantage of using Forms Authentication?

Ans: The advantage of using Forms authentication is that users do not have to be member of a domain-based network to have access to your application.

  • It is usefull for internet based applications
  • There will be greater flexibility to design login page according to requirements by programmer

Q: Explain how Forms authentication works?

Ans: When someone accesses a Web application that uses Forms authentication,Login page will be sent to user.

  • User credentials will be collected 
  • Once user is Authenticated then ASP.NET will create authenticated  cookie
  • Then authorization details will be verified.
  • If user is authenticated and authorized then request will be processed and rendered webpage will be sent to user along with response authentication cookie also will be sent

Q: How do you set authentication mode in the ASP.NET application?

Ans: You can set authentication mode using <authentication> element in web.config file.

<authentication mode="windows">
<authentication mode="passport">
<authentication mode="forms">

Q: What are disadvantages of Windows Authentication?

Ans: It is more suitable for the Intranet websites. Developer can not customize the login dialog box.

Q: List out the difference between Windows Authentication and Forms Authentication.


  • The difference between Windows authentication and Forms authentication is that in Forms authentication your application performs all the authentication and authorization tasks. You must create Web forms and write code to collect user names and passwords and to check those items against a list of authorized users.
  • Where as in Windows Authenticaton most of process has been automated

Q: What is the difference between login controls and Forms Authentication?


  • Forms authentication can be easily implemented using login controls without writing any code. 
  • Login control performs functions like prompting for user credentials, validating them and issuing  authentication just as the FormsAuthentication class. 
  • The FormsAuthentication class is used in the background for the authentication ticket and ASP.NET membership API is used to validate the user credentials. 

Q: How do you impersonate the authenticated user in ASP.NET?  


  • Impersonation means delegating one user identity to another user. In ASP.NET, the anonymous users impersonate the ASPNET user account by default. You can use <identity> element of web.config file to impersonate user.
  • E.g. <identity impersonate="true"/> 

Q: What is impersonation in ASP.NET?


  • Impersonation is when a user accesses a resource without revealing his identity. 
  • The two types of accounts that are set up using IIS make the task of being identifiable very difficult. These are IUSR_machinename and IWAM_machinename and they get added on a web server automatically. When IIS receives a request for a web page or other resource that has permission for anonymous access, IIS treats the IUSR_machinename/ IWAM_machinename account (depending upon the type of the resource) as the user's account, to access the resources. This obviates the need to authenticate a user.   

Q: How do you provide secured communication in ASP.NET?  

Ans: ASP.NET provides secured communication using Secure Sockets Layer(SSL). The application to use SSL need to have an encryption key called a server certificate configured in IIS. When a user requests a secured page, the server generates an encryption key for the user’s session. The encrypted response is then sent along with encryption key generated. In the client side, the response is then decrypted using same encryption key.  

Q: What is the use of mode attribute in authentication element in a web.config file?

Ans: To specify the type of authentication. 

Q: What is the use of name attribute and loginUrl attribute of a forms element in a web.config file?


  • Name attribute of forms element is used to set the name of the cookie in which to store the user’s credential. The default is .authaspx. If more than one application on the server is using Forms authentication, you need to specify a unique cookie name for each application.
  • loginUrl attribute of forms element is used to set the name of the Webform to display if the user has not already been authenticated. If omitted, the default is Default.aspx.

Q: What is protection attribute in a forms element used for in web.config file?

Ans: The protection attribute of a forms element of web.config file is used for setting how ASP.NET protects the authentication cookie stored on the user’s machine. The default is All, which performs encryption and data validation. Other possible settings are Encryption, Validation, and None.

Q: What is timeout attribute in a forms element used for in web.config file?


  • Timeout attribute is used to set the number of minutes the authentication cookie persists on the user’s machine.
  • The default is 30, indicating 30 minutes. 
  • ASP.NET renews the cookie automatically if it receives a request from the user and more than half of the allotted time has expired.

Q: In which namespace the Forms Authentication class is present?

Ans: System.Web.Security namespace

Q: Which method checks the user name and password against the user list found in the credentials element of web.config?

Ans: The FormsAuthentication class’s Authenticate() checks the user name and password against the user list found in the <credentials> element of Web.config.if user is valid then it will return true

Q: Which method can be used to remove forms authentication cookie?

Ans: Use the signout() of FormsAuthentication class to sign out when the user has finished with the application or when you want to remove the authentication cookie from his or her machine. 
Ex: FormsAuthentication.SignOut();

Q: What is the advantage of Authenticating Users with a Database?

Ans: You can authenticate users based on a list in Web.config. The FormsAuthentication class’s Authenticate method is set up to read from web.config file automatically. That’s fine if user names and passwords are created and maintained by a system administrator, but if you allow users to create their own user names or change their passwords, you’ll need to store that information outside the Web.config file. This is because changing Web.config at run time causes the Web application to restart, which resets any Application state and Session state variables used by the application.

Q: What are the advantages of storing user names and passwords in a database rather than a file?

Ans: You can store user names and passwords in any type of file; however, using a database has the following significant advantages:

  1. User names can be used as primary keys to store other information about the user.
  2. Databases can provide high performance for accessing user names and passwords.
  3. Adding, modifying, and accessing records are standardized through SQL.

Q: Can you encrypt user names and passwords stored in a file or a database?

Ans: Yes, you encrypt user names and passwords stored in a file or a database. You can encrypt them using the FormsAuthentication class’s HashPasswordForStoringInConfigFile(). This method uses the SHA1 or MD5 algorithms to encrypt data, as shown below:

pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(Password, "SHA1");

Q: How can you control access to subfolders in a web application?

Ans: The authorization settings in the Web.config file apply hierarchically within the folder structure of a Web application. For instance, you might want to allow all users access to the root folder of a Web application but restrict access to Web forms (and tasks) available from a subfolder. To do this, set the authentication type in the root folder’s Web.config file, and then use the authorization element in the subfolder’s Web.config file to restrict access.

Q: What is the difference between URL and URI?

Ans: A URL (Uniform Resource Locator) is the address of some resource on the Web. A resource is nothing but a page of a site. There are other type of resources than Web pages, but that's the easiest conceptually.  

  • A URI is a unique identifier to usually a namespace. 
  • Though it looks like a URL but it doesn’t have to necessarily locate any resource on the web. 
  • URI is a generic term. URL is a type of URI. 

Q: Where the way to do the Authentication and Authorization?

Ans: In ASP.NET there are three way to do Authentication and Authorization.

Windows Authentication:

In this methadology ASP.NET web pages will use local windows users and groups to authenticate and authorize resources.

<authentication mode="Windows"> 
  <forms name="AuthenticationDemo" loginUrl="logon.aspx" protection="All" path="/" timeout="30" />

Deny access to the anonymous user in the Aauthorization section as follows:

  <deny users ="?" /> 

Forms Authentication:

This is a cookie based authentication where user name and password stored on client machine as cookie files or they are sent to URL for every request.Form-based authentication presents the users with an HTML-based web page that prompts the user for credentials.In case browser doesnot support cookies then username and password passed via URL string for every request.

<authentication mode="Forms">
  <forms name=" AuthenticationDemo" loginUrl="logon.aspx" protection="All" path="/" timeout="30" /> 
<credential passwordFormat=”SHA1>
  <username="admin" password="admin">

Deny access to the anonymous user in the Aauthorization section as follows:

  <deny users ="?" />

Passport Authentication:

Passport authentication is based on passport website provided by the microsoft.So when user logins with credentials it will be reached to the passport website(i.e. hotmail,devhood,windows live etc)where authentication will happen.If authentication is successful it will return a token to your website.

<authentication mode = "Passport" />