When configuring ASP.NET authentication, what is the behaviour supposed to be when you set the authentication mode to Windows, yet have a child forms element? For example, the following configuration is given as the default in MSDN:
<authentication mode="Windows">
<forms
name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
<passport redirectUrl="internal" />
</authentication>
However I see zero documentation of what is meant to happen here. All documentation of the child forms element assumes that authentication mode will be Forms. It's particularly odd that this isn't documented because this is the default. So why does the Windows authentication mode have a forms child element? Does the child element get ignored and it's just there as an example of what you might want if you were to switch mode to Forms, or does it do something more?
I think it is just for the sake of an example. I cannot point you to any documentation but looking at the code, it looks like the forms settings are read only when the authentication mode is forms.
Below is from FormsAuthenticationModule.cs
public void Init(HttpApplication app) { // authentication is an app level setting only // so we can read app config early on in an attempt to try and // skip wiring up event delegates if (!_fAuthChecked) { _fAuthRequired = (AuthenticationConfig.Mode == AuthenticationMode.Forms); _fAuthChecked = true; } if (_fAuthRequired) { // initialize if mode is forms auth FormsAuthentication.Initialize(); app.AuthenticateRequest += new EventHandler(this.OnEnter); app.EndRequest += new EventHandler(this.OnLeave); } }Please note that FormsAuthentication.Initialize is called only when the mode is forms, which reads the forms setting from web.config file.
The code is from FormsAuthenciation.cs file
/// /// Initializes FormsAuthentication by reading /// configuration and getting the cookie values and encryption keys for the given /// application. /// public static void Initialize() { if (_Initialized) return; lock(_lockObject) { if (_Initialized) return; AuthenticationSection settings = RuntimeConfig.GetAppConfig().Authentication; settings.ValidateAuthenticationMode(); _FormsName = settings.Forms.Name; _RequireSSL = settings.Forms.RequireSSL; _SlidingExpiration = settings.Forms.SlidingExpiration; if (_FormsName == null) _FormsName = CONFIG_DEFAULT_COOKIE; _Protection = settings.Forms.Protection; _Timeout = (int) settings.Forms.Timeout.TotalMinutes; _FormsCookiePath = settings.Forms.Path; _LoginUrl = settings.Forms.LoginUrl; if (_LoginUrl == null) _LoginUrl = "login.aspx"; _DefaultUrl = settings.Forms.DefaultUrl; if (_DefaultUrl == null) _DefaultUrl = "default.aspx"; _CookieMode = settings.Forms.Cookieless; _CookieDomain = settings.Forms.Domain; _EnableCrossAppRedirects = settings.Forms.EnableCrossAppRedirects; _TicketCompatibilityMode = settings.Forms.TicketCompatibilityMode; _Initialized = true; } }