50

I am creating a website using ASP.NET MVC 5. Has Microsoft release any technology to replace FormsAuthentication or do they still recommended authenticating the user using FormsAuthentication for MVC 5?

UPDATE Jan 2020:

It's been almost 5 five years since I asked this question, the web development world has drastically changed. Now I am convinced that FormsAuthentication IS obsolete.

Please consider token based auth when implementing user authentication in ASP.NET based web apps.

sean717
  • 677
  • 1
  • 5
  • 8
  • 3
    Define "OK" and "Obsolete," and explain "Don't like." – Robert Harvey May 20 '15 at 00:26
  • OK means it is still safe to authenticate user using FormsAuthentication with auth cookie? "Obsolete" means is there anything new in ASP.NET MVC 5 to replace the oldie FormsAuthentication? I've editted my question to remove the "don't like" part - originally I wrote I don't like ASP.NET membership, mainly due to its inflexibility, – sean717 May 20 '15 at 05:36
  • 28
    Why is this question closed!? The OP is asking if FormsAuthentication is obsolete in MVC 5 and if there's another technology which replaces it. This is not an opinion-based question like " What do you think of using FormsAuthentication in MVC 5". – Tony_Henrich Aug 31 '15 at 17:09
  • 3
    @Tony_Henrich, yes I don't understand why this is closed. Luckily Rowan provided a useful answer before the closure. Partially based on his answer I still used FormsAuthentication in my MVC5 project. – sean717 Sep 03 '15 at 16:48
  • 3
    I don't understand why this was closed? Isn't this question the _purpose_ of this stack exchange, and not asking this sort of question in stackoverflow? – contactmatt Feb 16 '17 at 06:03
  • 3
    I don't understand why this question was closed? My project is migrating from asp.net 4.0 webforms with form authentication to asp.net 4.5 MVC5 and I'm researching for the best approach with the current code. Please don't allow StackExchange to moderate worse than Wikipedia. – JoshYates1980 Mar 28 '17 at 21:37
  • 4.5 years after I asked this question. I feel if you build website or api using asp.net core or newer version of asp.net mvc. JWT based authentication is a better approach over Forms authentication. – sean717 Oct 04 '19 at 16:57

1 Answers1

53

Yes. FormsAuthentication is deprecated in MVC 5 and onwards.

At least, that's the short answer.

The long answer is that pre-MVC 5 traditional FormsAuthentication is still ok to use. It is, however being phased out in favour of alternative approaches such as ASP.NET Identity.

In Visual Studio 2013, the authentication options supplied for and MVC 5 application are as follows:

VS2013 authentication options

In this case, Individual User Accounts is referring to ASP.NET Identity.

According to Microsoft, the former ASP.NET Membership has been replaced with ASP.NET Identity,

[ ... ] the sample application will be configured to use ASP.NET Identity (formerly known as ASP.NET membership)

(Emphasis mine)

Microsoft also state

The new membership system is based on OWIN rather than the ASP.NET Forms Authentication module.

So Identity didn't exactly replace FormsAuthentication, but rather it replaced the Membership system which used FormsAuthentication. A good thing too, because according to a question I asked in 2013, Membership is rather confusing.

A type of FormsAuthentication still exists though. According to Microsoft,

ASP.NET also has a forms authentication support through the FormsAuthenticationModule, which, however, can only support applications hosted on ASP.NET and doesn't have claim support. Here is a rough feature comparison list: Feature comparison

So if you'd still like to use FormsAuthentication, check out Understanding OWIN Forms authentication in MVC 5.

So Microsoft encourages you to use ASP.NET Identity. You don't have to, of course. You can simply select No Authentication and the project will not implement anything for you. It is then up to you to fulfil your membership/login needs.

Glorfindel
  • 3,137
  • 6
  • 25
  • 33
Rowan Freeman
  • 3,478
  • 4
  • 30
  • 41
  • 7
    Neither the OP nor this answer mentions custom form authentication. In my apps, I don't want and do not use the built in membership controls and SQL Server tables but instead authenticate a user using my code and user table. Then once authenticated, I use FormsAuthentication to create and set up the auth cookie. I don't use ASP.NET Identity but I hope it supports this scenario too. – Tony_Henrich Aug 31 '15 at 17:06
  • @Tony_Henrich, " authenticate a user using my code and user table. Then once authenticated, I use FormsAuthentication to create and set up the auth cookie" That's exactly what I end up doing. I really dont like ASP.NET membership controls and its SQL Server tables. For the "ASP.NET membership" system I know it is definitely deprecated and should be stop being used (since many years ago actually) – sean717 Sep 03 '15 at 16:51
  • A good open source project that uses MVC5 and custom form authentication: https://github.com/YodasMyDad/mvcforum – JoshYates1980 Mar 28 '17 at 21:43