This page is likely outdated (last edited on 25 Jun 2008). Visit the new documentation for updated content.

Config system.web authentication

The <authentication> directive appears inside the <system.web> section of Web.config and has the following format:

<authentication mode="[None|Forms]">
    <forms name="cookiename"
        <credentials passwordFormat="[Clear|SHA1|MD5]">
            <user name="user1" password="password1"/>
            <user name="user2" password="password2"/>
       <!-- Although passport is allowed in the config file, it is
       not supported in Mono and will be ignored -->

Mono only supports the “None” and “Forms” authentication modes. “Forms” is the authentication used by ASP.NET forms. “None” means that no authentication is necessary. The unsupported options are “Windows” and “Passport”.

If you choose “Forms”, you can customize the authentication by introducing the <forms> element into your configuration.

Table of contents

Forms Authentication


This defines the cookie name to be used for the authentication for this application.

You should specify this cookie on a per-application basis since cookies are shared across multiple applications on a host/domain.

Default value: “.MONOAUTH”


This is the path that will be set on the cookie used for authentication.

Default value: “/”


This is used to specify the name of the login page that will perform the authentication when access to a page is restricted.

Default value: “login.aspx”


“Validation” stores the value in the cookie along with a validation key that will be used by the server to verify that the cookie value has not been modified. “Encryption” will encrypt the value of the cookie using DES or 3DES. “All” will do both, “Validation” and “Encryption”. This is the default option and the recommended one. “None” will do no transformation to the cookie value.

Default value: “All”


The timeout for the cookie to expire expressed in minutes.

Default value: “30”


Set to true when the cookie is to be sent through SSL connections only.

Default value: “false”


When set to ‘true’, the cookie expiration time is updated is extended from the last request using the cookie until ‘timeout’ more minutes.

Default value: “true”