Is this really all I need to log a user in?

I was looking over some ASP.NET开发者_开发技巧 MVC 1 code (C#) in search of the mechanisms that the site was using to log in a user. This is what I found...

FormsAuthentication.SetAuthCookie(authenticatedUser.UserName, false);

followed by a redirect. Is it REALLY that simple?

I couldn't find any other code after the redirect that would be responsible for this.

FormsAuthentication.SetAuthCookie creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication.

This will "log in a user" but you need to actually make sure the user exists somehow. You can use the built in membership providers which will by default target a SQL Express database in your App_Data folder called ASPNETDB.mdf.

If the default membership provider does not work for you then you can create a custom membership provider by inheriting from the base MembershipProvider class. If you don't want to do this then you can roll your own solution and still issue an authentication ticket, but at the very least you need to do something to actually make sure a user is who he says he is.