Isn't asp.net FormsAuthentication.Authenticate() useless?

Question

Is there any use for FormsAuthentication.Authenticate() is real-world web applications?

Why should we write some usernames in the web.config file when we can write them in databases using asp.net membership?

Answer 1

It is a very fast and easy way to add security to an internal Web application. For example, you may want two or three people to have access, but not your entire organization. Typically you do not want to spend too much effort on an internal Web application anyway. It is so easy to just slap this snippet into the web.config.

<authentication mode="Forms">
    <forms>
        <credentials passwordFormat="Clear">
            <user name="user1" password="pwd1" />
            <user name="user2" password="pwd2" />
        </credentials>
    </forms>
</authentication>

Answer 2

FormsAuthentication.Authenticate() just provides a 'quick and easy' approach when you are happy to put the usernames and passwords into web.config. This may be acceptable for demos/testing or a home/hobbyist site. Naturally, a 'proper' web application would store the user details in a database.

Answer 3

You're making the assumption that your web application will always have a database. That's not necessarily true. In most cases it probably is, but even so you might have a scenario where only one (or a few) user ever needs to be able to login and in that case storing the login credentials in the web.config file might be the best fit.

It guess it comes down to using the right tool for the job.