With custom authentication, your code performs the work that IIS accomplishes automatically: investigating the supplied account information and verifying it with a database lookup. As with IIS, you need to perform this authentication at the beginning of every request or develop a ticket-issuing system, as described in the next section.

Most developers have used some form of custom authentication in their applications. Often, custom authentication just verifies that a user exists in the database and then allows access to the rest of the application. Chapter 18 presents one such example of a security system that can easily be integrated into any distributed application.

A more sophisticated system will use multiple ...