Difference of ASP and ASP.NET Security Flow
The security flow for ASP.NET page request is different from the classic ASP security flow.
ASP.NET Security Fundamental Operations
Security in the context of ASP.NET application involves 3 fundamental operations
Authentication: the process of validating the identity of a user to allow or deny a request. This involves accepting credentials (e.g. username and password) from the users and validating it against a designated authority. After the identity is verified and validated, the user is considered to be legal and the resource request is fulfilled. Future request from the same user ideally are not subject to the authentication process until the user logs out of the web application.
Authorization: the process of ensuring that users with valid identity are allowed to access specific resources.
Impersonation: this process enables an application to ensure the identity of the user, and in turn make request to the other resources. Access to resources will be granted or denied based on the identity that is being impersonated. In other words, impersonation enables a server process to run using the security credentials of the client [6,9]. Thus, the ASP.NET applications are capable to execute the identity of client on whose behalf they are operating.