Security Basics and ASP.NET Support


Shane Johnson
CS526 – S2008, University of Colorado at Colorado Springs
Dr. Edward Chow

Overview
ASP.NET is a web application framework developed by Microsoft. It is one of the centerpieces of the Microsoft .NET Framework and the successor to Microsoft Active Server Pages (ASP). Applications can be written in any .NET-compatible language, including Visual Basic .NET, C#, and JScript .NET. It is used by sites such as www.monster.com, www.dell.com, www.myspace.com, www.match.com and www.newegg.com.
Motivation: explore my interests in dynamic web-based content and get familiar with ASP.NET as a potential server-side solution.

Security Operations in ASP.NET
- Authentication: the process of ascertaining the client's identity. A client who has been successfully identified is said to be authenticated; an unidentified client is said to be unauthenticated or anonymous.
- Authorization: the process of determining whether a particular user has the authority to access a specific resource or functionality.
- User Account: a store for persisting information about a particular user.
- Role: simply a label that is applied to a user; it provides an abstraction for defining authorization rules and page-level functionality.

Forms-Based Authentication
A common method of verifying a user's identity is to prompt them to enter their credentials through a web form. When a user who has not yet been authenticated attempts to access a protected resource, they are automatically redirected to the login page where they can enter their credentials. The submitted credentials are then validated against a custom user store (usually a database). Because the credentials travel in the body of an ordinary HTTP POST, the login page and everything after it must be served over HTTPS, otherwise both the password and the resulting authentication cookie are exposed on the wire.

Figure 1: The Forms Authentication Workflow
1. An unidentified user requests a protected page from the server.
2. The server redirects the unidentified user to the login page.
3. The submitted credentials are validated against a custom user store, usually a database.
4. A forms authentication ticket is created for the user and stored in a cookie.
5. The user is granted access to the protected page.
6. Subsequent visits to the website include the forms authentication ticket in the HTTP request.
The ticket is encrypted and signed with the application's machineKey (the default protection="All"), so the browser can present it but cannot read or forge it. Everything that follows step 4 trusts the ticket rather than the password, so the key must be kept secret and the cookie must be protected in transit.

Example Work
First I created a sample web site. After creating it, I added a Web.config file and changed the authentication configuration from the default "Windows" to "Forms":

    <configuration>
      <system.web>
        <!-- The <authentication> section enables configuration of the security
             authentication mode used by ASP.NET to identify an incoming user. -->
        <authentication mode="Forms" />
      </system.web>
    </configuration>

This only selects how callers are identified; it does not by itself protect any page. Pages remain open to anonymous users until an <authorization> section denies them (deny users="?"), and with no <forms> element the login page defaults to login.aspx in the application root.
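The <authentication> switch alone leaves every page reachable anonymously. As an added example (not from the original slides), this is the Web.config the demo needs for the workflow in Figure 1 to actually redirect unauthenticated visitors, with the <forms> defaults spelled out and tightened. It assumes the pages are named Login.aspx and Default.aspx and that the site is served over HTTPS (with requireSSL="true" the authentication cookie is only issued on HTTPS requests).

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Explicit settings in place of the defaults: where unauthenticated users go,
           a 30-minute ticket with no sliding renewal, encrypt+MAC the ticket
           (protection="All"), never fall back to carrying the ticket in the URL,
           and send the cookie over HTTPS only. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             cookieless="UseCookies"
             requireSSL="true" />
    </authentication>

    <!-- Authentication identifies the caller; authorization restricts access.
         "?" is the anonymous user, so this denies every page to anyone
         without a valid ticket. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Mark all ASP.NET-issued cookies HttpOnly so page script cannot read them,
         and refuse to send them over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page itself must remain reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The weak setting is the absence of the <authorization> section, not anything in <authentication>: with only `<authentication mode="Forms" />`, a visitor who never logs in can still open every page, and the redirect in Figure 1 never happens.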

Example Work cont.
Login page (Login.aspx):

    <%@ Page Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true"
        CodeFile="Login.aspx.cs" Inherits="Login" %>
    <asp:Content ID="Content1" ContentPlaceHolderID="MainContent" runat="Server">
        <h1>Login</h1>
        <p>
            Username: <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
        </p>
        <p>
            Password: <asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox>
        </p>
        <p>
            <asp:CheckBox ID="RememberMe" runat="server" Text="Remember Me" />
        </p>
        <asp:Button ID="LoginButton" runat="server" Text="Login" OnClick="LoginButton_Click" />
        <asp:Label ID="InvalidCredentialsMessage" runat="server" ForeColor="Red"
            Text="Your username or password is invalid. Please try again." Visible="False"></asp:Label>
    </asp:Content>

Example Work cont.
Event handler for the login button (in Login.aspx.cs; requires using System.Web.Security;):

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Three valid username/password pairs: Scott/password, Jisun/password, and Sam/password.
        // Hard-coded for the demo only; a real application validates against a user store.
        string[] users = { "Scott", "Jisun", "Sam" };
        string[] passwords = { "password", "password", "password" };

        for (int i = 0; i < users.Length; i++)
        {
            // Username comparison is case-insensitive, password comparison is case-sensitive.
            bool validUsername = (string.Compare(UserName.Text, users[i], true) == 0);
            bool validPassword = (string.Compare(Password.Text, passwords[i], false) == 0);

            if (validUsername && validPassword)
                FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
        }

        // If we reach here, the user's credentials were invalid
        InvalidCredentialsMessage.Visible = true;
    }

Assuming that the supplied credentials are valid, we need to create a forms authentication ticket, thereby logging the user in to the site. The FormsAuthentication class in the System.Web.Security namespace provides assorted methods for logging users in and out via the forms authentication system. While there are several methods in the FormsAuthentication class, the three we are interested in at this juncture are:
- GetAuthCookie(username, persistCookie): creates a forms authentication ticket for the supplied username, then creates and returns an HttpCookie object that holds the contents of the ticket. If persistCookie is true, a persistent cookie is created.
- SetAuthCookie(username, persistCookie): calls GetAuthCookie(username, persistCookie) to generate the forms authentication cookie, then adds the returned cookie to the Cookies collection (assuming cookie-based forms authentication is being used; otherwise, this method calls an internal class that handles the cookieless ticket logic).
- RedirectFromLoginPage(username, persistCookie): calls SetAuthCookie(username, persistCookie), then redirects the user to the page named in the ReturnUrl query-string parameter, or to the configured default page when none is present.
Note that whatever string is passed as username ends up in the ticket and becomes User.Identity.Name for every later request, so the validation that precedes the call is the only thing that makes the identity trustworthy.
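As an added example (my code, not part of the original slides or of the handler above), the same login handler written the way a production application should do it. Plaintext passwords in code are replaced by salted PBKDF2 hashes compared in constant time, the unknown-user and wrong-password cases return the same message after the same amount of work, the ticket cookie is issued by hand so it carries explicit HttpOnly and Secure flags, and the ReturnUrl is checked to be a site-local path before the redirect. Assumptions: the control IDs from the Login.aspx above, a site served over HTTPS (otherwise the browser never sends the Secure cookie back), a 30-minute ticket lifetime, and an in-memory user store constructed at startup in place of a database.

```csharp
// Added example, not from the original slides: a hardened replacement for
// LoginButton_Click. Assumes the control IDs from Login.aspx (UserName,
// Password, RememberMe, InvalidCredentialsMessage) and an HTTPS-only site.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    private const int Iterations = 10000; // PBKDF2 work factor
    private const int SaltSize = 16;
    private const int HashSize = 32;

    // Salted PBKDF2 (Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1) of a password.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    private sealed class PasswordRecord
    {
        public readonly byte[] Salt;
        public readonly byte[] Hash;

        public PasswordRecord(byte[] salt, byte[] hash) { Salt = salt; Hash = hash; }

        // What a registration routine runs once and stores in the database.
        public static PasswordRecord Create(string password)
        {
            byte[] salt = new byte[SaltSize];
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(salt);
            }
            return new PasswordRecord(salt, Derive(password, salt));
        }
    }

    // Constructed sample store standing in for a database table. Only salts and
    // hashes are kept; the plaintext literals exist solely to build the sample.
    private static readonly Dictionary<string, PasswordRecord> Users =
        new Dictionary<string, PasswordRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "Scott", PasswordRecord.Create("password") },
            { "Jisun", PasswordRecord.Create("password") },
            { "Sam",   PasswordRecord.Create("password") }
        };

    // Compare every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool ValidateCredentials(string username, string password)
    {
        PasswordRecord record = null;
        if (username == null || password == null || !Users.TryGetValue(username, out record))
        {
            // Burn the same KDF cost for unknown users so response time does not
            // reveal which usernames exist.
            Derive(password ?? string.Empty, new byte[SaltSize]);
            return false;
        }
        return FixedTimeEquals(Derive(password, record.Salt), record.Hash);
    }

    // Accept only site-relative paths as the post-login destination, so a crafted
    // login link cannot bounce the victim to an external site after login.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            // One message for both unknown user and wrong password.
            InvalidCredentialsMessage.Visible = true;
            return;
        }

        // Issue the ticket by hand instead of via RedirectFromLoginPage so the
        // cookie carries explicit HttpOnly (no script access) and Secure (HTTPS only).
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, now, now.AddMinutes(30), RememberMe.Checked,
            string.Empty, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = true;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (RememberMe.Checked) cookie.Expires = ticket.Expiration; // persistent cookie
        Response.Cookies.Add(cookie);

        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl);
    }
}
```

FormsAuthentication.Encrypt still applies the machineKey protection described under Figure 1; what changes here is only that the cookie's flags and expiry are set explicitly rather than left to SetAuthCookie's defaults, and that the destination of the redirect is checked before it is followed.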

Detecting Authenticated Visitors and Determining Their Identity

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            WelcomeBackMessage.Text = "Welcome back!";
            AuthenticatedMessagePanel.Visible = true;
            AnonymousMessagePanel.Visible = false;
        }
        else
        {
            AuthenticatedMessagePanel.Visible = false;
            AnonymousMessagePanel.Visible = true;
        }
    }

We can determine the name of the current visitor using the following code:

    string currentUsersName = User.Identity.Name;

Request.IsAuthenticated is true only when the request carried a ticket that decrypted and validated correctly; the name it exposes is the one placed in the ticket at login.

Example Work cont.
Success! Authentication ticket verified.

Future Work
- Experiment with role-based authorization.
- Create a custom interface to manage user accounts.

Want to learn more?
You can find a comprehensive tutorial on Security and ASP.NET at: http://www.asp.net/learn/security/?lang=cs
