Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Web Site Administration Tool
From VS 2008, click Website / ASP.Net Configuration to open the Web Site Administration Tool.
–Select authentication type: Windows authentication or Forms authentication
–Manage users
–Manage roles
–Manage access rules

Authentication via Windows Authentication
Select this option if users will access your web site only from a private local network. The site will use built-in Microsoft Windows authentication to identify users. Users with a valid Windows user name and password will be able to access your site.
–Intranet scenario

Forms Authentication
Select this option if users will access your web site from the public internet. Forms authentication identifies the user by prompting them to enter their credentials through a web form. When a user attempts to access a resource they are not authorized for, they are automatically redirected to the login page, where they can enter their credentials. The submitted credentials are then validated against a custom user store, usually a database.

Access Rules
Allow or deny access to a particular directory by user name or role. Use the Web Site Administration Tool to create and manage access rules; it writes an authorization section with Allow or Deny elements into the web.config file for that directory. The permissions established for a directory also apply to its subdirectories, unless configuration files in a subdirectory override them.
Users:
–ALL: includes authenticated and anonymous users.
–Anonymous: unauthenticated users.

User Accounts and Roles
By managing user accounts and roles, we can define authorization rules that grant or deny a particular user or role access to a particular ASP.NET page or directory.

How to Create Users and Roles
The SQLExpress service must be running.
–By default, ASP.Net saves user and role data in a SQL Server Express database file stored in the App_Data folder: App_Data\ASPNETDB.MDF
From VS 2008, click Website / ASP.Net Configuration to open the Web Site Administration Tool.
–Click Security, then: Create User, Create Role, Create Access Rules

Forms Authentication Ticket
After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is (typically) stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, which enables the web application to identify the user once they have logged in.

FormsAuthentication Class
System.Web.Security.FormsAuthentication
–Manages forms-authentication services for Web applications.
Methods:
–RedirectFromLoginPage(string userName, bool createPersistentCookie): redirects an authenticated user back to the originally requested URL or the default URL, and writes a cookie named .ASPXAUTH containing the authentication ticket.
–RedirectToLoginPage(): redirects the browser to the login URL.

Membership Class
System.Web.Security.Membership
The ASP.NET Membership class gives you a built-in way to validate and store user credentials.
–Including users created by the Web Site Administration Tool and the CreateUserWizard control.
Method:
–ValidateUser(string username, string password)

Example
A website with a public area, such as the home page, a restricted area for members only, and an area for the website's administrator only.
–The restricted area will be a subfolder of the website's root directory.
Users:
–Administrator
–Members: member data are stored in a regular database. Example: the Sales database's Users table with UserID, Password and other fields.
–Anonymous users

Step 1: Create user and role
Step 2: Create access rules:
–Public area (root directory): Allow All
–Membership-only area: Rule 1: Allow All; Rule 2: Deny Anonymous
–Administrator-only area: Rule 1: Deny All; Rule 2: Allow administrator
Step 3: Create the Login.Aspx page
–Password textbox: TextMode property: Password

Code Example: One Login Page to Handle Two Types of Authentication
The login button's Click handler (the code-behind file needs Imports System.Data.OleDb and Imports System.Web.Security):

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb"
        Dim objConn As New OleDbConnection(strConn)
        ' The user ID is concatenated into the SQL text: the same pattern the SQL Injection slides exploit.
        Dim strSQL As String = "select * from users where UserID= '" & TextBox1.Text & "'"
        Dim objComm As New OleDbCommand(strSQL, objConn)
        objConn.Open()
        Dim objDataReader As OleDbDataReader = objComm.ExecuteReader()
        ' First check: a row in the Sales database's Users table with a matching (clear-text) password.
        If objDataReader.Read() Then
            If TextBox2.Text = objDataReader("password").ToString() Then
                Dim userID As String = objDataReader("UserID").ToString()
                objConn.Close()   ' RedirectFromLoginPage ends the response, so release the connection first
                FormsAuthentication.RedirectFromLoginPage(userID, createPersistentCookie:=False)
            End If
        End If
        objConn.Close()
        ' Second check: an ASP.NET Membership user (ASPNETDB.MDF), e.g. one created in the Web Site Administration Tool.
        If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
            FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, createPersistentCookie:=False)
        End If
    End Sub

ASP.NET Login Controls
The ASP.NET login controls provide a login solution for ASP.NET Web applications without requiring programming.
–By default, these controls use the SQLExpress database to manage users.
Login control
LoginView control:
–displays different content to anonymous and logged-in users.
PasswordRecovery control
CreateUserWizard control
ChangePassword control

SQL Injection
"SQL Injection" is an unverified/unsanitized user input vulnerability; the idea is to convince the application to run SQL code that was not intended. It exploits applications that use external input to build database commands.

SQL Injection Demo
On a web page that takes a customer ID entered in a textbox as input, then displays the customer's data.
1. Retrieve all records: in the textbox, enter: ' OR 1=1 OR CID = '
2. Guess a table name or field name: ' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
3. Find some users: ' or cname like 'S%' or cid='
SQLInjectionDemo

Demo
The customer lookup page's button handler (requires Imports System.Data.OleDb):

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb"
        Dim objConn As New OleDbConnection(strConn)
        ' Untrusted input becomes part of the SQL statement; the inputs on the previous slide rewrite the WHERE clause.
        Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
        Dim objComm As New OleDbCommand(strSQL, objConn)
        Try
            objConn.Open()
            Dim objDataReader As OleDbDataReader = objComm.ExecuteReader()
            GridView1.DataSource = objDataReader
            GridView1.DataBind()
        Catch except As SystemException
            ' Echoing the raw exception message reveals query and schema details to the user.
            Response.Write(except.Message)
        Finally
            objConn.Close()
        End Try
    End Sub
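The hardened counterpart of the login handler from the "One Login Page" slide and of the customer lookup in the SQL injection demo, as an added example that is not from the original slides: both queries pass the user's input through OleDbParameter placeholders instead of string concatenation, so the demo inputs are compared as literal values and cannot alter the WHERE clause. The table and column names (users.UserID, users.Password, customer.cid) and the connection string come from the slides; the control names LoginButton, ErrorLabel and CustomerIdTextBox are assumed.

```vb
Imports System.Data.OleDb
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page
    ' Connection string as used on the slides (c:\salesDB.mdb).
    Private Const ConnString As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"

    ' True when a users row with this UserID exists and its stored password matches.
    ' UserID travels as a parameter, so input such as  ' OR 1=1 OR UserID='  is
    ' compared as a literal value and is never parsed as SQL.
    Private Function DatabaseUserIsValid(userId As String, password As String) As Boolean
        Using conn As New OleDbConnection(ConnString)
            ' OLE DB uses positional "?" placeholders, added in query order.
            Using cmd As New OleDbCommand("SELECT Password FROM users WHERE UserID = ?", conn)
                cmd.Parameters.AddWithValue("?", userId)
                conn.Open()
                Dim stored = TryCast(cmd.ExecuteScalar(), String)
                ' The slides store passwords in clear text; hashing them is the next hardening step.
                Return stored IsNot Nothing AndAlso stored = password
            End Using
        End Using
    End Function

    Protected Sub LoginButton_Click(sender As Object, e As EventArgs) Handles LoginButton.Click
        Dim userId = TextBox1.Text
        Dim pwd = TextBox2.Text
        ' Accept a Sales-database user or an ASP.NET Membership user (ASPNETDB.MDF);
        ' one generic message avoids telling the caller which of the two checks failed.
        If DatabaseUserIsValid(userId, pwd) OrElse Membership.ValidateUser(userId, pwd) Then
            FormsAuthentication.RedirectFromLoginPage(userId, createPersistentCookie:=False)
        Else
            ErrorLabel.Text = "Invalid user name or password."
        End If
    End Sub

    ' Parameterized form of the customer lookup from the SQL injection demo page.
    Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Using conn As New OleDbConnection(ConnString)
            Using cmd As New OleDbCommand("SELECT * FROM customer WHERE cid = ?", conn)
                cmd.Parameters.AddWithValue("?", CustomerIdTextBox.Text)
                conn.Open()
                Using reader = cmd.ExecuteReader()
                    GridView1.DataSource = reader
                    GridView1.DataBind()
                End Using
            End Using
        End Using
    End Sub
End Class
```

With the parameterized lookup, entering ' OR 1=1 OR CID = ' in the textbox simply returns no rows, and a failed query no longer echoes the provider's error text to the browser.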