Web Site Security ISYS 512/812
Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows: Authentication is handled between the Windows server and IIS. –Forms: –Passport
Forms Authentication Use username and password to authenticate user. –Usernames and passwords can be stored in an XML file, database table, or Web.Config file. Once the Forms authentication is enabled, pages in the directory cannot be accessed unless the user has the proper authentication. Without authentication, user is redirected to a login page.
Enabling Forms Authentication Set the authentication mode for the application by modifying the authentication section in the application root web.config file. Deny access to anonymous users by modifying the authentication section in the web.config file. –Note: Every directory can use a web.config file to control “deny” or “allow” access. Create a login page that enables users to enter their usernames and passwords.
Web.Config File Example
FormsAuthentication Class Must import system.web.security namespace. Method: –RedirectFromLoginPage(String, boolean) Redirect user back to the page that sent the user to the login page, and write a cookie named ASPAUTH containing an Authentication Ticket.
LogIn Example Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select password from users where userID='" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) objConn.Open() If TextBox2.Text = objComm.ExecuteScalar Then FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True) Else Response.Write("Access denied") End If End Sub
Database Security Database Security: Protection of the data against accidental or intentional loss, destruction, or misuse Increased difficulty due to Internet access and client/server technologies
Threats to Data Security Accidental losses attributable to: –People Users: using another person’s means of access, viewing unauthorized data, introduction of viruses Programmers/Operators Database administrator: Inadequate security policy –Software failure DBMS: security mechanism, privilege Application software: program alteration –Hardware failure Theft and fraud Improper data access: –Loss of privacy (personal data) –Loss of confidentiality (corporate data) Loss of data integrity Loss of availability (through, e.g. sabotage)
Figure 12-3 Possible locations of data security threats
Countermeasures to Threats Authorization –Authentication Access controls: privileges Database views BackUp and Recovery Enforcing integrity rules Encryption –Symmetric encryption:use same key for encryption and decryption –Asymmetric encryption: Public key: for encryption Private key: decryption RAID
Authorization Rules Controls incorporated in the data management system Restrict: –access to data –actions that people can take on data Authorization matrix for: –Subjects –Objects –Actions –Constraints
Figure 12-5 Authorization matrix
SQL Injection Exploits applications that use external input for database commands. In the textbox, enter: ‘ OR 1=1 OR CID = ‘
Demo Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) Try objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() GridView1.DataSource = objDataReader GridView1.DataBind() Catch except As SystemException Response.Write(except.Message) End Try End Sub