MEMBERSHIP AND IDENTITY: Active Server Pages (ASP.NET), Chapter 4 (slide 1)
Topics covered (slide 2)
- The concepts of identity, authentication, and authorization
- The membership server controls, including the Login control
- Storing member profiles so that they can be retrieved
- Restricting access to certain areas of a site to allow only specified members
- Personalizing a site based on the active user profile

Security Basics (slide 3)
- Identity—Who Am I? Your identity, the concept of who you are, is a collection of a wide range of facts.
- Authentication—This Is Who I Am. The process of authentication is all about proving you are who you say you are.
- Authorization—This Is What I Can Do. This is the process of retrieving more information about the type of user account you have with a site.
- Logging In to a Site. From a user's perspective, logging in to a site means entering a set of credentials and then being shown a different user interface corresponding to your profile.

ASP.NET Security (slide 4)
- ASP.NET has some great tools available to help with implementing a login-authentication-authorization framework with minimal effort.

Login Controls (slide 5)
- The Login control, which provides text boxes, buttons, and built-in validation to enable you to add login functionality to a page with a single drag-and-drop operation.
- The LoginView control, which provides a way of altering the appearance of the page depending on whether a user is logged in or not, or showing different content to different groups of users.
- The LoginStatus control, which gives a simple bit of feedback to users so that they know whether they have remembered to log in to the site.

Login Controls (slide 6)
- The LoginName control displays a user's login name if the user has logged in using ASP.NET membership. Alternatively, if your site uses integrated Windows authentication, the control displays the user's Windows account name.
- The ChangePassword control allows users to change their password. The user must first supply the original password and then create and confirm the new password. If the original password is correct, the user's password is changed to the new password. The control also includes support for sending an e-mail message about the new password.

Login Controls (slide 7)
- The CreateUserWizard control collects information from potential users. By default, the CreateUserWizard control adds the new user to the ASP.NET membership system. It gathers the following user information:
  - User name
  - Password
  - Confirmation of password
  - E-mail address
  - Security question
  - Security answer
- This information is used to authenticate users and to recover user passwords, if necessary.

Login Controls (slide 8)
- The PasswordRecovery control allows user passwords to be retrieved based on the e-mail address that was used when the account was created. The PasswordRecovery control sends an e-mail message containing a password to the user. You can also configure membership to include a security question that the user must answer to recover a password. If you do, the PasswordRecovery control asks the question and checks the answer before recovering the password.

Membership (slide 9)
- A far better solution would be to define a set of user roles and add user accounts to the appropriate roles. When users are members of a role, you can assign permissions based on the role.
- For example, consider a typical site configuration scenario: all members of an Administrators role can access the site, and can access all areas of the site. All members of a Users role can access the site, but cannot access certain restricted areas. All anonymous users will see a cut-down version of the site, without any personalization, and certainly without any permissions for visiting restricted areas of the site.

Authentication (slide 10)
- Forms authentication
- Windows authentication
- Passport authentication

Forms authentication:
- Login requests are made by filling in a form on a web page and submitting that form to the server.
- When the server receives the request, a cookie is written to the user's local machine, and this cookie is passed back to the server by the browser along with each request that is sent, so that the user remains authenticated for as long as is required.

Authentication (slide 11)

Windows authentication:
- Login pages pass user credentials to a web server (IIS only, not the web server built into VWD).
- The web server then handles the authentication using whichever method is configured on the virtual directory that the application is running within.
- IIS hooks into the Windows operating system and Active Directory domain structures, which means that it can rely on user profiles that are stored externally and use standard Windows credentials to log in to the site. Depending on the configuration of your site, and on which user account you used to log in to your machine, you may not even have to log in to the site directly, because your current Windows credentials can be passed to the web server automatically for authentication.
- This is really handy when it comes to developing intranet applications.

Authentication (slide 12)

Passport authentication:
- Login credentials are passed to a Microsoft Passport server where user profiles are stored centrally. You may be familiar with this from logging in to a Hotmail account.
- Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.
- Passport benefits users because they do not need to log on to new limited-access resources or sites. If you want your site to be compatible with Passport authentication and authorization, this is the provider you should use.

Forms Authentication Model (slide 13)
- The user—let's call him Bob—wants to view Page A, which can't be accessed by anonymous users, so when Bob tries to view Page A, the browser instead displays a login page, as shown in Figure 4-29.

Forms Authentication Model (slide 14)
- Bob is now looking at a login page. Because Bob registered with this site previously, he logs in to the site using his username and password combination. Figure 4-30 shows the interaction between Bob's browser and the server.

Forms Authentication Model (slide 15)
- Bob can now view Page A and is a happy user. Next, Bob wants to view Page B by following a link from Page A. Along with the request for the page, Bob's browser sends a copy of the cookie to the server to let the server know that it's Bob who's trying to view the page. The server knows who Bob is, and likes Bob, so it sends Bob Page B as requested, as shown in Figure 4-31.

Forms Authentication Model (slide 16)
- If Bob now requests the site's home page, the browser will tack the cookie onto the request, so even though the home page is not restricted content, the cookie is still sent to the server. Because the page isn't restricted, the server doesn't worry about the cookie, ignores it, and sends back the home page.
- Bob then heads back to Page A. Because the cookie is fresh on Bob's machine, the cookie is sent to the server. The server is still happy with Bob, so it lets Bob view the page.
- Bob goes off and makes himself a coffee. He then makes some lunch. By the time he gets back to his computer, 25 minutes have elapsed. Bob now wants to view Page B again, but the cookie on his machine has expired. The server doesn't receive a cookie along with the page request, so Bob has to log back in again.
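The role scheme from slide 9 (Administrators, Users, anonymous) and the forms-authentication cookie flow from slides 13 to 16 are both implemented declaratively in web.config. The following is an added example, not code from the slides; the folder names Members and Admin, the login page name and the 20-minute timeout are assumed.

```xml
<!-- Added example (not from the slides): a web.config implementing the
     Administrators / Users / anonymous scheme and the forms-authentication
     cookie behaviour described above. Folder and role names are assumed. -->
<configuration>
  <system.web>
    <!-- Anonymous requests for protected pages are redirected to Login.aspx.
         The ticket cookie expires after 20 idle minutes (slidingExpiration
         renews it while the user is active), is encrypted and signed
         (protection="All") and is only sent over HTTPS (requireSSL). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true"
             protection="All" requireSSL="true" />
    </authentication>
    <!-- Required for role-based rules and User.IsInRole(). -->
    <roleManager enabled="true" />
    <!-- Site-wide: public pages (including Login.aspx) are open to all. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Members area: rules are evaluated top-down and the first match wins;
       anonymous users ("?") are denied, the two member roles allowed, and
       everyone else ("*") denied. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Administrators,Users" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin area: Administrators role only. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the default hashed password storage of the SQL membership provider, the PasswordRecovery control from slide 8 cannot return the original password; it resets the password and e-mails the new one instead.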

Summary (slide 17)
- Identity: The concept of an individual as described by a set of attributes that make that individual unique.
- Authentication: The concept of identifying a user to a server by passing a set of credentials to the server. If the server can identify the user attempting to connect, he or she will be authenticated.
- Authorization: The process of taking authenticated user credentials and comparing them against a set of access control list information, providing the answer to the question "can this user access the requested resource?"
- Personalization: The capability to provide information that is specific to the currently logged-in user.
- Membership: The concept of belonging.

Q & A (slide 18)