Security Basics and ASP.NET Support


1 Security Basics and ASP.NET Support
Shane Johnson CS526 – S2008 University of Colorado at Colorado Springs Dr. Edward Chow

2 Overview
ASP.NET is a web application framework developed by Microsoft
One of the centerpieces of the Microsoft .NET Framework
The successor to Microsoft Active Server Pages (ASP)
Can author applications in any .NET compatible language, including Visual Basic .NET, C#, and JScript .NET.
Used by sites like:
Motivation: Explore my interests in dynamic web-based content, and get familiar with ASP.NET as a potential server-side solution

3 Security Operations in ASP.NET
Authentication, Authorization, User Accounts, Roles
Authentication: the process of ascertaining the client's identity. A client who has been successfully identified is said to be authenticated. An unidentified client is said to be unauthenticated or anonymous.
Authorization: the process of determining whether a particular user has the authority to access a specific resource or functionality.
User Account: a store for persisting information about a particular user.
Role: simply a label that is applied to a user and provides an abstraction for defining authorization rules and page-level functionality.

4 Forms-Based Authentication
A common method of verifying the user's identity is to prompt them to enter their credentials through a web form.
When a user attempts to access a protected resource without having been authenticated, they are automatically redirected to the login page, where they can enter their credentials.
The submitted credentials are then validated against a custom user store (usually a database).

5 Figure 1: The Forms Authentication Workflow
1. Unidentified user requests a protected page from the server
2. Server redirects the unidentified user to the login page
3. The submitted credentials are validated against a custom user store (usually a database)
4. A forms authentication ticket is created for the user (stored in a cookie)
5. User is granted access to the protected page
6. Subsequent visits to the website include the forms authentication ticket in the HTTP request

6 Example Work
First I created a sample web site.
Web.config file: after creating a sample site, I added a Web.config file and changed the authentication configuration from the default "Windows" to "Forms".

<configuration>
  <system.web>
    <!-- The <authentication> section enables configuration of the security authentication mode used by ASP.NET to identify an incoming user. -->
    <authentication mode="Forms" />
  </system.web>
</configuration>
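The Web.config on this slide only selects the mode: ASP.NET still allows anonymous access to every page until an authorization rule denies it, so no redirect to the login page happens yet. The following is an added example, not from the slides, that denies anonymous users, names the login page and hardens the ticket cookie; the file names Login.aspx and Public.aspx and the 30-minute timeout are assumptions.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: where unauthenticated requests are redirected.
           timeout: ticket lifetime in minutes (slidingExpiration renews it on use).
           requireSSL marks the cookie Secure so it is only sent over HTTPS;
           protection="All" both encrypts and signs the ticket. -->
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>
    <!-- "?" is the anonymous user. Without this rule every page stays public. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Pages that must stay reachable before login get an explicit allow rule. -->
  <location path="Public.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The page named in loginUrl is always reachable without a ticket, so it needs no location rule of its own.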

7 Example Work cont.
Login Page

<%@ Page Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true" CodeFile="Login.aspx.cs" Inherits="Login" %>
<asp:Content ID="Content1" ContentPlaceHolderID="MainContent" runat="Server">
    <h1>Login</h1>
    <p>Username: <asp:TextBox ID="UserName" runat="server"></asp:TextBox></p>
    <p>Password: <asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox></p>
    <p><asp:CheckBox ID="RememberMe" runat="server" Text="Remember Me" /></p>
    <asp:Button ID="LoginButton" runat="server" Text="Login" OnClick="LoginButton_Click" />
    <asp:Label ID="InvalidCredentialsMessage" runat="server" ForeColor="Red" Text="Your username or password is invalid. Please try again." Visible="False"></asp:Label>
</asp:Content>

8 Example Work cont.
Event Handler for the login button

using System.Web.Security; // FormsAuthentication lives in this namespace

protected void LoginButton_Click(object sender, EventArgs e)
{
    // Three valid username/password pairs: Scott/password, Jisun/password, and Sam/password.
    string[] users = { "Scott", "Jisun", "Sam" };
    string[] passwords = { "password", "password", "password" };

    for (int i = 0; i < users.Length; i++)
    {
        // Usernames are compared case-insensitively, passwords case-sensitively.
        bool validUsername = (string.Compare(UserName.Text, users[i], true) == 0);
        bool validPassword = (string.Compare(Password.Text, passwords[i], false) == 0);
        if (validUsername && validPassword)
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
    }

    // If we reach here, the user's credentials were invalid
    InvalidCredentialsMessage.Visible = true;
}

Assuming that the supplied credentials are valid, we need to create a forms authentication ticket, thereby logging in the user to the site. The FormsAuthentication class in the System.Web.Security namespace provides assorted methods for logging in and logging out users via the forms authentication system. While there are several methods in the FormsAuthentication class, the three we are interested in at this juncture are:
GetAuthCookie(username, persistCookie) – creates a forms authentication ticket for the supplied username. Next, this method creates and returns an HttpCookie object that holds the contents of the authentication ticket. If persistCookie is true, a persistent cookie is created.
SetAuthCookie(username, persistCookie) – calls the GetAuthCookie(username, persistCookie) method to generate the forms authentication cookie. This method then adds the cookie returned by GetAuthCookie to the Cookies collection (assuming cookie-based forms authentication is being used; otherwise, this method calls an internal class that handles the cookieless ticket logic).
RedirectFromLoginPage(username, persistCookie) – this method calls SetAuthCookie(username, persistCookie), and then redirects the user to the appropriate page.
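The handler above compares plaintext passwords kept in source. The following is an added example, not code from the slides, of the same LoginButton_Click backed by a hypothetical salted-hash user store; the Users dictionary, the Register, Hash, FixedTimeEquals and ValidateUser helpers and the single sample account are all constructed for the example, while the ticket is still issued with FormsAuthentication.RedirectFromLoginPage exactly as on the slide.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Hypothetical in-memory user store: username -> (salt, PBKDF2 hash). A real site
    // would load these rows from a database; the single account below is constructed.
    static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users =
        new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);
    const int Iterations = 10000, HashBytes = 32;
    static Login() { Register("Scott", "correct horse battery staple"); }
    // Keep a random per-user salt and the PBKDF2 (RFC 2898) hash, never the password itself.
    static void Register(string username, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Users[username] = new KeyValuePair<byte[], byte[]>(salt, Hash(password, salt));
    }
    static byte[] Hash(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }
    // Constant-time comparison: the time taken does not depend on where the bytes differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Usernames are matched case-insensitively (as on the slide); passwords are not.
    static bool ValidateUser(string username, string password)
    {
        KeyValuePair<byte[], byte[]> rec;
        if (!Users.TryGetValue(username, out rec)) return false;
        return FixedTimeEquals(Hash(password, rec.Key), rec.Value);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (ValidateUser(UserName.Text, Password.Text))
        {   // Issue the forms authentication ticket and return to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
            return;
        }
        InvalidCredentialsMessage.Visible = true; // one generic message for every failure
    }
}
```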

9 Detecting Authenticated Visitors and Determining Their Identity

protected void Page_Load(object sender, EventArgs e)
{
    // Request.IsAuthenticated is true once a valid forms authentication ticket accompanies the request.
    if (Request.IsAuthenticated)
    {
        WelcomeBackMessage.Text = "Welcome back!";
        AuthenticatedMessagePanel.Visible = true;
        AnonymousMessagePanel.Visible = false;
    }
    else
    {
        AuthenticatedMessagePanel.Visible = false;
        AnonymousMessagePanel.Visible = true;
    }
}

We can determine the name of the current visitor using the following code:

string currentUsersName = User.Identity.Name;

10 Success! Authentication Ticket Verified

11 Future Work
Experiment with Role-Based Authorization
Create a custom interface to manage user accounts.

12 Want to learn more?
You can find a comprehensive tutorial on Security and ASP.NET at:


