Presentation is loading. Please wait.

Presentation is loading. Please wait.

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user.

Published byTania Culmer Modified over 10 years ago

Similar presentations

Presentation on theme: "Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user."— Presentation transcript:

1 Website Security ISYS 512

2 Authentication Authentication is the process that determines the identity of a user.

3 Forms Authentication Use username and password to authenticate user. Once the Forms authentication is enabled, pages cannot be accessed unless the user has the proper authentication. Without authentication, user is redirected to a login page. If authenticated, an Authentication Ticket is issued in the form of a cookie and user is redirected back to the requested page.

4 Forms Authentication Ticket After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.

5 Forms Authentication Flow User Authenti cated? Login Page No, redirect to Website Yes Authenti cated? No, redirect to Yes, write Authentication Ticket as cookie Yes

6 Enabling Forms Authentication Set the authentication mode for the application by modifying the authentication section in the application root web.config file: Deny access to anonymous users by modifying the authentication section in the web.config file: Create a login page that enables users to enter their usernames and passwords. If authenticated, an authorization ticket is issued in the form of a cookie.

7 Example of Web.configure File

8 FormsAuthentication Class Import system.web.security namespace. Methods: –RedirectFromLoginPage(String, boolean) Redirect user back to the page that sent the user to the login page, and write a cookie named.ASPXAUTH containing an Authentication Ticket. –SignOut Removes the forms-authentication ticket from the browser. –RedirectToLoginPage() Redirects the browser to the login URL.

9 Login Control Login/Login Properties: –UserName –Password Event: –Login1_Authenticate

10 Must Turn Off UnobtrusiveValidationMode: Not Using jQuery protected void Page_Load(object sender, EventArgs e) { Page.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None; }

11 Code Example: User name and password are stored in a database table protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { string strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\CSharpexamples\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); String strSQL = "select * from users where userID='" + Login1.UserName + "'"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.Read()) { if (Login1.Password == myReader["Password"].ToString()) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true); else Response.Write("Invalid password, Access denied"); } else Response.Write("User not exist"); objConn.Close(); }

12 SignOut Demo using System.Web.Security; A signOut page with a button to SignOut; Then redirect to the home page and trigger the authentication again. protected void Button1_Click(object sender, EventArgs e) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); }

13 SQL Injection Demo On a web page that takes customer ID entered in a textbox as input, then displays the customers data. 1. Retrieve all records:In the textbox, enter: OR 1=1 OR CID = 2. Guess table name or field name: AND 1=(SELECT COUNT(*) FROM Orders) AND CID= 3. Finding some users: ' or cname like 'S%' or cid=

14 Demo protected void Button1_Click(object sender, EventArgs e) { string strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\CSharpexamples\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); String strSQL = "select * from customer where cid='" + TextBox1.Text + "'"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.HasRows) { GridView1.DataSource = myReader; GridView1.DataBind(); } else Response.Write("User not exist"); objConn.Close(); }

15 Validation Controls: May need to turn off JQuery RequiredFieldValidator: –Control to Validate RangeValidator: –MaximumValue, MinimumValue CompareValidator: –Control to Validate, Control to compare –Operator such as equal, less than, etc. RegularExpressionValidator: –ValidationExpression CustomValidator: –ClientValidationFunction;

16 What is Regular Expression? Regular expression is a language designed to manipulate text. Users use its extensive pattern- matching notations to write regular expressions to: –Search text; –Extract, edit, replace, or delete text substrings; –Validate input data: values, formats Examples: –*.doc –Select * From Student Where Sname = C%;

17 Examples of Regular Expressions Allowable values: –San Francisco|Los Angeles|Taipei –A|B|C AlphaNumeric –[a-zA-Z0-9]+ EmpID begins with E followed by 3 digits: –E\d{3} String length: –Exactly 3 characters: ^.{3}$

18 FileUpload Control Properties: –PostedFile: This is a System.Web.HttpPostedFile class FileName: This name contains the path of the posted file. –Contentlength –ContentType Method: –SaveAs – this method save the posted file on server.

19 Save Uploaded File protected void Button1_Click(object sender, EventArgs e) { string FileName; string strFilePath= "C:\\CSharpExamples\\testASP\\testASP\\Images\\"; FileName = FileUpload1.PostedFile.FileName.Substring(FileUpload1.PostedFile.FileName.LastIndexOf ("\\") + 1); strFilePath = strFilePath + FileName; FileUpload1.SaveAs(strFilePath); Response.Write("File: " + FileName + " is saved on server"); }

20 Example of Processing Pictures SalesDB database PictureTale: –Picture file name: Relative reference Absolute reference Creating links to picture files Insert pictures in web page –IMG tag example:

21 This example assumes photos are stored in Images folder protected void Page_Load(object sender, EventArgs e) { Response.Write(" Available Pictures "); string strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\CSharpexamples\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); string strSQL = "select PicID, PicDescription, PicPath from PictureTable;"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader objDataReader; objDataReader = objComm.ExecuteReader(); while (objDataReader.Read()) { Response.Write(" "); } objConn.Close(); }

22 Insurance Claim Example Uploading claim pictures for insurance cases. Each case may have many pictures. Database: –CaseTable: CaseID, CaseDate, Agent –CasePics: CaseID, PicPathName Each picture is named: CaseID + PictureName and saved in folder: Images Create a web page with a dropdown list of CaseID, a File Field control to choose file, and a upload button. The uploaded picture will be saved in the Images folder and a record will be entered in CasePics file.

Download ppt "Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user."

Similar presentations

PHP File Upload ISYS 475.

PHP File Upload ISYS 475.
Coding ADO.Net DataSet Objects ISYS 512. DataSet Object A DataSet object can hold several tables and relationships between tables. A DataSet is a set.

Coding ADO.Net DataSet Objects ISYS 512. DataSet Object A DataSet object can hold several tables and relationships between tables. A DataSet is a set.
Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.

Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.
Presenter: James Huang Date: Sept. 29, 2014 1.  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.

Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.

Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
ASP.NET and ADO.NET. ASP.NET Server Controls Intrinsic Controls: These controls correspond to their HTML counterparts. –Ex. Textbox, listbox, button,

ASP.NET and ADO.NET. ASP.NET Server Controls Intrinsic Controls: These controls correspond to their HTML counterparts. –Ex. Textbox, listbox, button,
Coding ADO.NET Objects: Connection, Command, DataReader.

Coding ADO.NET Objects: Connection, Command, DataReader.
Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.
Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:

Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:
Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.

Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.
VB.NET Database Tools ISYS 573. Microsoft Universal Data Access ODBC: Open Database Connectivity –A driver manager –Used for relational databases OLE.

VB.NET Database Tools ISYS 573. Microsoft Universal Data Access ODBC: Open Database Connectivity –A driver manager –Used for relational databases OLE.
Coding ADO.NET Objects: Connection, Command, DataReader.

Coding ADO.NET Objects: Connection, Command, DataReader.
Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys: A collection.

Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys: A collection.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
ASP.NET Validating user input Validating user input on the client and/or server side 1ASP.NET Validating User Input.

ASP.NET Validating user input Validating user input on the client and/or server side 1ASP.NET Validating User Input.
Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.

Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.
ASP and HTML. Anchor Tag testAnchorTag Demo: ASPNet/ASPNETProdListSelf.ASPX.

ASP and HTML. Anchor Tag testAnchorTag Demo: ASPNet/ASPNETProdListSelf.ASPX.

Similar presentations

Ads by Google