Presentation transcript:

1 Web Site Security ISYS 512/812

2 Authentication
Authentication is the process that determines the identity of a user.
Web.config file – node
Options:
–Windows: authentication is handled between the Windows server and IIS.
–Forms:
–Passport

3 Forms Authentication
Use a username and password to authenticate the user.
–Usernames and passwords can be stored in an XML file, a database table, or the Web.Config file.
Once Forms authentication is enabled, pages in the directory cannot be accessed unless the user has been authenticated.
Without authentication, the user is redirected to a login page.

4 Enabling Forms Authentication
Set the authentication mode for the application by modifying the authentication section in the application root web.config file.
Deny access to anonymous users by modifying the authentication section in the web.config file.
–Note: every directory can use a web.config file to control “deny” or “allow” access.
Create a login page that enables users to enter their usernames and passwords.

5 Web.Config File Example

6 FormsAuthentication Class
Must import the System.Web.Security namespace.
Method:
–RedirectFromLoginPage(String, Boolean): redirects the user back to the page that sent the user to the login page, and writes a cookie named ASPAUTH containing an authentication ticket.

7 LogIn Example

' Requires: Imports System.Data.OleDb and Imports System.Web.Security
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
    ' Look up the stored password for the typed user ID (note: the ID is concatenated into the SQL text)
    Dim strSQL As String = "select password from users where userID='" & TextBox1.Text & "'"
    Using objConn As New OleDbConnection(strConn)
        Dim objComm As New OleDbCommand(strSQL, objConn)
        objConn.Open()
        ' ExecuteScalar returns Nothing when the user does not exist; treat that as a failed login
        Dim storedPassword As Object = objComm.ExecuteScalar()
        If storedPassword IsNot Nothing AndAlso TextBox2.Text = CStr(storedPassword) Then
            ' Issue the forms authentication ticket (persistent cookie) and return to the requested page
            FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True)
        Else
            Response.Write("Access denied")
        End If
    End Using
End Sub

8 Database Security
Database Security: protection of the data against accidental or intentional loss, destruction, or misuse.
Increased difficulty due to Internet access and client/server technologies.

9 Threats to Data Security
Accidental losses attributable to:
–People
  Users: using another person’s means of access, viewing unauthorized data, introduction of viruses
  Programmers/Operators
  Database administrator: inadequate security policy
–Software failure
  DBMS: security mechanism, privilege
  Application software: program alteration
–Hardware failure
Theft and fraud
Improper data access:
–Loss of privacy (personal data)
–Loss of confidentiality (corporate data)
Loss of data integrity
Loss of availability (through, e.g., sabotage)

10 Figure 12-3 Possible locations of data security threats

11 Countermeasures to Threats
Authorization
–Authentication
Access controls: privileges
Database views
Backup and Recovery
Enforcing integrity rules
Encryption
–Symmetric encryption: use the same key for encryption and decryption
–Asymmetric encryption: public key for encryption, private key for decryption
RAID

12 Authorization Rules
Controls incorporated in the data management system
Restrict:
–access to data
–actions that people can take on data
Authorization matrix for:
–Subjects
–Objects
–Actions
–Constraints

13 Figure 12-5 Authorization matrix

14 SQL Injection
Exploits applications that use external input to build database commands.
In the textbox, enter: ' OR 1=1 OR CID = '

15 Demo

' Requires: Imports System.Data.OleDb
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
    Dim objConn As New OleDbConnection(strConn)
    ' Deliberately vulnerable: TextBox1.Text is concatenated straight into the SQL text,
    ' so the input from the previous slide becomes part of the WHERE clause
    Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader
        objDataReader = objComm.ExecuteReader()
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        Response.Write(except.Message)
    Finally
        objConn.Close()
    End Try
End Sub
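To show what the textbox input from the SQL Injection slide does to the Demo's query, here is an added example that is not part of the lecture's code: it models the concatenated OleDb query in Python against a constructed in-memory SQLite customer table, and puts the parameterized form beside it (the VB.NET counterpart would be an OleDbParameter on the OleDbCommand).

```python
import sqlite3

# Constructed sample rows standing in for the lecture's customer table
SAMPLE_CUSTOMERS = [("C001", "Alice"), ("C002", "Bob"), ("C003", "Carol")]

# The exact string the SQL Injection slide says to type into the textbox
INJECTION = "' OR 1=1 OR CID = '"


def open_demo_db():
    """Create an in-memory SQLite database with the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (cid TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def build_concatenated_sql(cid):
    """Same construction as the Demo slide: the textbox value is glued into the SQL text."""
    return "select * from customer where cid = '" + cid + "'"


def lookup_concatenated(conn, cid):
    """Vulnerable lookup: whatever the user typed is executed as part of the statement."""
    return conn.execute(build_concatenated_sql(cid)).fetchall()


def lookup_parameterized(conn, cid):
    """Hardened lookup: the value is bound as a parameter (OleDbParameter in the VB code),
    so quotes and OR clauses in the input are compared as data, never parsed as SQL."""
    return conn.execute("select * from customer where cid = ?", (cid,)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print(build_concatenated_sql(INJECTION))
    print("concatenated:", lookup_concatenated(db, INJECTION))   # every row comes back
    print("parameterized:", lookup_parameterized(db, INJECTION))  # no row matches
```

With the slide's input the concatenated statement becomes `select * from customer where cid = '' OR 1=1 OR CID = ''`, which is true for every row; the bound version looks for a customer whose ID is literally that string and finds nothing.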