Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Similar presentations


Presentation on theme: "ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application."— Presentation transcript:

1 ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application

2 Objectives ASP.NET 2.0, Third Edition2

3 Building Information Management Security Policies Security needs to be at the forefront when designing a web application – The internet is widely accessible and there is always going to be people attempting to get secured information – Challenges to security include the constant changes in operating systems and software Privacy and security are tied together – Breaches in web security are linked to consumer distrust – It’s important to have a company-wide policy about the privacy of their customer’s information ASP.NET 2.0, Third Edition3

4 Security Policies Hackers use multiple methods to get private data, including cross- site scripting Companies should have their privacy and security policies on their web site with a third party providing security checks Consider the Windows Security Model – Web application and web server security protects access to web resources, and Windows security protects access to file system resources Web applications that integrate other applications, such as a database, will have additional layers of security ASP.NET 2.0, Third Edition4

5 Privacy Policies A privacy policy is often used to inform the user about the type of information being collected and about what is being done with that information – The privacy policy is shown on the web page or as a pop-up to the user before accessing the site Platform for Privacy Preferences (P3P) standards provide a way for browsers to obtain the privacy policy for any particular web site ASP.NET 2.0, Third Edition5

6 Passing Valid Data from a Web Form Form fields pass data that is received as a string When data is received in the intended format, it is called valid data Valid data or the lack thereof can become important because this data is often inserted into databases, used by other applications, or misused by hackers to gain access to you web server Validation controls are used to validate the format of the data Regular Expressions are used to validate custom data formats ASP.NET 2.0, Third Edition6

7 Understanding Validation Controls ASP.NET 2.0, Third Edition7

8 Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition8

9 Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition9

10 Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition10

11 Building Regular Expressions ASP.NET 2.0, Third Edition11

12 Building Regular Expressions (continued) ASP.NET 2.0, Third Edition12

13 Validating Form Data with Validation Controls ASP.NET 2.0, Third Edition13

14 5/19/08 Start ASP.NET 2.0, Third Edition14

15 Maintaining State ASP.NET 2.0, Third Edition15 Web developers need to be able to identify the user with each subsequent page visited Keeping track of information about users as they are visiting a site is called maintain state There are three methods to maintain state –Client-side cookies –HTTP cookies –Without HTTP cookies

16 Maintaining State with Client-Side Cookies ASP.NET 2.0, Third Edition16

17 Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition17

18 Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition18

19 Other Ways Hidden fields URL Encoding CBS19

20 Storing Session Data Companies use web servers networked together to create a web farm – In a web farm, load balancing servers will redistribute the clients based on the workload of the servers Some companies expand their web sites across multiple computer processing units (CPUs), within a single physical server called a web garden User information is retrieved by HTTP headers using the ServerVariables collection and some are retrieved from the properties of the Session object ASP.NET 2.0, Third Edition20

21 Storing and Retrieving Session Data ASP.NET 2.0, Third Edition21

22 Storing Session Data ASP.NET 2.0, Third Edition22

23 Storing Session Data (continued) ASP.NET 2.0, Third Edition23

24 Storing Session Data (continued) ASP.NET 2.0, Third Edition24

25 Application Configuration A web application is a group of files and folders (including virtual folders) located under the web application’s root directory You can maintain information across the entire web application with the Application object, which stores the application variables in the server’s memory The web server can be configured by using the property pages within the Microsoft Management Console (MMC) application, in the ASP.Net web configuration files, or in the Web Site Administration Tool (WSAT) ASP.NET 2.0, Third Edition25

26 Viewing and Understanding the Web Server Property Sheets ASP.NET 2.0, Third Edition26

27 Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition27

28 Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition28

29 Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition29

30 Understanding Application Configuration Files ASP.NET 2.0, Third Edition30

31 Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition31

32 Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition32

33 Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition33

34 Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition34

35 Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition35

36 Membership Services Two main principles of security are authentication and authorization – Authentication is the process of validating the identity of the request – Authorization is the process of ensuring that you can only access the resources made available to you by the system administrators The Windows NTFS file system allows you to set permissions on individual files and folders using an access control list (ACL) ASP.NET 2.0, Third Edition36

37 Implementing Authorization ASP.NET 2.0, Third Edition37

38 Authenticating Users with Forms Authentication Forms authentication is a cookie-based authentication method Every packet of information over the web is sent with a host header, which contains information about the sender and the request ASP.net determines if a FormsAuthentication cookie is present in the header packet – If the cookie is not present, the user is redirected to the login page ASP.NET 2.0, Third Edition38

39 Implementing Authentication The authentication method is configured in the authentication element in the web configuration file. The mode attribute is assigned to one of the authentication methods: – None (no authentication required) – Anonymous authentication – Basic authentication – Windows authentication ASP.NET 2.0, Third Edition39

40 Using Web Controls to Maintain Security There are several built-in Web controls that can be used to maintain security within your web application, which include: – Login Control – Password Recovery Control – Login Status Control ASP.NET 2.0, Third Edition40

41 Summary Validation controls are a form of ASP.NET controls that allow you to assign validation rules to other controls. You can build custom validation rules to validate your form fields, or use one of the standard Validation controls with a custom Regular Expression. A cookie can be used to maintain information across multiple sessions for a specific user. A cookie is a text file that is stored on the client’s computer. Your web sites should educate and inform users about the use of cookies, and about how the cookie affects their computer system. A cookie is passed in the HTTP header with the other HTTP server variables. The SessionID property is assigned by the server, and provides a way to identify the client during the user session. Sessions require the user to support HTTP cookies. ASP.NET 2.0, Third Edition41

42 Summary (continued) You can store session data within the web server process, the State Server, or a SQL Server database. State Server is a Windows service that must be turned on before session data can be stored in the State Server. If the web server crashes, any session data within the State Server or SQL Server persists. A web application is a group of files and folders. The IIS web server software configures the web application using the MMC with the WSAT, or you can configure it via the web application configuration files. The web.config file configures the web application. The machine.config file maintains information that is used across.NET applications. Authentication is the process of validating the identity of the request. Authorization is the process of validating the user access privileges to the resources. You can configure forms authentication in the web.config file. ASP.NET 2.0, Third Edition42

43 Summary (continued) Authorization within an ASP.NET application is conducted via the web.config file, WSAT, or via the Windows NTFS permissions. You can configure web applications to support various types of authentication. Anonymous authentication means that the user does not have to log in with a special account. The Internet Guest Account represents the client. Basic authentication sends the login data as clear text. Windows authentication allows the user to log in without sending his or her login over the Internet. Forms authentication is a new technique in ASP.NET to protect the web application. ASP.NET 2.0, Third Edition43


Download ppt "ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application."

Similar presentations


Ads by Google