Download presentation
Presentation is loading. Please wait.
1
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application
2
Objectives ASP.NET 2.0, Third Edition2
3
Building Information Management Security Policies Security needs to be at the forefront when designing a web application – The internet is widely accessible and there is always going to be people attempting to get secured information – Challenges to security include the constant changes in operating systems and software Privacy and security are tied together – Breaches in web security are linked to consumer distrust – It’s important to have a company-wide policy about the privacy of their customer’s information ASP.NET 2.0, Third Edition3
4
Security Policies Hackers use multiple methods to get private data, including cross- site scripting Companies should have their privacy and security policies on their web site with a third party providing security checks Consider the Windows Security Model – Web application and web server security protects access to web resources, and Windows security protects access to file system resources Web applications that integrate other applications, such as a database, will have additional layers of security ASP.NET 2.0, Third Edition4
5
Privacy Policies A privacy policy is often used to inform the user about the type of information being collected and about what is being done with that information – The privacy policy is shown on the web page or as a pop-up to the user before accessing the site Platform for Privacy Preferences (P3P) standards provide a way for browsers to obtain the privacy policy for any particular web site ASP.NET 2.0, Third Edition5
6
Passing Valid Data from a Web Form Form fields pass data that is received as a string When data is received in the intended format, it is called valid data Valid data or the lack thereof can become important because this data is often inserted into databases, used by other applications, or misused by hackers to gain access to you web server Validation controls are used to validate the format of the data Regular Expressions are used to validate custom data formats ASP.NET 2.0, Third Edition6
7
Understanding Validation Controls ASP.NET 2.0, Third Edition7
8
Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition8
9
Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition9
10
Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition10
11
Building Regular Expressions ASP.NET 2.0, Third Edition11
12
Building Regular Expressions (continued) ASP.NET 2.0, Third Edition12
13
Validating Form Data with Validation Controls ASP.NET 2.0, Third Edition13
14
5/19/08 Start ASP.NET 2.0, Third Edition14
15
Maintaining State ASP.NET 2.0, Third Edition15 Web developers need to be able to identify the user with each subsequent page visited Keeping track of information about users as they are visiting a site is called maintain state There are three methods to maintain state –Client-side cookies –HTTP cookies –Without HTTP cookies
16
Maintaining State with Client-Side Cookies ASP.NET 2.0, Third Edition16
17
Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition17
18
Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition18
19
Other Ways Hidden fields URL Encoding CBS19
20
Storing Session Data Companies use web servers networked together to create a web farm – In a web farm, load balancing servers will redistribute the clients based on the workload of the servers Some companies expand their web sites across multiple computer processing units (CPUs), within a single physical server called a web garden User information is retrieved by HTTP headers using the ServerVariables collection and some are retrieved from the properties of the Session object ASP.NET 2.0, Third Edition20
21
Storing and Retrieving Session Data ASP.NET 2.0, Third Edition21
22
Storing Session Data ASP.NET 2.0, Third Edition22
23
Storing Session Data (continued) ASP.NET 2.0, Third Edition23
24
Storing Session Data (continued) ASP.NET 2.0, Third Edition24
25
Application Configuration A web application is a group of files and folders (including virtual folders) located under the web application’s root directory You can maintain information across the entire web application with the Application object, which stores the application variables in the server’s memory The web server can be configured by using the property pages within the Microsoft Management Console (MMC) application, in the ASP.Net web configuration files, or in the Web Site Administration Tool (WSAT) ASP.NET 2.0, Third Edition25
26
Viewing and Understanding the Web Server Property Sheets ASP.NET 2.0, Third Edition26
27
Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition27
28
Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition28
29
Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition29
30
Understanding Application Configuration Files ASP.NET 2.0, Third Edition30
31
Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition31
32
Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition32
33
Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition33
34
Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition34
35
Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition35
36
Membership Services Two main principles of security are authentication and authorization – Authentication is the process of validating the identity of the request – Authorization is the process of ensuring that you can only access the resources made available to you by the system administrators The Windows NTFS file system allows you to set permissions on individual files and folders using an access control list (ACL) ASP.NET 2.0, Third Edition36
37
Implementing Authorization ASP.NET 2.0, Third Edition37
38
Authenticating Users with Forms Authentication Forms authentication is a cookie-based authentication method Every packet of information over the web is sent with a host header, which contains information about the sender and the request ASP.net determines if a FormsAuthentication cookie is present in the header packet – If the cookie is not present, the user is redirected to the login page ASP.NET 2.0, Third Edition38
39
Implementing Authentication The authentication method is configured in the authentication element in the web configuration file. The mode attribute is assigned to one of the authentication methods: – None (no authentication required) – Anonymous authentication – Basic authentication – Windows authentication ASP.NET 2.0, Third Edition39
40
Using Web Controls to Maintain Security There are several built-in Web controls that can be used to maintain security within your web application, which include: – Login Control – Password Recovery Control – Login Status Control ASP.NET 2.0, Third Edition40
41
Summary Validation controls are a form of ASP.NET controls that allow you to assign validation rules to other controls. You can build custom validation rules to validate your form fields, or use one of the standard Validation controls with a custom Regular Expression. A cookie can be used to maintain information across multiple sessions for a specific user. A cookie is a text file that is stored on the client’s computer. Your web sites should educate and inform users about the use of cookies, and about how the cookie affects their computer system. A cookie is passed in the HTTP header with the other HTTP server variables. The SessionID property is assigned by the server, and provides a way to identify the client during the user session. Sessions require the user to support HTTP cookies. ASP.NET 2.0, Third Edition41
42
Summary (continued) You can store session data within the web server process, the State Server, or a SQL Server database. State Server is a Windows service that must be turned on before session data can be stored in the State Server. If the web server crashes, any session data within the State Server or SQL Server persists. A web application is a group of files and folders. The IIS web server software configures the web application using the MMC with the WSAT, or you can configure it via the web application configuration files. The web.config file configures the web application. The machine.config file maintains information that is used across.NET applications. Authentication is the process of validating the identity of the request. Authorization is the process of validating the user access privileges to the resources. You can configure forms authentication in the web.config file. ASP.NET 2.0, Third Edition42
43
Summary (continued) Authorization within an ASP.NET application is conducted via the web.config file, WSAT, or via the Windows NTFS permissions. You can configure web applications to support various types of authentication. Anonymous authentication means that the user does not have to log in with a special account. The Internet Guest Account represents the client. Basic authentication sends the login data as clear text. Windows authentication allows the user to log in without sending his or her login over the Internet. Forms authentication is a new technique in ASP.NET to protect the web application. ASP.NET 2.0, Third Edition43
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.