Security in the ASP.NET framework is handled in two steps:
- Authentication
- Authorization
In this article we will discuss both of the steps mentioned above.
AUTHENTICATION:
- ASP.NET forms authentication, used together with the membership feature, validates users against the stored user credentials.
- The membership feature ships with two providers: SqlMembershipProvider and ActiveDirectoryMembershipProvider.
- ASP.NET also provides built-in Login controls that let you create a login and user registration form without writing any code.
- Modes of authentication:
  - Windows-based
  - Forms-based
  - Windows Password
- Method of authentication: which mode authenticates the user is configured in the web.config file of your application.
- Syntax:
  For Windows-based authentication:
  <authentication mode="Windows">
  For forms-based authentication:
  <authentication mode="Forms">
- Protecting forms authentication: this is done by securing the user credentials and the authentication ticket. The ticket is protected by encrypting the cookie that carries it.
  User credentials are secured by using strong passwords, which protect against brute-force password guessing, and by storing only hash values of the passwords, which slows down attacks on a stolen credential store.
  Protecting the authentication ticket shields the application against attacks such as:
  - spoofing and impersonation,
  - session hijacking,
  - elevation of privilege.
- Using strong passwords: enforce attributes such as
  - a minimum password length
  - the use of alphanumeric characters
- Avoid using persistent cookies on client computers.
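The points above (hashed password storage, password policy, and a non-persistent authentication cookie) come together in a login page. The following code-behind is an added example written for this article, not code from the original text or from Microsoft. It assumes a SqlMembershipProvider configured with passwordFormat="Hashed", a `<forms>` element with requireSSL="true" and protection="All", and page controls named UserName, Password, Email and Message; the page and control names are assumptions.

```csharp
// Added example: Web Forms login/registration code-behind using the membership feature.
// Assumes a SqlMembershipProvider with passwordFormat="Hashed" and
// <forms requireSSL="true" protection="All" /> in web.config.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page   // hypothetical page name
{
    // Assumed control names on the page: UserName, Password, Email, Message.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Credentials and the authentication cookie must never travel over plain HTTP.
        if (!Request.IsSecureConnection)
        {
            Message.Text = "Login requires HTTPS.";
            return;
        }

        string user = UserName.Text.Trim();

        // ValidateUser hashes the submitted password with the stored salt and compares
        // it to the stored hash; the clear-text password is never stored or logged.
        if (Membership.ValidateUser(user, Password.Text))
        {
            // Second argument 'false' = non-persistent (session) cookie only,
            // as recommended above; it is not written to the client's disk.
            FormsAuthentication.RedirectFromLoginPage(user, false);
            return;
        }

        // One generic message for unknown user, wrong password and locked-out account,
        // so the response does not reveal which accounts exist. Lockout after
        // maxInvalidPasswordAttempts is handled by the provider itself.
        Message.Text = "Invalid user name or password.";
    }

    protected void RegisterButton_Click(object sender, EventArgs e)
    {
        if (!Request.IsSecureConnection)
        {
            Message.Text = "Registration requires HTTPS.";
            return;
        }

        MembershipCreateStatus status;
        // The provider enforces the password policy from web.config
        // (minRequiredPasswordLength, minRequiredNonAlphanumericCharacters,
        // passwordStrengthRegularExpression) and stores only the salted hash.
        Membership.CreateUser(UserName.Text.Trim(), Password.Text, Email.Text.Trim(),
                              null, null, true, out status);

        switch (status)
        {
            case MembershipCreateStatus.Success:
                Message.Text = "Account created. You can now log in.";
                break;
            case MembershipCreateStatus.InvalidPassword:
                // Tell the user the policy, not the stored state of other accounts.
                Message.Text = string.Format(
                    "Password must be at least {0} characters and contain at least {1} non-alphanumeric character(s).",
                    Membership.MinRequiredPasswordLength,
                    Membership.MinRequiredNonAlphanumericCharacters);
                break;
            default:
                Message.Text = "Registration failed.";
                break;
        }
    }
}
```

The HTTPS check duplicates what requireSSL="true" already enforces for the cookie; keeping it in the handler means the form refuses the credentials even if the configuration is later loosened.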
- SQL Server authentication. Syntax (this connection string uses integrated Windows security, so no SQL login or password is embedded in the application):
  SqlConnection conn = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDBFileName=|DataDirectory|\\Database.mdf;Integrated Security=true;user instance=true;");
- Using a single user authentication across multiple applications: this is generally needed in enterprises to save employees from authenticating again and again when using different applications.
  This is done by sharing the authentication ticket across the various applications. Since a single authentication ticket is shared, every application that shares it must be able to decrypt it in order to authenticate the user. So we manually provide the validationKey and decryptionKey values, and these values are stored in the <machineKey> element of each application's web.config file.
  To manually generate the validationKey and decryptionKey values we can use a cryptographically strong random number generator such as RNGCryptoServiceProvider.
  <machineKey validationKey="[40-128 hex characters, generated randomly]"
              decryptionKey="[64 hex characters for AES, generated randomly]"
              validation="SHA1" decryption="Auto" />
  Both attribute values must be hex strings; the same element must appear unchanged in every application that shares the ticket.
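The text names RNGCryptoServiceProvider as the source of the key material but does not show how the hex values are produced. The following console program is an added example (not from the article) that generates both keys at the lengths ASP.NET accepts and prints a ready-to-paste `<machineKey>` element. It assumes .NET Framework and chooses HMACSHA256 validation with AES decryption rather than the SHA1/Auto pair shown above; both pairs accept keys of these lengths.

```csharp
// Added example: generate <machineKey> values with RNGCryptoServiceProvider.
// Run once, paste the output into every web.config that shares the ticket,
// and never commit the keys to source control.
using System;
using System.Security.Cryptography;

static class MachineKeyGenerator
{
    // Returns 'byteCount' random bytes as an upper-case hex string,
    // the encoding ASP.NET expects for both key attributes.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    static void Main()
    {
        // 64 bytes = 128 hex chars, the maximum validationKey length (valid for SHA1 and HMACSHA256).
        // 32 bytes = 64 hex chars, a 256-bit AES decryptionKey.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);

        Console.WriteLine("<machineKey validationKey=\"{0}\"", validationKey);
        Console.WriteLine("            decryptionKey=\"{0}\"", decryptionKey);
        Console.WriteLine("            validation=\"HMACSHA256\" decryption=\"AES\" />");
    }
}
```

Leaving either attribute at its default of AutoGenerate would give each application (and each server in a farm) its own key, which is exactly what breaks ticket sharing; the explicit values are what make the ticket verifiable everywhere.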
AUTHORIZATION:
- The ASP.NET framework's user authorization feature supports the Role Manager, which manages user roles in a role store database.
- The Role Manager in turn supports the following providers:
  - WindowsTokenRoleProvider for Windows groups
  - SqlRoleProvider for role stores in SQL Server databases
  - AuthorizationStoreRoleProvider for roles in Active Directory Application Mode (ADAM) and XML data stores.
  To use the Role Manager we first have to enable it, which is done in our application's Web.config file.
- Syntax:
  <roleManager enabled="true" />
- Types of authorization:
  - URL authorization: restricts access to specific files and folders within our application's Uniform Resource Identifier (URI) namespace.
  - File authorization: used with Windows-based authentication.
  - Role authorization: can be used declaratively or programmatically.
- Protecting the authorization cookie while using role caching: to protect the authorization cookie you need to encrypt and integrity-check it, use SSL to protect the cookie over the wire, and not persist the cookie on the client. When using role caching, securing the roles cookie is of prime importance. This stops users from modifying the list of roles to which they belong, and stops intruders from gaining information about the roles used by your application.
- Role caching: roles can also be cached in a cookie, configured like this:
  <roleManager enabled="true"
               cacheRolesInCookie="true" .../>
- Role authorization:
  <system.web><roleManager enabled="true" /></system.web>
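Role authorization was described above as usable declaratively or programmatically, and the roles cookie was described as something to protect. The following page code-behind is an added example for this article (not the article's own code) showing both forms of the check and the sign-out step that removes the cached roles cookie. It assumes `<roleManager enabled="true" cacheRolesInCookie="true" />` in web.config; the role name "Administrators", the page name and the login path are constructed for the example.

```csharp
// Added example: programmatic and declarative role checks with the Role Manager,
// and removal of the roles cookie at sign-out.
// Assumes <roleManager enabled="true" cacheRolesInCookie="true" /> and a role
// named "Administrators" (constructed name).
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Admin : Page   // hypothetical page name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Programmatic check: User.IsInRole reads the role list from the roles cookie
        // if it is present and valid, otherwise from the configured RoleProvider.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Administrators"))
        {
            // Answer 403 instead of rendering partial content; the role check
            // is done server-side, so a tampered cookie fails signature validation.
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Declarative check: the runtime demands the role before the method body runs
    // and throws SecurityException if the current principal is not a member.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    protected void DeleteUser(string userName)
    {
        Membership.DeleteUser(userName, true);
    }

    protected void SignOut_Click(object sender, EventArgs e)
    {
        // Remove the authentication ticket and the cached roles cookie together,
        // otherwise a stale roles cookie survives on the client after logout.
        FormsAuthentication.SignOut();
        Roles.DeleteCookie();
        Response.Redirect("~/Login.aspx"); // hypothetical login page path
    }
}
```

The declarative attribute is convenient for individual methods, while the programmatic check in Page_Load is what most pages need, because it can decide the response rather than letting an exception propagate.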