Sunday, 13 May 2012

ASP.NET Security

The security in ASP.NET framework is done in two steps:
  • Authentication 
  • Authorization

So in this article we will discuss about both of the above mentioned steps.


  • The new feature  of ASP.NET form Authentication  which uses the membership feature uses the user credentials for this purpose.   
  • This feature of membership control supports :  SqlMembershipProvide and  ActiveDirectoryMembershipProvider
  • also ASP.NET also provides the built in support Login controls that enables you to create a login and user registration form without writing any code. 
  • Modes of authentication

  1. Window based
  2. Form based
  3. windows Password

  • Method of authentication : Authenticating the user is handled by the code written in the web.config file of your application.
  • Syntax :
For window based authentication:
<authentication mode="Forms">

For Form based authentication:

<authentication mode="Forms">
  • Protecting form authentication:This is done by securing the user credentials and authentication ticket. This can be done encrypting the cookies.
User credentials can be secured by using Strong passwords to protect against the brute force attack of password guessing.

And also by using hash values of the password for storage.This one basically slows down the process attacks. 

Protecting the authentication tickets provides shield against attacks such as:

  1. spoofing and impersonation, 
  2. session hijacking,
  3. elevation of privilege.
  • using strong password:  Use attributes such as
  1. Minimum length of password
  2. use alphanumeric characters                   
  • Avoid using persistent cookies on client computers.
  • SQLServer authentication:                                          Syntax:SqlConnection conn = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDBFileName=|DataDirectory|\\Database.mdf;Integrated Security=true;user instance=true;");
  • Using single user authentication across multiple applications: Generally this is need in enterprises so save the time of the employees from authenticating themselves again and again for using different applications .
This is done by means of sharing the authentication tickets across various application. Since we are sharing a single authentication key we need to the authentication ticket to be decrypt by every application sharing it to authenticate the user.So we manually provide the validationKey and decryptionKey values and these values are stored inside the <machineKey> element inside the web.config file.

To manually generate these values for the validationKey and decryptionKey we can use algorithms like RNGCryptoServiceProvider  to generate a cryptographically strong random number.

<machineKey validationKey="Hsbfb636576sahfj\mfhhshnj234235"  
           validation="SHA1" decryption="Auto" />


  • The new feature  of ASP.NET framework is user authorization which support the  Role Manager, which is used to manage the user roles in  role store database.
  • This Role manager in tur supports the following :
  •   WindowsTokenRoleProvider for Windows groups
  •   SqlRoleProvider for role stores in the SQL Server databases
  •  AuthorizationStoreRoleProvider for roles in Active Directory Application Mode (ADAM) and XML data stores.
In order to use the Role manage we have to enable. And this is done in our application's Web.config file.
  • Syntax :
 <roleManager enabled="true" />
  • Types of authorizations:
  1. URL authorization: It restricts access to specific files and folders within our application's Uniform Resource Identifier (URI) namespace.
  2. File authorization:Used with Window based form authentication .
  3. Role authorization:  can be used declaratively or programmatically.
  •  Protecting the authorization cookie while using role caching :To protect the authorization cookie you need to encrypt and integrity check it, use SSL to protect the cookie over the wire, and do not persist the cookie on the client. When using role caching securing the roles cookie is of prime importance. This is to stop users modifying the list of roles to which they belong, and to stop intruders from gaining information about the roles used by your application.
  • Role Caching : We can even cache the Roles in cookies this is done in this manner:
       <roleManager enabled="true" 
       cacheRolesInCookie="true" .../>
  • Role authorization :                                                                                                                                                                                                                                                                        <system.web><roleManager enabled="true" /></system.web>

1 comment:

  1. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer learn from Dot Net Training in Chennai. or learn thru ASP.NET Essential Training Online . Nowadays Dot Net has tons of job opportunities on various vertical industry.
    or Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry.