ASP.NET security
ASP.NET security is easy to understand once one has completed the basics in ASP.NET. All the security features can be handled in the Web.Config file. There are three types of authentication:

1) Forms: For enabling forms-based authentication, you first need to go to the IIS virtual directory folder of your web application and check Anonymous Access. Once this is done, set the authentication mode to Forms in the following manner in the web.config: <authentication mode="Forms"> (Note: one crucial thing that needs to be mentioned here is that the web.config file data is case sensitive.) Then the child node needs to be added to this in the following manner: <forms loginUrl="" path="" timeout="" protection="">
The loginUrl tells the Web application the location to which the user needs to be redirected in case he/she is not authenticated. Let's consider an example. We have a user x trying to access a page lookup.aspx in your application; if x has not authenticated himself (i.e. entered his user credentials on the login.aspx page to prove that he is a valid user), he will be redirected to the login.aspx page. Forms authentication uses cookies to record that a user has been authenticated. The path specifies the location for which the cookie is valid. The default value is "/". The timeout attribute specifies the time, in minutes, after which the cookie expires. The protection attribute sets the method used to protect your cookie data. The following valid values can be supplied:
Value | Description
All | Both data validation and encryption are used to protect the cookie. Triple DES (encryption scheme) is used for encryption. The All value is the default (and suggested) value.
None | Used for applications that have weaker requirements for security. Both encryption and validation are disabled. This is the most efficient performance-wise, but must be used with caution.
Encryption | The cookie is encrypted using Triple DES or DES, but data validation is not done on the cookie.
Validation | The cookie is not encrypted, but a check validates that the cookie data has not been altered in transit.
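The following web.config puts the attributes above together. It is an added example, not code from the original article: the login page name login.aspx comes from the article's own scenario, while the 30-minute timeout and the requireSSL attribute (available from ASP.NET 1.1 onwards) are choices made here for illustration. The point worth noticing is the authorization element: the authentication element only tells ASP.NET how users log in; without a deny rule for anonymous users ("?"), an unauthenticated visitor still reaches lookup.aspx.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- mode values are Forms, Windows, Passport or None; attribute names are case sensitive -->
    <authentication mode="Forms">
      <!-- loginUrl: where unauthenticated users are redirected (from the article's example)
           path:     cookie path, "/" is the default
           timeout:  minutes of inactivity before the ticket expires (30 chosen for this example)
           protection: All = encrypt and validate the cookie (the default and recommended value)
           requireSSL: only send the cookie over HTTPS (ASP.NET 1.1+; an addition for this example) -->
      <forms loginUrl="login.aspx"
             path="/"
             timeout="30"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Authentication alone does not block anyone. Deny anonymous users ("?")
         so that lookup.aspx and every other page require a valid forms ticket.
         login.aspx itself is exempt, because forms authentication must be able
         to serve the login page to unauthenticated users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With this file in place, a request for lookup.aspx from a browser without a valid ticket is redirected to login.aspx?ReturnUrl=%2flookup.aspx; after a successful login the application issues the cookie and sends the user back to the requested page.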
2) Windows: In case of Windows authentication we need to specify the security as Integrated Windows Authentication in IIS. Once this is completed, the authentication mode should be set to Windows in the following manner: <authentication mode="Windows"></authentication>
Authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access. ASP.NET then checks whether impersonation is enabled. By default impersonation is not enabled in ASP.NET. Some applications require impersonation for ASP compatibility and Windows server authentication. (By default, the ASP.NET engine runs under the ASPNET user account.) Impersonation means that you can have the ASP.NET engine operate under the authenticated user's account instead.
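The web.config for the Windows case, as an added example that is not part of the original article, showing the impersonation switch the paragraph describes. The identity element is a standard ASP.NET configuration element; the authorization rules shown are choices made for this example. Because impersonation makes the worker act with the logged-on user's Windows rights, it is the setting a reviewer should look for when auditing why an application touches files or databases as end users rather than as the ASPNET account.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- IIS (basic, digest or Integrated Windows) establishes the identity;
         ASP.NET only consumes the result. Anonymous access must be unchecked in IIS. -->
    <authentication mode="Windows" />

    <!-- Off by default. When true, requests execute under the IIS-authenticated
         Windows account instead of the ASPNET account, so file and database
         access is checked against that user's own rights. -->
    <identity impersonate="true" />

    <!-- Deny anonymous users ("?") so that a Windows identity is always required;
         role names here are illustrative and must match groups on the server. -->
    <authorization>
      <allow roles="BUILTIN\Users" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Leave impersonate="false" (the default) unless the application genuinely needs the caller's rights; with it enabled, every resource permission on the server becomes part of the application's effective access control.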
3) Passport: This can be described as one of Microsoft's ploys to generate more revenue. Just as people require passports to travel in and out of different countries, we have the Microsoft Passport to travel in and out of different websites. The website must support Passport authentication. Microsoft then authenticates the user and allows the user to access the web pages in the site. Passport only provides authentication, not authorization.