ASP.NET Security Best Practices

  • Forms authentication
  • Windows authentication
  • Passport authentication
Forms Authentication

This is based on cookies: the user name and the password are stored either in a text file or in a database, and both session and persistent cookies are supported. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When a user who has not logged in requests a secured page, he or she is redirected to the application’s login page. The following code snippet illustrates how this can be implemented in ASP.NET.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="LoginForm" loginUrl="LoginForm.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Note that the “?” wildcard denotes all non-authenticated (anonymous) users. Typically, the user enters the user name and the password and clicks the login button; the form then validates the values against those stored in a persistent store, usually a database. The following code snippet illustrates how this can be validated.

```csharp
using System.Web.Security;

string username = txtUserName.Text;
string password = txtPassword.Text;
bool isUserValid = false;
// Code to validate the user name and password goes here
if (isUserValid)
{
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
}
else
{
    // User is not valid
    lblMessage.Text = "Invalid login...";
}
```

The RedirectFromLoginPage method creates an authentication ticket and redirects the authenticated user back to the originally requested URL or to the default URL. The following code snippet illustrates how we can specify the user’s credentials in the application’s web.config file.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="LoginForm.aspx">
        <credentials passwordFormat="Clear">
          <user name="JoydipK" password="JudeK" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

If you choose this technique of authentication, you should also provide a means of encrypting the configuration file, since the credentials are stored in it. I will discuss these and other issues in the forthcoming articles in this series on ASP.NET Security.

You can also use Forms Authentication to verify the user’s credentials against a database where they are stored. The following code example illustrates how this can be achieved. The method ValidateUserCredentials accepts a user name and a password, connects to the database where the user’s credentials are stored and verifies whether the supplied credentials are correct.

```csharp
private bool ValidateUserCredentials(string userName, string password)
{
    // Connect to the database where the user credentials are stored and verify whether
    // the credentials passed to this method are correct. Return true on success, false otherwise.
    throw new NotImplementedException();   // placeholder body; replace with the database check described above
}
```

The above method can be called as illustrated in the code snippet below.

```csharp
bool isAuthenticatedUser = false;
try
{
    isAuthenticatedUser = ValidateUserCredentials(txtUserName.Text, txtPassword.Text);
}
catch (Exception)
{
    // Some typical exception handling code
}
if (isAuthenticatedUser)
{
    // The user is authenticated, hence redirect to the appropriate web form
    // and/or display appropriate messages to the user
}
else
{
    // Display appropriate messages to the user indicating that the user is not authenticated
}
```
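A filled-in ValidateUserCredentials, added here as an example and not the article’s own code: it looks the user up with a parameterized query and compares a salted PBKDF2 hash rather than a clear-text password, then feeds the result to RedirectFromLoginPage exactly as the snippets above do. The Users table layout, the UsersDb connection-string name and the btnLogin_Click handler are assumptions; txtUserName, txtPassword and lblMessage are the controls from the article.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
public partial class LoginForm : System.Web.UI.Page
{
    // Assumed table (not from the article): Users(UserName, Salt, PasswordHash),
    // holding a per-user random salt and a PBKDF2 hash rather than the clear-text password.
    private const int Iterations = 10000;
    private const int HashLength = 32;
    private bool ValidateUserCredentials(string userName, string password)
    {
        // Assumed connection-string name "UsersDb"; the parameter keeps the user name out of the SQL text.
        string connString = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        byte[] salt = null, storedHash = null;
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Salt, PasswordHash FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;            // unknown user
                salt = (byte[])reader["Salt"];
                storedHash = (byte[])reader["PasswordHash"];
            }
        }
        byte[] candidate;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            candidate = kdf.GetBytes(HashLength);
        // Compare every byte; returning on the first mismatch would leak timing information.
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
            diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        bool isAuthenticatedUser = false;
        try { isAuthenticatedUser = ValidateUserCredentials(txtUserName.Text, txtPassword.Text); }
        catch (SqlException) { /* log server-side; do not show the exception text to the user */ }
        if (isAuthenticatedUser)
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        else
            lblMessage.Text = "Invalid login...";  // same message for unknown user and wrong password
    }
}
```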
    Continues…
