[Lesson] Forms Authentication.pptx


  • 7/29/2019 [Lesson] Forms Authentication.pptx

    1/20

    ASP.NET SECURITY: Terminologies, ASP.NET Approaches

  • 2/20

    Security Concepts and Terminologies

    Authentication

    Authorization

    Role-based security

  • 3/20

    Authentication vs. Authorization

    Authentication

    Process of identifying the user

    User provides credentials

    Username/password

    ID card, key, fingerprint, eye scan, etc.

    Commonly done at login

    Authorization

    Permissions: which resources the user is allowed to access

    Type of access

    Read, write, modify, delete, change permissions

  • 4/20

    Example: Ecommerce

    Authentication

    Who are you?

    Customer

    Admin/Seller

    Authorization

    What are you allowed to do?

    Customer

    Browse products, purchase, etc.

    Admin

    Manage products, view orders, etc.

  • 5/20

    ASP.NET Security

  • 6/20

    ASP.NET Approaches

    Do-it-yourself

    Windows authentication

    Forms authentication

    .NET membership provider

  • 7/20

    Do-it-Yourself Authentication

    Each .aspx page checks for authorization

    Redirect unauthorized users to login

    Sample lines of code:

    if (Session["authenticated"] == null)
        Response.Redirect("Login.aspx");

  • 8/20

    Do-it-Yourself Authentication

    Advantages

    Simple

    Flexible page-by-page

    Database access

    Disadvantages

    Need to include code in every .aspx page

    Pages need to be executable

    Excludes .html pages, images, etc.

  • 9/20

    Windows Authentication

    Select this option if users will access your web site only from a private local network (intranet).

    Authenticate against Windows user accounts

    Username/password

    Authorization

    Specify in web.config

    First-match algorithm

    Directory by directory

  • 10/20

    Windows Authentication

    Benefits:

    Secures every file type

    Use existing Windows accounts

    Intranet

    Not public web

    Fine-level control of permissions

    Limitations

    Users need Windows account on server

  • 11/20

    Forms Authentication

    Create login page

    .aspx file

    Access database, other data sources

    Authentication ticket issued

    Encrypted cookie

    Redirects back to requested page

    How to Configure

    web.config file: <authentication mode="Forms">

    Root directory of application

    Create Login Page

  • 12/20

    Forms Authentication

    Select this option if users will access your website from the public internet.

    Forms authentication identifies the user by prompting them to enter their credentials through a web form.

    When a user attempts to access an unauthorized resource, they are automatically redirected to the login page where they can enter their credentials.

    The submitted credentials are then validated against a custom user store - usually a database.

  • 13/20

    Forms Authentication

    After verifying the submitted credentials, a forms authentication ticket is created for the user.

    This ticket indicates that the user has been authenticated and includes identifying information, such as the username.

    The forms authentication ticket is (typically) stored as a cookie on the client computer.

  • 14/20

    FormsAuthentication Class

    Namespace: System.Web.Security

    Class: System.Web.Security.FormsAuthentication

    Manages forms-authentication services for Web applications. Methods:

    RedirectFromLoginPage(string userName, bool createPersistentCookie)

    Redirects an authenticated user back to the originally requested URL or the default URL, and writes a cookie named .ASPXAUTH containing an Authentication Ticket.

    RedirectToLoginPage()

    Redirects the browser to the login URL.
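    A login page code-behind for the Forms Authentication flow described on slides 11 to 14, added here as an example that is not part of the original deck. It assumes the hypothetical web.config shown in the leading comment (using the first-match, directory-by-directory authorization rules from slide 9), a membership provider configured as on slide 15, and hypothetical controls UserNameTextBox, PasswordTextBox, ErrorLabel and LoginButton on Login.aspx.

```csharp
// Added example, not from the slides: Login.aspx.cs for Forms Authentication.
// Assumes this hypothetical web.config in the application root:
// <configuration>
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" timeout="30" requireSSL="true" />
//     </authentication>
//     <authorization>
//       <deny users="?" />      <!-- "?" = anonymous users: sent to loginUrl -->
//     </authorization>
//   </system.web>
//   <!-- Rules are checked top to bottom and the first match wins; a
//        sub-directory's rules are checked before its parent's rules. -->
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Admin" />
//         <deny users="*" />    <!-- "*" = everyone else -->
//       </authorization>
//     </system.web>
//   </location>
// </configuration>
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Click handler for a hypothetical LoginButton; Login.aspx is assumed to
    // contain UserNameTextBox, PasswordTextBox and ErrorLabel controls.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text.Trim();
        string password = PasswordTextBox.Text;

        // Membership.ValidateUser checks the credentials against the configured
        // membership store (slide 15), which stores hashed passwords by default.
        if (Membership.ValidateUser(userName, password))
        {
            // Creates the encrypted forms-authentication ticket, writes it to
            // the .ASPXAUTH cookie and redirects to ReturnUrl or the default
            // URL. false = session cookie only, no persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // One generic message whether the user or the password was wrong.
            ErrorLabel.Text = "Invalid username or password.";
        }
    }
}
```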

  • 15/20

    ASP.NET Membership Provider

    Drag & drop controls

    Implements Forms authentication

    No code required

    Automatically creates SQL Server database

    Can define users & roles

  • 16/20

    ASP.NET Membership Provider

  • 17/20

    ASP.NET Membership Provider

  • 18/20

    ASP.NET Membership Provider

  • 19/20

    ASP.NET Membership Provider

    No code

    Magical

    Many configuration options

    Password recovery

    Change password control

    Sends email

    Create groups (programmatically)

    Assign users to groups

  • 20/20

    Reference

    http://msdn.microsoft.com