Security Basics and ASP.NET Support


5 Nov 2013 (3 years and 7 months ago)


Shane Johnson

CS526, S2008
University of Colorado at Colorado Springs
Dr. Edward Chow


Overview

- ASP.NET is a web application framework developed by Microsoft
- One of the centerpieces of the Microsoft .NET Framework
- The successor to Microsoft Active Server Pages (ASP)
- Can author applications in any .NET compatible language, including Visual Basic .NET, C#, and JScript .NET.
- Used by sites like: www.monster.com, www.dell.com, www.myspace.com, www.match.com, www.newegg.com

Motivation: Explore my interests in dynamic web-based content, and get familiar with ASP.NET as a potential server-side solution

Security Operations in ASP.NET

- Authentication
- Authorization
- User Accounts
- Roles

Forms-Based Authentication

- A common method of verifying a user's identity is to prompt them to enter their credentials through a web form.
- When a user attempts to access a resource they are not authorized for, they are automatically redirected to the login page, where they can enter their credentials.
- The submitted credentials are then validated against a custom user store (usually a database).

Figure 1: The Forms Authentication Workflow

1. Unidentified user requests a protected page from the server
2. Server redirects the unidentified user to the login page
3. The submitted credentials are then validated against a custom user store - usually a database
4. A forms authentication ticket is created for the user (stored in a cookie)
5. User is granted access to the protected page
6. Subsequent visits to the website include the forms authentication ticket in the HTTP request

Example Work

First I created a sample web site.

After creating a sample site, I added a Web.config file and changed the authentication configuration from the default “Windows” to “Forms”.

Web.config file:

<configuration>
  <system.web>
    <!--
      The <authentication> section enables configuration of the security
      authentication mode used by ASP.NET to identify an incoming user.
    -->
    <authentication mode="Forms" />
  </system.web>
</configuration>

Example Work cont.

Login Page (Login.aspx):

<%@ Page Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true" CodeFile="Login.aspx.cs" Inherits="Login" %>

<asp:Content ID="Content1" ContentPlaceHolderID="MainContent" runat="Server">
  <h1>Login</h1>
  <p>
    Username:
    <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
  </p>
  <p>
    Password:
    <asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox>
  </p>
  <p>
    <asp:CheckBox ID="RememberMe" runat="server" Text="Remember Me" />
  </p>
  <p>
    <asp:Button ID="LoginButton" runat="server" Text="Login" OnClick="LoginButton_Click" />
  </p>
  <p>
    <asp:Label ID="InvalidCredentialsMessage" runat="server" ForeColor="Red"
      Text="Your username or password is invalid. Please try again." Visible="False"></asp:Label>
  </p>
</asp:Content>

Example Work cont.

Event handler for the login button (Login.aspx.cs):

protected void LoginButton_Click(object sender, EventArgs e)
{
    // Three valid username/password pairs: Scott/password, Jisun/password, and Sam/password.
    // Hard-coded for this demonstration; the slides describe validating against a
    // custom user store, usually a database.
    string[] users = { "Scott", "Jisun", "Sam" };
    string[] passwords = { "password", "password", "password" };

    for (int i = 0; i < users.Length; i++)
    {
        // The username comparison ignores case; the password comparison is case-sensitive.
        bool validUsername = (string.Compare(UserName.Text, users[i], true) == 0);
        bool validPassword = (string.Compare(Password.Text, passwords[i], false) == 0);

        if (validUsername && validPassword)
        {
            // Issues the forms authentication ticket (in a cookie) and redirects to the
            // page the user originally requested; the response ends here.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
        }
    }

    // If we reach here, the user's credentials were invalid
    InvalidCredentialsMessage.Visible = true;
}
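As an added example that is not part of the deck, here is the same click handler reworked to validate against a hashed-password user store (a constructed in-memory stand-in for the database the slides mention) and to create the forms authentication ticket cookie itself, assuming the Login.aspx controls shown above:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    private const int Iterations = 10000, SaltSize = 16, HashSize = 32;
    // Constructed stand-in for the "custom user store": username -> { salt, PBKDF2 hash }.
    // A real store loads these rows from the database and never holds plaintext passwords.
    private static readonly Dictionary<string, byte[][]> Store = BuildStore();
    private static Dictionary<string, byte[][]> BuildStore()
    {
        var store = new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);
        var salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);             // per-user random salt
        store["Scott"] = new[] { salt, Pbkdf2("password", salt) }; // same demo pair as the slide
        return store;
    }
    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
    }
    // Constant-time comparison: response time must not depend on how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        byte[][] rec;
        if (Store.TryGetValue(UserName.Text, out rec)
            && FixedTimeEquals(rec[1], Pbkdf2(Password.Text, rec[0])))
        {
            // Step 4 of the workflow, done by hand so the cookie's protections are explicit.
            var ticket = new FormsAuthenticationTicket(1, UserName.Text, DateTime.Now,
                DateTime.Now.AddMinutes(20), RememberMe.Checked, string.Empty);
            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
            if (RememberMe.Checked) cookie.Expires = ticket.Expiration; // persistent only if asked
            Response.Cookies.Add(cookie);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
            return;
        }
        InvalidCredentialsMessage.Visible = true; // one generic message for bad name or bad password
    }
}
```

Setting Secure on the cookie corresponds to <forms requireSSL="true" /> in Web.config, which is how the same protection is applied when RedirectFromLoginPage issues the ticket.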

Example Work cont.

Detecting Authenticated Visitors and Determining Their Identity

protected void Page_Load(object sender, EventArgs e)
{
    // Request.IsAuthenticated is true when a valid forms authentication ticket
    // accompanied the request (workflow step 6).
    if (Request.IsAuthenticated)
    {
        WelcomeBackMessage.Text = "Welcome back!";
        AuthenticatedMessagePanel.Visible = true;
        AnonymousMessagePanel.Visible = false;
    }
    else
    {
        AuthenticatedMessagePanel.Visible = false;
        AnonymousMessagePanel.Visible = true;
    }
}

We can determine the name of the current visitor using the following code:

string currentUsersName = User.Identity.Name;

Example Work cont.

Success! Authentication Ticket Verified

Future Work

- Experiment with Role-Based Authorization
- Create a custom interface to manage user accounts.

Want to learn more?

You can find a comprehensive tutorial on Security and ASP.NET at:
http://www.asp.net/learn/security/?lang=cs

