Authenticating Users in an ASP.NET Application - Sfsu

hotbrood / Security

2 Nov 2013

Website Security


ISYS 512

Authentication


Authentication is the process that determines
the identity of a user.


Web.config file


<authentication> node


Options:


Windows Authentication: Authentication is handled
by the Windows server.


For intranet use


Forms Authentication: For Internet, public access


Passport

Forms Authentication


Use username and password to
authenticate user.


Usernames and passwords can be stored in a
database table, or Web.Config file.


Once Forms authentication is enabled, pages
cannot be accessed unless the user has been
authenticated. Without authentication, the user
is redirected to a login page.


If authenticated, an authorization ticket is
issued in the form of a cookie and user is
redirected back to the requested page.


Enabling Forms Authentication


Set the authentication mode for the application
by modifying the authentication section in the
application root web.config file.


Deny access to anonymous users by modifying
the authorization section in the web.config file.


Create a login page that enables users to enter
their usernames and passwords.


If authenticated, an authorization ticket is issued
in the form of a cookie.



FormsAuthentication Class


Import the System.Web.Security namespace.


Methods:


Authenticate:


Validates a user name and password against credentials
stored in the configuration file for an application.


RedirectFromLoginPage(String, Boolean)


Redirect user back to the page that sent the user to the login
page, and write a cookie named .ASPXAUTH containing an
Authentication Ticket.


SignOut


Removes the forms-authentication ticket from the browser.


RedirectToLoginPage()


Redirects the browser to the login URL.



User Names & Passwords Are Stored in
Web.Config File

<configuration>
  <system.web>
    <compilation debug="true" strict="false" explicit="true"
                 targetFramework="4.0" />
    <authentication mode="Forms">
      <forms loginUrl="Webform2.aspx">
        <!-- passwordFormat="Clear" keeps the passwords readable in this file;
             SHA1 and MD5 are the other values the attribute accepts -->
        <credentials passwordFormat="Clear">
          <user name="user1" password="password1"/>
          <user name="user2" password="password2"/>
          <user name="user3" password="password3"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Using FormsAuthentication’s
Authenticate Method

If FormsAuthentication.Authenticate(Login1.UserName, Login1.Password) Then
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)
Else
    Response.Write("Invalid Credentials: Please try again")
End If

Note: Using a Login Control

User Names & Passwords Are Stored in a
Database Table

<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
</configuration>

LogIn Example

' At the top of the code-behind file:
Imports System.Data.OleDb
Imports System.Web.Security

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    Dim objConn As New OleDbConnection(strConn)
    ' The user ID is concatenated into the SQL text, so a quote typed into
    ' TextBox1 becomes part of the query (see the SQL Injection slides)
    Dim strSQL As String = "select password from users where userID='" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)
    objConn.Open()
    ' ExecuteScalar returns Nothing when no row matches; without this check
    ' VB treats an empty TextBox2 as equal to Nothing and lets the user in
    Dim storedPassword As Object = objComm.ExecuteScalar()
    objConn.Close()
    If storedPassword IsNot Nothing AndAlso storedPassword IsNot DBNull.Value AndAlso TextBox2.Text = CStr(storedPassword) Then
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True)
    Else
        Response.Write("Access denied")
    End If
End Sub

SignOut Demo


A SignOut page with a button that signs the user out,
then redirects to the home page, which triggers
authentication again.


FormsAuthentication.SignOut()


Response.Redirect("webform1.aspx")


Web Site Administration Tool


From VS 2010, click Project / ASP.NET
Configuration to open the Web Site
Administration Tool.


Select Authentication type:


Windows authentication


Forms authentication


Manage users


Manage roles


Manage access rules

Access Rules



Allow or deny access to a particular directory by
user name or role.


Use the Web Site Administration Tool to create and
manage access rules; it will create an
authorization section with Allow or Deny
elements in the web.config file for that directory.


The permissions established for a directory also
apply to its subdirectories, unless configuration
files in a subdirectory override them.


Users:


ALL: Including authenticated and anonymous users.


Anonymous: Unauthenticated users.

User Accounts and Roles


By managing user accounts and roles we can
define authorization rules for accessing a
particular ASP.NET page or directory for a
particular user or role.


How to Create Users and Roles


The SQL Server Express service must be running.


By default, ASP.Net saves users and roles data in a
SQL Server Express file that is stored in App_Data
folder.


Click Show All Files


File: App_Data\ASPNETDB.MDF


From VS 2010, click Website/ASP.Net
Configuration to open the Web Site
Administration Tool.


Click Security


Create User


Create Role


Create Access Rules

Forms Authentication Ticket


After verifying the submitted credentials, a forms
authentication ticket is created for the user. This
ticket indicates that the user has been
authenticated and includes identifying
information, such as the username. The forms
authentication ticket is (typically) stored as a
cookie on the client computer. Therefore,
subsequent visits to the website include the
forms authentication ticket in the HTTP request,
thereby enabling the web application to identify
the user once they have logged in.
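As an added example (not code from the slides), the helper below reads the .ASPXAUTH cookie on a later request and decrypts the ticket that RedirectFromLoginPage wrote, showing the user name, issue and expiry times, and whether the True passed as createPersistentCookie made it persistent. TicketInspector is an assumed class name; the FormsAuthentication and FormsAuthenticationTicket members are the real System.Web.Security ones.

```vbnet
' Added example: inspect the forms authentication ticket carried by a request.
Imports System
Imports System.Web
Imports System.Web.Security

Public Class TicketInspector
    ' Returns a one-line description of the ticket, or Nothing when the request
    ' carries no cookie, a cookie that fails validation, or an expired ticket.
    Public Shared Function Describe(request As HttpRequest) As String
        ' FormsCookieName is ".ASPXAUTH" unless <forms name="..."> overrides it
        Dim cookie As HttpCookie = request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then
            Return Nothing
        End If

        Dim ticket As FormsAuthenticationTicket
        Try
            ' Decrypt validates and decrypts the cookie with the machineKey;
            ' a tampered or foreign value throws or yields Nothing
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return Nothing
        End Try

        If ticket Is Nothing OrElse ticket.Expired Then
            Return Nothing
        End If

        ' IsPersistent is True when createPersistentCookie:=True was passed
        Return String.Format("user={0} issued={1:u} expires={2:u} persistent={3}",
                             ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent)
    End Function
End Class

' In any page after login (assumed usage):
'   Response.Write(TicketInspector.Describe(Request))
```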

Membership Class


System.Web.Security.Membership


The ASP.NET membership class gives you a
built-in way to validate and store user
credentials.


Including users created by Website
Administration Tool and CreateUserWizard.


Method:


ValidateUser(String username, String password)


Authenticate Users Using
Membership Class

If Membership.ValidateUser(Login1.UserName, Login1.Password) Then
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)
Else
    Response.Write("Invalid")
End If

Example


A website with a public area, such as the home
page, a restricted area for members only, and
an area for the website's administrator only.



The restricted area will be a subfolder of the
website’s root directory.


Users:


Administrator


Members: Member data are stored in a regular
database.


Example: Sales database’s Users table with UserID,
Password and Email fields.


Anonymous users


Step 1: Create user and role


Step 2: Create access rules:


Public area (root directory): Allow All


Membership only area:


Rule 1: Allow All


Rule 2: Deny Anonymous


Administrator only area:


Rule 1: Deny All


Rule 2: Allow administrator


Step 3: Create Login.Aspx page


Password textbox:


TextMode property: password
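The access rules of Step 2 written out as web.config files, added here as an example (not generated by the Web Site Administration Tool and not from the slides). ASP.NET evaluates authorization rules top to bottom and stops at the first match, and a subdirectory's rules are checked before its parent's, so the narrower rule has to come first: the members folder denies anonymous users before allowing everyone, and the administrator folder allows the role before denying everyone. The folder names Members and Admin and the role name administrator are assumptions.

```xml
<!-- Root web.config: public area, everyone allowed; forms auth and roles on -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <roleManager enabled="true" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Members/web.config: '?' is anonymous, '*' is everyone.
     Deny anonymous first; if <allow users="*"/> came first it would match
     every request and the deny would never be reached -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Admin/web.config: allow the administrator role, then deny everyone else -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```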

Code Example: One Login Page to Handle
Two Types of Authentication


Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
Dim objConn As New OleDbConnection(strConn)
Dim strSQL, emailAddress As String
emailAddress = TextBox1.Text

' First try the members stored in the Sales database; the user ID is
' concatenated into the SQL text (see the SQL Injection slides)
strSQL = "select * from users where UserID= '" & TextBox1.Text & "'"
Dim objComm As New OleDbCommand(strSQL, objConn)
objConn.Open()
Dim objDataReader As OleDbDataReader
objDataReader = objComm.ExecuteReader()
If objDataReader.Read() Then
    If TextBox2.Text = objDataReader("password").ToString() Then
        FormsAuthentication.RedirectFromLoginPage(objDataReader("UserID").ToString(),
                                                  createPersistentCookie:=True)
    End If
End If
objDataReader.Close()
objConn.Close()

' Then try the ASP.NET membership store (users created with the
' Web Site Administration Tool, e.g. the administrator)
If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text,
                                              createPersistentCookie:=True)
End If

ASP.NET Login Controls


The ASP.NET login controls provide a login
solution for ASP.NET Web applications without
requiring programming.


By default, these controls use a SQL Server Express
database to manage users.


Login control


CreateUserWizard


ChangePassword control

Cookies

Data in Cookies


Which web site set the cookie


Expiration date


DateTime data type


TimeSpan data type


One or more pieces of data


Keys: A collection of cookie’s names


Define a new cookie:


Dim cookieCID As New HttpCookie("cid")


Add it to Response.Cookies:


Response.Cookies.Add(cookieCID)

Cookie’s Properties


System.Web.HttpCookie


Name


Value


Expires


To write a cookie:


Response.Cookies.Add(cookieObj)

Creating Cookies

Dim cookieCID As New HttpCookie("cid")
Dim cookieCNAME As New HttpCookie("cname")
Dim dt As DateTime = DateTime.Now()
Dim ts As New TimeSpan(30, 0, 0, 0)   ' 30 days

cookieCID.Value = TextBox1.Text
cookieCNAME.Value = TextBox2.Text

cookieCID.Expires = dt.Add(ts)
cookieCNAME.Expires = dt.Add(ts)

Response.Cookies.Add(cookieCID)
Response.Cookies.Add(cookieCNAME)


Note: The name (or key) of cookieCID is "cid"

FireFox: Tools/Options/Privacy

Reading Cookies

Dim custid As String
Dim custName As String

' Request.Cookies("cid") is Nothing when the browser did not send that cookie,
' so reading .Value without the check throws a NullReferenceException
If Request.Cookies("cid") IsNot Nothing AndAlso Request.Cookies("cname") IsNot Nothing Then
    custid = Request.Cookies("cid").Value
    custName = Request.Cookies("cname").Value
End If


Using Cookie with DataReader

Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
Dim objConn As New OleDbConnection(strConn)
Dim strSQL As String
Dim objDataReader As OleDbDataReader
Dim cid As String

' The cookie value comes from the browser, so it is user input just like a
' textbox; here it is concatenated into the SQL text (see the SQL Injection slides)
cid = Request.Cookies("CID").Value
strSQL = "select * from webcustomer where CustID= '" & cid & "'"
Dim objComm As New OleDbCommand(strSQL, objConn)
objConn.Open()
objDataReader = objComm.ExecuteReader()

If objDataReader.Read() = True Then
    Session("cname") = objDataReader("CustName")
    Response.Write("<hr>Welcome:" & objDataReader("CustName") & "<hr>")
Else
    Response.Write("<hr>We don't have your record <hr>")
End If

objDataReader.Close()
objConn.Close()

Demo: ASPNET/CookieGreeting.aspx

SQL Injection


"SQL Injection" is an
unverified/unsanitized user input
vulnerability, and the idea is to convince
the application to run SQL code that was
not intended.


Exploits applications that use external
input for database commands.


SQL Injection Demo


On a web page that takes customer ID entered
in a textbox as input, then displays the
customer’s data.


1. Retrieve all records:
In the textbox, enter:


' OR 1=1 OR CID = '

2. Guess table name or field name:


' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='

3. Finding some users:


' or cname like 'S%' or cid='



Demo: SQLInjectionDemo

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    Dim objConn As New OleDbConnection(strConn)
    ' Demo query: TextBox1.Text is pasted straight into the SQL text, which is
    ' what lets the inputs on the previous slide change the WHERE clause
    Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)

    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader
        objDataReader = objComm.ExecuteReader()
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        ' Echoing the provider's message shows the visitor exactly why a
        ' malformed query failed, table and column names included
        Response.Write(except.Message)
    Finally
        objConn.Close()
    End Try
End Sub
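The LogIn Example and the SQL Injection demo above both build the SQL text by concatenating TextBox1.Text. The version below is an added example, not code from the slides: the same password lookup done with an OLE DB parameter, so a quote in the user ID is data rather than SQL, plus an explicit check for a missing row. The connection string, table and column names are the ones the slides use, the SafeLogin class name is mine, and the users table still holds plain-text passwords as on the slides.

```vbnet
' Added example: parameterized version of the slides' database login.
Imports System
Imports System.Data.OleDb
Imports System.Web.Security

Public Class SafeLogin
    ' Same Access file as the slides
    Private Const ConnStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"

    ' Returns the stored password for userId, or Nothing when no such row exists.
    Public Shared Function LookupPassword(userId As String) As String
        Using objConn As New OleDbConnection(ConnStr)
            ' The ? placeholder is filled in by the provider; the text typed in
            ' the slides' demo (' OR 1=1 OR CID = ') is compared as a literal
            ' user ID and matches no row
            Dim strSQL As String = "select password from users where userID = ?"
            Using objComm As New OleDbCommand(strSQL, objConn)
                objComm.Parameters.AddWithValue("@userID", userId)
                objConn.Open()
                Dim stored As Object = objComm.ExecuteScalar()
                If stored Is Nothing OrElse stored Is DBNull.Value Then
                    Return Nothing
                End If
                Return CStr(stored)
            End Using
        End Using
    End Function

    ' True only when the row exists and the supplied password matches exactly.
    Public Shared Function CredentialsMatch(userId As String, password As String) As Boolean
        Dim stored As String = LookupPassword(userId)
        ' Ordinal comparison on a non-Nothing value avoids the VB quirk where an
        ' empty password compares equal to Nothing for an unknown user
        Return stored IsNot Nothing AndAlso String.Equals(stored, password, StringComparison.Ordinal)
    End Function
End Class

' In the login page's Click handler (assumed page with TextBox1 and TextBox2):
'   If SafeLogin.CredentialsMatch(TextBox1.Text, TextBox2.Text) Then
'       FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True)
'   Else
'       Response.Write("Access denied")
'   End If
```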