Security in ASP.NET applications

Article written by Vincent Gaglio
Page 1 of 5

Usually, an ASP.NET web site is accessible to anyone who connects to the server that hosts it, whether over a local network or the Internet. Although this situation is ideal for a variety of web applications, it is not always the appropriate choice for a project (for example, an e-commerce site has as a prerequisite the security of the financial transactions made by its users, which this open accessibility does not favor).

ASP.NET provides a powerful and profoundly flexible security model for protecting web applications, but it can create some confusion at first because of the different levels it includes.

Most of a programmer's work in managing web application security lies not in writing code but in determining the appropriate places to implement the different security strategies. The first step is therefore to decide which areas require security controls and what should be protected.

The concept of security is not complex in itself, but it encompasses various aspects and levels and so often ends up being considered complex. Consider, for example, an e-commerce site that allows users to view summaries of their recent orders. The first line of defense for a site like this is the login procedure, by which each user is identified before they can see their data. This is just one of the layers of security that the site must manage; others include, for example, protecting the databases that contain sensitive data and protecting financial transactions (using encryption). From this simple example you can imagine the variety of things to consider.

When designing a web application it is therefore appropriate to consider the different attack scenarios in which it may be involved, although it is very difficult to identify them all in advance. For this reason it is advisable to split security across multiple levels.

In a web application, requests are handled initially by the IIS web server, which examines the file type. If the type is valid for ASP.NET, the server passes the request on so that it can be processed.

The following image (taken from the Microsoft site) illustrates these steps.

As you can see, the web client and the ASP.NET applications both interact with the IIS server, which determines whether or not client requests may reach the applications. The operating system, on the other hand, interacts both with the applications (via the .NET Framework) and with the IIS server. In this scheme you can apply security at several points.
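
As an added illustration (not part of the original article), the web.config sketch below applies the login layer to the order-summary scenario described earlier, and its comments mark where the IIS file-type handoff limits what ASP.NET can protect. The `Orders` folder and `Login.aspx` page are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example. "Orders" and "Login.aspx" are hypothetical names. -->
<configuration>
  <system.web>
    <!-- Layer 1: identify each user through a login page.
         requireSSL keeps the authentication cookie off plain HTTP;
         protection="All" both encrypts and validates the ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Public pages (catalogue, home page) stay open to everyone. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Layer 2: the order summaries are reachable only after login. -->
  <location path="Orders">
    <system.web>
      <authorization>
        <!-- Weak setting: <allow users="*" /> here would expose
             order data to anonymous visitors. -->
        <!-- Corrected setting: "?" means anonymous, so this sends
             unauthenticated requests to the login page. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Caveat tied to the IIS handoff: these rules are evaluated by
       ASP.NET, so by default they cover only requests that IIS passes
       to ASP.NET. A file type served directly by IIS (for example an
       exported invoice in a static format) is not checked here and
       needs its own protection at the IIS or file-system level. -->
</configuration>
```

Database protection and transaction encryption, the other layers named above, are configured outside this file and are not shown.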
