
Manage application security ASP.Net

Often a website contains pages that should not be viewable by anyone, but only by certain types of users. User authentication refers to the practice used to make sure that users really are who they claim to be; this practice is based on shared information (such as a password). User authorization instead refers to the practice of allowing or denying authenticated users access to specific pages, based on the permissions and/or roles assigned to them.

Software security has been a topic of great relevance in recent years. When a web application runs in a Microsoft environment, some fundamental aspects must be considered: the IIS security context, how users are authenticated, and what permissions they have.

Managing security on the web is very similar to typical security management for a network, where you have to rely on authentication and authorization of users. However, security on the web has to deal with clients using different platforms, so you have less control than in a closed network (such as the Windows network in an office). In a closed network, administrators can more easily monitor the entire system, granting or denying users access to the various resources available. The users of a web application, however, are far more numerous and therefore need a different approach (outside the Windows infrastructure) to be authenticated and authorized.

The first security issue encountered when developing web applications in a Windows environment is understanding the security context of IIS. Virtually all access to a website passes through IIS, and, like all Windows applications, IIS runs in a specific context. When IIS is installed on a computer, the installation process creates a separate security identity for it.

It is possible to identify the identity under which our installed version of IIS runs by selecting a virtual directory, opening its properties window and clicking the authentication and access control button. At this point the following window opens:

As you can see, on my computer the identity is IUSR.

By default IIS handles virtual directories using Anonymous Authentication. When this mode is specified, IIS uses the user we have just seen and makes available the resources that user can access. IIS also supports other types of authentication, including Windows authentication. In the latter case, all potential users are provided with a Windows user name and password. This type of authentication works fine with Windows users, but for users on other operating systems you must use another type of authentication, because the security mechanism available to Windows users is not available on other systems, and those users would not be able to authenticate.

Fortunately, ASP.NET includes so-called Forms Authentication, a simple but effective tool introduced in version 1.0. It is configured in the web.config file of a web application, which, in addition to the elements already seen, also contains the authentication and authorization nodes. In the absence of these nodes ASP.NET allows unrestricted access to a website. If these elements are present, however, users are redirected to a page dedicated to authentication (typically a login page where users must enter username and password).

Here is a sample web.config with these nodes:

You can see that Forms is set as the authentication mode and that users are redirected to the login.aspx page to log in.
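As an added example (my own configuration, not the author's sample, which is not reproduced on this page), here is a web.config that combines the two nodes described above: Forms authentication redirecting to login.aspx, a site-wide authorization rule that denies anonymous users, and a role-based rule for a hypothetical "admin" folder. The role name "Administrators" and the folder are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to login.aspx -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
      <!-- protection="All": the authentication cookie is both encrypted and signed.
           requireSSL="true": the cookie is only sent over HTTPS (assumes the site uses SSL).
           timeout is in minutes; the ticket is renewed while the user stays active. -->
    </authentication>

    <!-- Rules are evaluated top to bottom and the first match wins:
         "?" means anonymous users, "*" means all users. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Keep the login page reachable by anonymous users, so the redirect cannot loop -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-based rule for an admin area (hypothetical folder and role name) -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the order of the two site-wide rules were reversed (allow "*" before deny "?"), every request would match the allow rule first and anonymous users would never be redirected, so the order is worth checking whenever the file is edited.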

ASP.NET includes extensive support for user authentication. The key element in this context is the FormsAuthentication class, which provides a range of different functions, from the encryption of passwords and the creation of authentication cookies to a variety of other aspects.

For a deeper look at security in ASP.NET, I invite you to refer to an article I wrote, available on this page.
