[Lesson] Forms Authentication.pptx
Transcript of [Lesson] Forms Authentication.pptx
-
7/29/2019 [Lesson] Forms Authentication.pptx
1/20
ASP.NET Security
Terminologies, ASP.NET Approaches
-
Security Concepts and Terminologies
Authentication
Authorization
Role-based security
-
Authentication vs. Authorization
Authentication
Process of identifying the user
User provides credentials
Username/password
ID card, key, fingerprint, eye scan, ...
Commonly done at login
Authorization
Permissions: which resources the user is allowed to access
Type of access
Read, write, modify, delete, change permissions
-
Example: E-commerce
Authentication
Who are you?
Customer
Admin/seller
Authorization
What are you allowed to do?
Customer
Browse products, purchase, ...
Admin
Manage products, view orders, ...
-
ASP.NET Security
-
ASP.NET Approaches
Do-it-yourself
Windows authentication
Forms authentication
.NET membership provider
-
Do-it-Yourself Authentication
Each .aspx page checks for authorization
Redirect unauthorized users to login
Sample lines of code (placed in the page's Page_Load):
// Anyone without the "authenticated" session flag is sent to the login page
if (Session["authenticated"] == null)
    Response.Redirect("Login.aspx");
-
Do-it-Yourself Authentication
Advantages
Simple
Flexible page-by-page
Database access
Disadvantages
Need to include code in every .aspx page
Pages need to be executable: excludes .html pages, images, etc.
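The do-it-yourself approach from the last two slides, written out end to end as an added example (this is not code from the slides). It assumes a Login.aspx with TextBox controls UserName and Password, a Label ErrorLabel and a Button wired to LoginButton_Click, plus a protected page Orders.aspx; the credential record for user "alice" is constructed in code so the example runs without a database.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Login.aspx.cs (control names UserName, Password, ErrorLabel are assumed).
public partial class Login : Page
{
    // Constructed demo credential record for "alice": a random salt and a PBKDF2 hash
    // derived once at startup. A real store loads salt and hash per user from the
    // database; the password itself is never stored or compared in clear text.
    private static readonly byte[] DemoSalt = Guid.NewGuid().ToByteArray();
    private static readonly byte[] DemoHash = Derive("demo-password", DemoSalt); // placeholder password

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(32);
    }

    // Fixed-time comparison: timing must not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static bool ValidateCredentials(string user, string password)
    {
        bool known = string.Equals(user, "alice", StringComparison.OrdinalIgnoreCase);
        byte[] hash = Derive(password, DemoSalt);   // always run the KDF, even for unknown users
        return known & FixedTimeEquals(hash, DemoHash);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid username or password."; // same text for unknown user and bad password
            return;
        }

        Session["authenticated"] = UserName.Text;   // the flag every protected page tests

        // Honour ReturnUrl only when it is a local absolute path, so the login page
        // cannot be used to bounce a user to an arbitrary external site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        bool local = !string.IsNullOrEmpty(returnUrl)
                     && returnUrl.StartsWith("/")
                     && !returnUrl.StartsWith("//")
                     && !returnUrl.StartsWith("/\\");
        Response.Redirect(local ? returnUrl : "Default.aspx");
    }
}

// Orders.aspx.cs: the disadvantage on the slide in practice. This check has to be
// repeated in every protected .aspx page, and static files (.html, images) never pass
// through it because ASP.NET does not execute them.
public partial class Orders : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["authenticated"] == null)
            Response.Redirect("Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl));
    }
}
```

The salted, slow hash and the fixed-time compare are what "database access" on the advantages slide should look like in a home-grown store; the ReturnUrl check is the piece most often forgotten when the redirect target is taken from the query string.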
-
Windows Authentication
Select this option if users will access your web site only from a private local network (intranet).
Authenticate against Windows user accounts
Username/password
Authorization
Specify in web.config
First-match algorithm, directory by directory
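A model of the first-match, directory-by-directory rule evaluation the slide refers to, added here as an example (it is not the slides' code and not ASP.NET's own UrlAuthorizationModule). The three per-directory rule sets are constructed stand-ins for web.config files; the comment shows the XML each one represents.

```csharp
// Constructed configs modelled below:
//   /web.config:         <authorization><allow users="*"/></authorization>
//   /Admin/web.config:   <authorization><allow roles="Admin"/><deny users="*"/></authorization>
//   /Reports/web.config: <authorization><deny users="?"/></authorization>
// Rules from the requested directory are checked first, then each parent up to "/";
// in that combined list the first rule that matches the caller decides.
using System;
using System.Collections.Generic;
using System.Linq;

public enum Verb { Allow, Deny }

public sealed class Rule
{
    public Verb Verb;
    public string[] Users = new string[0];   // "*" = everyone, "?" = anonymous, else a user name
    public string[] Roles = new string[0];
}

public static class UrlAuthorization
{
    public static readonly Dictionary<string, List<Rule>> Config =
        new Dictionary<string, List<Rule>>(StringComparer.OrdinalIgnoreCase)
        {
            ["/"]         = new List<Rule> { new Rule { Verb = Verb.Allow, Users = new[] { "*" } } },
            ["/Admin/"]   = new List<Rule> { new Rule { Verb = Verb.Allow, Roles = new[] { "Admin" } },
                                             new Rule { Verb = Verb.Deny,  Users = new[] { "*" } } },
            ["/Reports/"] = new List<Rule> { new Rule { Verb = Verb.Deny,  Users = new[] { "?" } } },
        };

    private static bool Matches(Rule r, string user, HashSet<string> roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        if (r.Users.Contains("*")) return true;
        if (anonymous) return r.Users.Contains("?");
        if (r.Users.Contains(user, StringComparer.OrdinalIgnoreCase)) return true;
        return r.Roles.Any(roles.Contains);
    }

    // True if the caller may access path. Walks from the deepest directory up to "/".
    public static bool IsAllowed(string path, string user, IEnumerable<string> userRoles)
    {
        var roles = new HashSet<string>(userRoles, StringComparer.OrdinalIgnoreCase);
        string dir = path.Substring(0, path.LastIndexOf('/') + 1);   // "/Admin/Users.aspx" -> "/Admin/"
        while (true)
        {
            List<Rule> rules;
            if (Config.TryGetValue(dir, out rules))
                foreach (var r in rules)
                    if (Matches(r, user, roles)) return r.Verb == Verb.Allow;
            if (dir == "/") return true;   // nothing matched anywhere: root <allow users="*"/> applies
            dir = dir.Substring(0, dir.TrimEnd('/').LastIndexOf('/') + 1);   // one level up
        }
    }

    public static void Main()
    {
        Console.WriteLine(IsAllowed("/Admin/Users.aspx", "bob", new string[0]));       // False: /Admin/ deny users="*"
        Console.WriteLine(IsAllowed("/Admin/Users.aspx", "alice", new[] { "Admin" })); // True:  /Admin/ allow roles="Admin"
        Console.WriteLine(IsAllowed("/Reports/Q1.aspx", "", new string[0]));           // False: anonymous denied
        Console.WriteLine(IsAllowed("/Reports/Q1.aspx", "bob", new string[0]));        // True:  falls through to root allow
        Console.WriteLine(IsAllowed("/Default.aspx", "", new string[0]));              // True:  root allows everyone
    }
}
```

The order inside /Admin/ is the whole point of "first match": writing the deny before the allow would lock admins out too, and leaving the deny off would let every authenticated user through because the root's allow is reached next.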
-
Windows Authentication
Benefits:
Secures every file type
Use existing Windows accounts
Intranet
Not public web
Fine-level control of permissions
Limitations:
Users need a Windows account on the server
-
Forms Authentication
Create login page
.aspx file
Access database, other data sources
Authentication ticket issued (encrypted cookie)
Redirects back to requested page
How to Configure
web.config file: authentication mode="Forms"
Root directory of application
Create login page
-
Forms Authentication
Select this option if users will access your website from the public internet.
Forms authentication identifies the user by prompting them to enter their credentials through a web form.
When a user attempts to access an unauthorized resource, they are automatically redirected to the login page where they can enter their credentials.
The submitted credentials are then validated against a custom user store, usually a database.
-
Forms Authentication
After verifying the submitted credentials, a forms authentication ticket is created for the user.
This ticket indicates that the user has been authenticated and includes identifying information, such as the username.
The forms authentication ticket is (typically) stored as a cookie on the client computer.
-
FormsAuthentication Class
Namespace: System.Web.Security (full name System.Web.Security.FormsAuthentication)
Manages forms-authentication services for Web applications. Methods:
RedirectFromLoginPage(string userName, bool createPersistentCookie)
Redirects an authenticated user back to the originally requested URL or the default URL, and writes a cookie named .ASPXAUTH containing an authentication ticket.
RedirectToLoginPage()
Redirects the browser to the login URL.
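The two methods from this slide in a login code-behind and a protected page, added as an example (not the slides' code). It assumes the root web.config carries `<authentication mode="Forms"><forms loginUrl="Login.aspx" timeout="20" requireSSL="true" /></authentication>` and `<authorization><deny users="?"/></authorization>`, that a membership provider is configured (the next slides), and that the pages hold controls named UserName, Password, ErrorLabel and WelcomeLabel (names assumed).

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser checks the posted credentials against the configured
        // provider's store (the slide's "custom user store, usually a database").
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid username or password."; // one message for both failure causes
            return;
        }

        // Creates the encrypted and signed ticket, writes it as the .ASPXAUTH cookie and
        // redirects to the ReturnUrl the runtime appended when it sent the user here
        // (or to defaultUrl). false = session cookie; true would persist it across browser restarts.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}

// Account.aspx.cs: a page that relies on the ticket rather than on a Session flag.
public partial class Account : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // <deny users="?"/> already bounced anonymous callers to loginUrl, so by now the
        // module has decrypted and validated the ticket; User.Identity.Name is the name it carried.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        WelcomeLabel.Text = "Signed in as " + User.Identity.Name;
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();             // removes the .ASPXAUTH cookie
        Session.Abandon();                         // drop any server-side state as well
        FormsAuthentication.RedirectToLoginPage(); // the slide's second method
    }
}
```

Unlike the do-it-yourself Session flag, the ticket is what identifies the user on every request, so the settings on the `<forms>` element are the security controls: requireSSL="true" marks the cookie Secure, the cookie is HttpOnly by default, `timeout` bounds how long a stolen cookie stays valid, and the default protection="All" means the ticket is both encrypted and MAC-validated with the application's machineKey.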
-
ASP.NET Membership Provider
Drag & Drop controls
Implements Forms authentication
No code required
Automatically creates SQL Server Database
Can define users & roles
-
ASP.NET Membership Provider
-
ASP.NET Membership Provider
-
ASP.NET Membership Provider
-
ASP.NET Membership Provider
No code
Magical
Many configuration options
Password recovery
Change password control
Sends email
Create groups (programmatically)
Assign users to groups
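Creating groups programmatically and assigning users to them, as an added example (not from the slides) using the Membership and Roles classes in System.Web.Security. It assumes the SQL membership and role providers are configured in web.config with `<roleManager enabled="true"/>`; the user name, role names and password value are constructed placeholders.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

public static class RoleSetup
{
    // Idempotent, so it is safe to call from Global.asax Application_Start on every start.
    public static void EnsureRolesAndUsers()
    {
        foreach (string role in new[] { "Customer", "Admin" })   // constructed role names
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);

        if (Membership.GetUser("alice") == null)
        {
            MembershipCreateStatus status;
            Membership.CreateUser("alice", "<placeholder-strong-password>", "alice@example.com",
                                  null, null, true, out status);
            if (status != MembershipCreateStatus.Success)
                throw new InvalidOperationException("Could not create user: " + status);
        }

        if (!Roles.IsUserInRole("alice", "Admin"))
            Roles.AddUserToRole("alice", "Admin");
    }
}

// ManageProducts.aspx.cs: the "Admin: manage products" case from the e-commerce slide.
// web.config in this directory would carry <allow roles="Admin"/><deny users="*"/>;
// the in-page check is a second layer for anything the page renders conditionally.
public partial class ManageProducts : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

Role membership is read through the role provider at request time, so removing a user from Admin takes effect on their next request without touching the forms ticket; the ticket only proves who they are, not what they may do.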
-
Reference
http://msdn.microsoft.com