Analysis of ASP.NET security (enhanced ASP.NET 1.1/2.0 security)

Source: Internet
Author: User
ASP.NET security is a very important aspect of Web applications. It covers far more material than a single article can explain, so this article concentrates on how to build secure ASP.NET applications with IIS and Forms authentication, which is currently the most widely used authentication/authorization method.

This article describes how ASP.NET 1.1 and ASP.NET 2.0 implement Forms authentication, and what ASP.NET 2.0 improved or changed compared with the previous version. Readers have probably seen many articles of this kind, on the Internet or in professional books; recently the Model & Practice team released the WCF Security Model Guide, which shows that Web site security is never an outdated topic. The author believes this article will be a reference you keep coming back to.

How ASP.NET security works

Web sites share a common security requirement: certain pages may only be viewed by members or other authenticated users. Forms authentication is the most practical way to meet it.

Authentication

In terms of mechanism, the ASP.NET 1.1 security model is the same as that of ASP.NET 2.0. First the Web site is configured for Forms authentication mode. When a user then requests a URL on the site, the Forms authentication system redirects any unauthenticated request to the configured login page. The user enters credentials (user name and password) and submits the page. If the application validates the credentials, a specific cookie (ASP.NET 1.1 does not support cookieless mode) is issued to the client; it carries the user's authentication ticket. On subsequent requests the browser sends this cookie to the server, and if the cookie is valid the user is treated as authenticated and is allowed to access the originally requested resource.

Authorization

Once a request has been authenticated, authorization decides whether that user is allowed to access the URL requested. You can express the rules in the application configuration file, and you can also check in code whether the user is eligible to access a resource. If authorization fails, ASP.NET redirects the user to the login page; if it succeeds, the user is granted access to the protected resource.

ASP.NET 1.1 implementation

The ASP.NET 1.1 implementation is very simple, but we still need to write some code, and below we go through it step by step. For more information on the configuration sections used here, refer to the MSDN documentation.

Copy the code as follows (web.config):

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXCOOKIEAUTH" loginUrl="Login.aspx" protection="All" path="/" />
      <!-- the timeout="..." value did not survive in the source; ASP.NET defaults to 30 minutes -->
    </authentication>
    <authorization>
      <deny users="?" />   <!-- "?" means anonymous (unauthenticated) users -->
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />   <!-- "*" means everyone not allowed above -->
      </authorization>
    </system.web>
  </location>
</configuration>
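The code the configuration above relies on, as an added example that is not part of the original article: the Login.aspx code-behind that validates credentials and issues the Forms ticket, and the Global.asax handler that attaches roles to the authenticated user so that the <allow roles="Admins"/> rule can be evaluated (ASP.NET 1.1 has no role provider; without this step the Forms identity carries no roles and every role rule denies). The in-memory user table, the user "alice" and the helper names LookupHash and GetRolesFor are constructed for illustration and stand in for a real user database.

```csharp
// Login.aspx.cs (added example; hypothetical class and control names)
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public class LoginPage : System.Web.UI.Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    // Constructed sample store: user name -> hex SHA1 of the password, the format
    // FormsAuthentication.HashPasswordForStoringInConfigFile produces in ASP.NET 1.1.
    // (SHA1 is what 1.1 ships with; a real store should use a slow, salted hash.)
    private static readonly Hashtable Users = new Hashtable();

    static LoginPage()
    {
        Users["alice"] = FormsAuthentication.HashPasswordForStoringInConfigFile("s3cret", "SHA1");
    }

    private static string LookupHash(string user)
    {
        return Users[user] as string;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string stored = LookupHash(UserName.Text);
        string supplied = FormsAuthentication.HashPasswordForStoringInConfigFile(Password.Text, "SHA1");

        if (stored == null || String.Compare(stored, supplied, false) != 0)
        {
            // Same message for unknown user and wrong password: do not reveal which.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Issue the ".ASPXCOOKIEAUTH" ticket named in web.config (non-persistent cookie).
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Only follow a site-relative ReturnUrl; anything else falls back to the root,
        // so the login page cannot be used to bounce a user to another host.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl == null || !returnUrl.StartsWith("/") ||
            returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
        {
            returnUrl = "/";
        }
        Response.Redirect(returnUrl);
    }
}

// Global.asax.cs (added example): runs on every request after the Forms module
// has read the cookie, and replaces the role-less principal with one that carries
// the user's roles, which is what <allow roles="Admins"/> is evaluated against.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;                                   // anonymous: nothing to attach

        if (Context.User.Identity is FormsIdentity)
        {
            string[] roles = GetRolesFor(Context.User.Identity.Name);
            Context.User = new GenericPrincipal(Context.User.Identity, roles);
        }
    }

    // Constructed role lookup; a real application reads this from its database.
    private static string[] GetRolesFor(string user)
    {
        return user == "alice" ? new string[] { "Admins" } : new string[0];
    }
}
```

With these two pieces in place, a request for /Admin/ by an unauthenticated visitor is redirected to Login.aspx by the <deny users="?"/> rule; after "alice" logs in, Application_AuthenticateRequest gives her principal the "Admins" role and the /Admin/ location rule admits her, while an authenticated user without that role is sent back to the login page, exactly as the Authorization section describes. In code you can apply the same rule with Context.User.IsInRole("Admins").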


A tip for hosting providers (IDCs) to harden ASP.NET 1.1/2.0

ASP.NET 1.1:

Open C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config

Set up:

<location allowOverride="false">
  <identity impersonate="true" userName="" password="" />

ASP.NET 2.0 and later:

Open C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

Set up:

<identity impersonate="true" />

If either item is missing, add it as follows. Change <location allowOverride="true"> to <location allowOverride="false"> so that an individual site's web.config cannot override these settings; with impersonate="true" (and no fixed userName/password) each request runs under the account IIS authenticated for that site, or its anonymous account, rather than under the shared worker process identity, which keeps one hosted site from reading another's files with the process account's rights.

<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal" />
      <trustLevel name="High" policyFile="web_hightrust.config" />
      <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
      <trustLevel name="Low" policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>
    <trust level="Full" originUrl="" />
    <identity impersonate="true" />   <!-- add this line -->
  </system.web>
</location>