ASP.NET authentication mechanism

Source: Internet
Author: User
Tags: sha1 hash
ASP.NET provides some new authentication and authorization solutions, which differ from what developers had before. Fortunately, the ASP.NET solution is more flexible. Unfortunately, it is based on IIS, and I know that some people do not like IIS and think it is vulnerable to attacks. I have never liked ASP: the messy HTML tags mixed with code are difficult to maintain and debug. Now we have a new solution, so let's take a look.

The new ASP.NET authentication mechanism (below I will abbreviate the ASP.NET application engine as "ASP.NET AP") only takes effect when the ASP.NET engine executes, that is, when an .aspx file is requested; .asp files are not handled by the .NET engine. All verification options are placed in an XML file. Every time you create an ASP.NET project, you will find a config.web file; authentication can be set and controlled in the <security>, <authentication>, <authorization> and other elements of this XML file. The default value is <authentication mode="None"/>, which means ASP.NET will not use any authentication provider, so in this mode the underlying behaviour of ASP.NET is exactly the same as the original ASP on IIS 4/5.

A typical config.web usually looks like this:

<!-- Authentication
This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None"
-->
<authentication mode="None"/>

We will examine each possible value of <authentication> one by one, but as a developer my focus will be on "Forms". First let us fix our platform environment: Windows 2000 Advanced Server, .NET RCx, IE 6. (VS.NET Beta 2 should also be acceptable, because my system was upgraded from Beta 2 while I was writing this article, so I can only say that I think Beta 2 is also acceptable. However, we will not discuss the mode="Cookie" setting; that value only existed in ASP+, the name used before ASP.NET Beta 2.) Then we will use the example in the SDK, because it is simple and makes the best starting point.

First we need to create the directory C:\Inetpub\wwwroot\Security, then copy the files from the SDK's FrameworkSDK\Samples\QuickStart\aspplus\samples\security into the new directory (you can also decompress the attached files directly into this directory).

1. mode="None"

This mode is the default. As mentioned above, its behaviour is no different from that of the original ASP.
When you use VS.NET to generate an ASP.NET project, this mode is also what it generates by default.

2. mode="Windows"

In this mode, every page we access is authenticated by the operating system. Visitors may be confused when they see the familiar Windows authentication dialog; honestly, I prefer the Windows XP one, which is cuter. Using this mode means you can implement authentication quickly without writing any additional code, but I think your business users will not like it, and as a developer you cannot customize it.

Implementing this method is very easy.

1. Set <authentication mode="Windows"/> in the config.web file.

2. Go to the IIS management console and set your application's properties. For example:

3. Visit your page and you will see this dialog box, which is interesting but definitely confusing for non-professionals.

4. We use the wauth web page. Note that mode="Windows" is nothing advanced: you only need to set mode="Windows" to get Windows authentication.

Result

3. mode="Passport"

In this mode, the ASP.NET engine uses Microsoft Passport's authentication mechanism. In theory this mode is the best and the most effort-saving, but at present I find that Passport is not easy to implement with .NET: the .NET Beta 2 class library does not fully implement the Passport 2.1 functionality (PassportIdentity). Microsoft currently only shows the ColdStorage example on MSDN, whose implementation is basically based on Passport 1.4. Like DirectX, a dedicated DLL is also required. It is said that the class library after .NET RC2 implements the functions that were previously missing, but that information seems to be unavailable at present, so let us leave this to Microsoft and Passport 3.0 and try again in the future. I have deep confidence in Passport, and we may not be able to escape from Passport as long as we are on the Microsoft platform.

For more information about ColdStorage Passport, see the following article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncold/html/storageauthentication.asp

4. mode="Forms"

In this mode, I think every developer will have the maximum flexibility and control, and from now on this is the most practical and feasible way. Let's look at a simple example:

1. Make the following settings in the config.web file:

<authentication mode="Forms">
  <forms name=".ASPXUSERDEMO" loginUrl="login.aspx"/>
</authentication>

loginUrl="string" indicates the page to which requests that fail authentication are redirected. You can set it yourself.

2. Then write the following code in the click event handler of the login button on login.aspx:

void Login_Click(Object sender, EventArgs e) {
    // Authenticate user: this sample accepts only one user,
    // with a name of new2001@msn.com and a password of 'ccboy'
    if ((UserEmail.Value == "new2001@msn.com") && (UserPass.Value == "ccboy")) {
        // Issue the forms-authentication cookie and return to the originally requested page
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid credentials: please try again";
    }
}
Here the credentials are hard-coded, and currently only new2001@msn.com with password ccboy can log in. During the test we did not access Login.aspx directly: we requested the Default.aspx page, and ASP.NET used its authentication mechanism to redirect us to Login.aspx. When the user input is accepted, the originally requested Default.aspx is returned. Because we use the .NET WebUI controls, this is more object-oriented. When our check succeeds and we call the RedirectFromLoginPage method of FormsAuthentication, this method issues a cookie and redirects the user to the resource originally requested. In this way the ASP.NET AP does half of the work; in fact RedirectFromLoginPage completes it for us.

Result

Next, we modify the config.web file so that the user information is read from config.web itself and authentication is performed against it.

1. Set up the config.web file first:

<authentication mode="Forms">
  <forms name=".ASPXUSERDEMO" loginUrl="login.aspx">
    <credentials passwordFormat="Clear">
      <user name="ccBoy@msn.com" password="ccboy"/>
    </credentials>
  </forms>
</authentication>

<credentials></credentials> specifies the user names and passwords used to access system resources; in addition, you can customize and manage hashed passwords (we recommend that you do not place user names and passwords here in real applications).

passwordFormat can be "Clear", "SHA1" or "MD5".

Clear: the password is saved in plain text. The submitted user name and password are compared directly with the stored values, without any further conversion.

SHA1: the password is saved as a SHA1 hash. During verification, the submitted password is hashed with the SHA1 algorithm and the result is compared with the stored value.

MD5: the same as SHA1, only with a different hash algorithm.

When using SHA1 or MD5, you also need a special API (HashPasswordForStoringInConfigFile) to compute the hash, and the result is then saved in the config.web file. For details, refer to the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconformsauthenticationutilities.asp

2. Then write the following code in the click event handler of the login button on login.aspx:

void Login_Click(Object sender, EventArgs e) {
    // Let ASP.NET check the name and password against the <credentials> in config.web
    if (FormsAuthentication.Authenticate(UserEmail.Value, UserPass.Value)) {
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid credentials: please try again";
    }
}

The result is the same as before, but this time we hand the judgment over to the ASP.NET AP. We only pass the UserEmail and UserPass values; the Authenticate method completes the authentication process by comparing them with the settings in the <user> elements of config.web.
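The hashed-credentials storage and the Authenticate check from this section, as an added Python example (not the page's or ASP.NET's own code): hash_for_config reproduces the output form of HashPasswordForStoringInConfigFile (uppercase hex digest of the password), make_credentials builds the <credentials> element a developer pastes into config.web, and authenticate checks a name/password pair against it the way FormsAuthentication.Authenticate does, for all three passwordFormat values. The sample user is constructed; the case-insensitive name match is this example's own choice.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

def hash_for_config(password, password_format):
    """Mirror HashPasswordForStoringInConfigFile: uppercase hex digest of the password
    (the stored form for passwordFormat="SHA1" or "MD5"); "Clear" is stored as typed."""
    fmt = password_format.upper()
    if fmt == "CLEAR":
        return password
    if fmt not in ("SHA1", "MD5"):
        raise ValueError("unsupported passwordFormat: " + password_format)
    return hashlib.new(fmt.lower(), password.encode("utf-8")).hexdigest().upper()

def make_credentials(users, password_format):
    """Build the <credentials> element for config.web from {name: clear password}."""
    creds = ET.Element("credentials", passwordFormat=password_format)
    for name, password in users.items():
        ET.SubElement(creds, "user", name=name,
                      password=hash_for_config(password, password_format))
    return ET.tostring(creds, encoding="unicode")

def authenticate(credentials_xml, name, password):
    """Check name/password against <credentials> like FormsAuthentication.Authenticate.
    The name match is case-insensitive (assumption of this example); the submitted password
    is converted to the stored format and compared with compare_digest so that the
    comparison time does not depend on where the first mismatch occurs."""
    creds = ET.fromstring(credentials_xml)
    fmt = creds.get("passwordFormat", "Clear")
    candidate = hash_for_config(password, fmt)
    for user in creds.findall("user"):
        if user.get("name", "").lower() != name.lower():
            continue
        stored = user.get("password", "")
        if fmt.upper() != "CLEAR":
            stored = stored.upper()  # a hex digest in the file may be written in either case
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    return False  # unknown user: fail closed, with no hint that the name was missing

# Constructed sample: the section's user, stored with passwordFormat="SHA1"
SAMPLE_CREDENTIALS = make_credentials({"ccBoy@msn.com": "ccboy"}, "SHA1")
```

Note that the stored SHA1/MD5 value is an unsalted digest of the password alone, so it protects a leaked config.web only as well as the password resists guessing.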

The MS document Forms Authentication Using An XML Users File shows another way to obtain the user names and passwords: for security purposes, the users and passwords are placed in a separate XML file. For more information, see the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconformsauthenticationutilities.asp

In the same way, you can put the users and passwords in a database table as you did before, for example:

void Login_Click(Object sender, EventArgs e) {
    if (Page.IsValid) {
        SQLDataReader dr;
        // Connect to the database
        SQLConnection cn = new SQLConnection("server=localhost;uid=myPassport;pwd=123;database=clientPassword;");
        cn.Open();
        // Create a command that fetches the stored password for this e-mail address.
        // Note: building the statement by concatenating UserEmail.Value is open to SQL injection;
        // a parameterized command should be used instead of embedding the user's input in the SQL text.
        SQLCommand cmd = new SQLCommand("SELECT Password FROM Users WHERE Email = '" + UserEmail.Value + "'", cn);
        cmd.Execute(out dr);
        if (dr.Read()) {
            if (dr["Password"].ToString() == UserPass.Value)
                FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
            else
                Msg.Text = "Invalid password. Please try again";
        }
        else {
            Msg.Text = "Email address not found.";
        }
        dr.Close();
        cn.Close();
    }
}

Similarly, this process can be pushed further: the check can be delegated to a business-logic .NET component, or to another Web Service. From this perspective it is already the same as MS Passport; by comparison, Microsoft's is the heavyweight method.
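The database-backed Login_Click above, as an added Python example with sqlite3 standing in for SQL Server (not the page's code). It keeps the page's three outcomes (redirect, invalid password, e-mail not found) but looks the user up with a bound parameter instead of string concatenation, and keeps the password in the table as a SHA1 hex digest rather than in clear text; the Users table and its single user are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

def sha1_hex(password):
    # Same stored form as the config-file SHA1 format: uppercase hex digest
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def open_sample_db():
    """Constructed stand-in for the clientPassword database: one Users table, one user."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Users (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)")
    cn.execute("INSERT INTO Users VALUES (?, ?)", ("new2001@msn.com", sha1_hex("ccboy")))
    cn.commit()
    return cn

def login(cn, user_email, user_pass):
    """Return the outcome Login_Click acts on: 'redirect', 'invalid password' or
    'email not found'. The e-mail is passed as a bound parameter, so whatever the user
    typed (quotes included) is treated as a value and never becomes part of the SQL text."""
    row = cn.execute("SELECT Password FROM Users WHERE Email = ?", (user_email,)).fetchone()
    if row is None:
        return "email not found"
    stored = row[0].upper()
    if hmac.compare_digest(stored.encode("utf-8"), sha1_hex(user_pass).encode("utf-8")):
        return "redirect"  # the page would call RedirectFromLoginPage here
    return "invalid password"
```

Returning two different failure messages, as the page's code does, tells a caller which e-mail addresses exist; a single generic message avoids that.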

5. mode="mymode"

This will be discussed later: ASP.NET also supports authentication and authorization schemes implemented by our own AP. That is a more advanced method; in fact, ASP.NET is more flexible and diverse than the previous version. Keith Brown discussed ASP.NET security issues in the November and December issues of MSDN Magazine.

To sum up, we have seen the basics of ASP.NET authentication. Its advantages are obvious, but if you do not like IIS itself, you will also want to consider other authentication schemes. Jeff Kercher's Authentication in ASP.NET: .NET Security Guidance will serve as a more macro-level guide for getting started and going deeper:

http://www.microsoft.com/china/msdn/library/dnbda/html/authaspdotnet.asp

That article describes the environment and advantages of the various authentication schemes, to help you select the best authentication method.
