Asp. NET program Security

1, identity-Who am I

In considering identity, we can describe ourselves with several unique features. For example, I am a blonde woman who likes to watch sci-fi movies and assemble PCs, but this information is not necessary for anyone interested in my badminton skills. The identity information stored in the site is likely to relate only to certain aspects of a person. For example, a shopping site saves the user's name, phone number, e-mail address, and home address, which are related to the sale of the product. They may not care about your personal interests (unless they are as big as Amazon), so they don't need to keep this kind of information about users, but that doesn't prevent them from having identity information about them.

The concept of identity, which I am, is a collection of a wide range of actual situations. You may have written a lot of facts on your resume, but these are also related only to potential employers. What to save and delete in your resume is up to you. The same is true when you save information about a member of a site, and you must determine which facts of the member you want to save at the development stage.

2, authentication-this is me

When attempting to log on to a Web site, users are required to enter certain certificates; For example, the combination of a mailing address and its password. The site must then determine whether the user is the person it claims to be, so the combination of e-mail addresses and passwords entered by the user must match the specific mailing address and password combination saved in the server file.

The process of authentication is the process of proving that you are the person you claim to be. Many sites, whether they are retail goods or community services, use a combination of e-mail addresses and passwords as an authentication method, a time-tested approach. Although this method is not absolute security, as long as the choice of a reliable password and strict confidentiality, while the site's code through rigorous testing, then the user's profile will only be used by the user himself.

3, authorization--that's what I can do.

After you enter a user name and password to the Web site, the Web server will not only verify that the password and user name match, but also see what permissions the site administrator has granted to the user. The next step after authentication is authorization, which retrieves more information about the type of user account you have.

For example, take a bank website for example. After the user's logon information has been validated, the server will view the user's permissions on that site. Like most users, you can search for accounts, transfer funds between accounts, or pay bills. However, if a bank is threatened with a security threat (similar to phishing (phishing) e-mail that spreads over the Internet), you may find yourself suddenly unable to add any Third-party proxy orders through this online application until the security crisis is lifted. The shutdown of a feature is likely to be controlled by an administrator who sets a special tag for some or all of the users, telling the user on the page that they no longer have permission to modify their account details.

4, Login site

The process of logging on to the site, from the user's point of view, is to enter a set of certificates, and then according to their profile to see the different user interface process. Usually, the user's certificate is a combination of user name plus password; However, for more secure sites, such as bank sites, you can log in other ways, including pin and security authentication. The basic principle of authentication is the same if you do not consider the method of routing authentication certificates to the server. Once the validation is complete, it is simpler to query the user's permissions through the authentication mechanism.