Comparison of several authentication methods in ASP.NET

Source: Internet
Author: User
Abstract: This article introduces two common authentication methods in ASP.NET applications, gives the implementation of each, and analyzes and compares their features.
1 Introduction
ASP.NET provides four authentication methods: Windows authentication, Forms authentication, Passport authentication, and IIS authentication. The authentication type for an application or directory is specified in the web.config file of the virtual directory. The code example is as follows.
  
This article introduces and compares the first two methods.
  
2 Windows Authentication
IIS performs the initial authentication using Basic, Digest, or Integrated Windows authentication, and the authenticated account is then used to access the requested resources. The account used must be one that already exists in Windows.
When Windows authentication is used, impersonation can be enabled through an element in web.config so that requests access resources under the account the user logged on with.
  
The roles and users attributes must contain at least one entry; multiple roles or users are separated by commas. The verbs attribute is optional. Web.config files in different applications or directories can be configured to restrict users' access to the resources there.
"*" stands for all roles, users, or verbs, and "?" stands for the user who accesses the site anonymously. When several web.config files apply, the one closest to the requested file overrides any duplicated entries in the configuration of a higher-level directory.
When the program finds the first matching entry it does not stop processing, but continues through all entries until it finds the best choice. This can therefore be used to allow access to a role while denying access to a specific user in that role.
In the IIS management tool, clear the "Allow Anonymous" check box in the directory's properties, then select one of the authentication methods listed below it: Basic, Digest, or Integrated Windows authentication.
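The following web.config is an added example, not a snippet from the article, that puts the settings from sections 1 and 2 together: the authentication mode, impersonation, and an authorization list that allows a role while denying one user in it. The domain, role and user names are constructed placeholders.

```xml
<!-- Added example (not from the article): web.config for a Windows-authenticated
     intranet application. CORP\... names are constructed placeholders. -->
<configuration>
  <system.web>
    <!-- The mode attribute selects the authentication method for this directory tree:
         Windows, Forms, Passport or None. -->
    <authentication mode="Windows" />

    <!-- Impersonation: requests run under the caller's Windows account, so NTFS
         permissions and SQL Server integrated security apply to that user rather
         than to the worker-process account. -->
    <identity impersonate="true" />

    <authorization>
      <!-- The specific deny is placed ahead of the broader allow so that one
           member of the role is excluded while the rest of the role is admitted. -->
      <deny users="CORP\contractor1" />
      <allow roles="CORP\Finance" verbs="GET,POST" />
      <!-- "?" is the anonymous user, "*" is everyone. -->
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- A nested web.config in the Admin subdirectory would override the rules above
       for that directory; a location element has the same effect from one file. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Impersonation is only worth enabling when the back-end resources actually carry per-user ACLs; otherwise it widens the set of accounts the application runs as without adding protection.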
  
3 Forms Authentication
The user submits credentials through a form provided by the application. If the application verifies them successfully, it issues a cookie containing the authentication credential, and the user can access the application for as long as the cookie is held. A typical web.config configuration is as follows:
  
Where:
(1) name: the cookie name.
(2) path: the path for which the cookie is valid. It is usually set to "/" to cover the whole site.
(3) loginUrl: the address of the logon page.
(4) protection: the cookie protection level. All: validate and encrypt the data; None: no protection; Encryption: encrypt only; Validation: validate only.
(5) timeout: the cookie expiration time, in minutes.
(6) requireSSL: whether SSL is required. Using SSL is strongly recommended.
The optional element that lists the users and passwords allowed to access protected resources also specifies the algorithm used to hash those passwords. Users and passwords can instead be stored in a database or an XML file, with code written to read and verify them. Storing password hashes rather than plaintext passwords is recommended.
Another element specifies how the key used to encrypt the cookie is generated; it is normally generated automatically.
Although ASP.NET does most of the work, you still have to write code to complete Forms authentication. The FormsAuthentication class, located in the System.Web.Security namespace, handles form-based authentication; see the detailed description in MSDN.
Note: resource protection under Forms authentication applies only to ASP.NET resources. To protect other types of resources, such as text and image files, add a file mapping in IIS.
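As an added example (not a fragment from the article), the two configurations below show the forms element with weak settings and then with the settings the article recommends, together with the optional user list and the cookie-key element. The cookie names, user name, hash value and key settings are constructed placeholders.

```xml
<!-- Added example (not from the article). Weak settings: the cookie is neither
     signed nor encrypted, may be sent over plain HTTP, and stays valid for a week. -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx"
         protection="None" timeout="10080" requireSSL="false" />
</authentication>

<!-- Corrected settings: encrypted and validated cookie, HTTPS only, short sliding
     timeout, optional built-in user list with hashed rather than plaintext passwords. -->
<authentication mode="Forms">
  <forms name=".MYAPPAUTH" path="/" loginUrl="login.aspx"
         protection="All" timeout="20" slidingExpiration="true"
         requireSSL="true">
    <credentials passwordFormat="SHA1">
      <!-- Constructed placeholder; a real entry holds the hex SHA1 digest of the password.
           For a large user base, keep salted hashes in a database instead. -->
      <user name="alice" password="PLACEHOLDER_SHA1_HEX_DIGEST" />
    </credentials>
  </forms>
</authentication>

<!-- Mark all cookies HttpOnly and HTTPS-only as well, not just the authentication cookie. -->
<httpCookies httpOnlyCookies="true" requireSSL="true" />

<!-- Key generation for cookie encryption and validation. AutoGenerate is fine on a
     single server; a web farm needs identical explicit keys on every node so that a
     cookie issued by one server validates on another. -->
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />
```

With protection="None" the cookie contents can be read and rewritten by whoever holds it, and without requireSSL a network observer can capture a valid ticket; the corrected block closes both of those gaps.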
  
4 Summary and Comparison
Windows authentication is still exposed to threats such as account hijacking and information leakage. When configured properly, however, it is more reliable and has a smaller attack surface than Forms authentication, and it allows finer control over user permissions. If an account is disclosed through improper configuration or an insecure network, the consequences can be severe. Because the account must be an existing Windows account, it is suited only to an enterprise intranet or a network with a relatively fixed set of users. Forms authentication suits environments with a large user base or open registration, such as large communities and forums, but it is more exposed than Windows authentication to attacks and threats such as SQL injection, cross-site scripting, and information leakage.