How to Use Forms for authentication through SQL Server2000

Summary

ASP. NET Forms authentication allows users to enter creden (username and password) into Web Form to identify their identities. When receiving these creden, Web applications can check these creden。 based on the data source to authenticate users.

This module describes how to use password hash to securely store user creden in SQL Server, and how to authenticate users based on the account database contained in SQL Server.

Prerequisites

Secure storage of user creden includes two key concepts:

• Store the password summary. For security reasons, do not store the plaintext of the password in the database. This module describes how to create and store one-way hash of user passwords instead of passwords themselves. If you want to store the encrypted user password, we recommend that you use this method because it avoids key management issues related to encryption technologies.

In order to increase security and reduce the threats related to dictionary attacks, the methods described in this module combine salt (random number generated by encryption) and password before creating a password hash.

• One disadvantage of storing passwords in the database is that once a user forgets the password, the password cannot be recovered. Therefore, the application should use password prompts and store them together with the password summary in the database.

• Verify user input. When passing user input to an SQL command, such as a string in a comparison statement or a pattern matching statement, you should carefully verify the input to ensure that the final command does not contain syntax errors, make sure that the hacker does not run any SQL command on your application. It is particularly important to verify the user name provided during the login process, because the security model of the application depends entirely on whether the user can be properly and securely authenticated.

Create a Web application with a logon page

This process creates a simple Visual C # Web application, which contains a logon page where users can enter their usernames and passwords.

To create a Web application with a logon page, perform the following steps:

• Start Visual Studio. NET and create a new Visual C # ASP. NET Web application named FormsAuthSQL.

• Use Solution Explorer to rename WebForm1.aspx to Logon. aspx

• Add the controls listed in Table 1 to Logon. aspx to create a simple Logon form.

Table 1: Text ID of the Logon. aspx control type

Label

User Name:

-

Label

Password

-

Text Box

-

TxtUserName

Text Box

-

TxtPassword

Button

Register

BtnRegister

Button

Logon

BtnLogon

Label

-

LblMessage

Your Web page should be similar to the page shown in Figure 1.

Figure 1. Web form on the logon page

• Set the TextMode attribute of txtPassword to Password.

Configure Web applications for Forms authentication

In this process, edit the Web. config file of the application to configure the application for Forms authentication.

To configure a Web application for Forms authentication, perform the following steps:

1. Use Solution Explorer to open Web. config.

2. Locate the element and change the mode attribute to Forms.

3. Add the following elements as child elements and set the loginUrl, name, timeout, and path attributes, as shown below:

MS loginUrl = "logon. aspx" name = "sqlAuthCookie" timeout = "60" path = "/">

4. Add the following elements to the element to allow only authenticated users to access the application. The loginUrl attribute of the previously created element redirects unauthenticated requests to the logon. aspx page.

Develop functions for generating hash and Salt values

This process adds two utility methods to the Web application. One method generates one random salt value and the other creates a hash Based on the provided password and salt value.

To develop functions that generate hash and salt values, perform the following steps:

1. Open Logon. aspx. cs and add the following using statements to the existing using statements located at the top of the file.

Using System. Security. Cryptography;

Using System. Web. Security;

2. Add the following static methods to the WebForm1 class to generate a random salt value and return this value as a Base 64-encoded string.

Private static string CreateSalt (int size)

{

// Generate a cryptographic random number using the cryptographic

// Service provider

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider ();

Byte [] buff = new byte [size];

Rng. GetBytes (buff );

// Return a Base64 string representation of the random number

Return Convert. ToBase64String (buff );

}

3. Add the following static method to generate a hash value based on the provided password and salt value.

Private static string CreatePasswordHash (string pwd, string salt)

{

String saltAndPwd = String. Concat (pwd, salt );

String hashedPwd =

FormsAuthentication. HashPasswordForStoringInConfigFile (

SaltAndPwd, "SHA1 ");

Return hashedPwd;

}

Create a user account database

This process creates a new user account database in SQL Server, which contains a user table and a stored procedure used to query the user database.

To create a user account database, perform the following operations:

1. on the Microsoft SQL Server programs menu, click Query Analyzer and connect to the local SQL Server.

2. Enter the following SQL script. Note: you must replace the "LocalMachine" at the end of the script with your computer name ".