Implementation of ASP+ Security Authentication



The .NET platform and its ASP+ provide powerful development capabilities that no programmer can ignore, and a preference for one language should not keep you from the most efficient development tool. At present, ASP+ does offer a number of functions that JSP cannot match.

Using ASP+, you will really feel the freedom of language choice: you can write ASP+ pages in compiled languages such as C#, and you can see all the compilation information on the Web page. With the dozens of powerful server-side controls provided by ASP+, you can achieve almost all the functionality that earlier client RAD development tools could achieve. ASP+ can use .NET directly and conveniently; with a few simple functions, you can use XML to replace some databases or to exchange information with other programs.

In the future, more and more languages will support ASP+ development. Fujitsu's US subsidiary has already launched COBOL for .NET, so COBOL can also be used to develop ASP+ applications. The only regret is that ASP+ does not currently run on platforms other than the Windows family, but that is exactly what .NET is working on.

Given these advantages, more and more Web applications will be developed with ASP+. When implementing applications such as e-commerce, we must pay attention to a variety of security issues, which involve the operating system, network management, program security and many other aspects. Because space is limited, this article introduces only how to use ASP+ configuration and programs to implement secure authentication.

Related configuration of ASP+

The ASP+ configuration method is rather unusual. It stores configuration information in config.web, an XML file whose content you can easily modify with Notepad or an XML editor. Subdirectories inherit or override the configuration settings of their parent directory: given a config.web file in the root directory, every lower-level directory automatically inherits the configuration in that file, and if a subdirectory requires additional configuration, we can create another config.web and place it in that subdirectory. This approach to configuration management is extremely helpful for installing your application, modifying its configuration, and managing security.

ASP+ provides three main forms of authentication: Windows, Cookie, and Passport. Windows refers to Windows' own security management; you can secure the application by setting permissions for Windows users and IIS, but for some large applications this method becomes very complex and cumbersome. Passport mode is more convenient and safe: users can access any member site with a single username and password, and all Passport-related information is cleared when they log off, so it can be used safely in public places. Passport is probably better suited to Internet applications. In enterprise applications, cookies combined with SSL, IP restrictions and other network management techniques can also achieve a certain degree of security.

The following is a description of the cookie configuration:

You need to create a config.web like the following and place it under C:\inetpub\wwwroot (the IIS default directory). The config.web that the system creates at installation is generally in the winnt\microsoft.net\framework\v ... directory.

This configuration file declares that authentication uses cookies. When you access an .aspx file in the directory or its subdirectories without an authenticated cookie, you are redirected to Login.aspx. If a directory should not require authentication (for example, a program through which users can apply), you can create a config.web like the following and place it in that directory:

Programming

You need to create two ASP+ programs, Default.aspx and Login.aspx, in the root directory.

The contents of the Login.aspx program are as follows:

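    <%@ Import Namespace="System.Web.Security" %>
    <%@ Import Namespace="System.Data" %>
    <%@ Import Namespace="System.Data.ADO" %>
    <html>
    <head><title>Login</title></head>
    <script language="C#" runat=server>
    void Login_Click(Object sender, EventArgs e) {
        if (Page.IsValid) {
            ADODataReader dr;
            // Connect to the database; user names and passwords are in the
            // users table of the ODBC data source qcdb
            ADOConnection cn = new ADOConnection("dsn=qcdb");
            cn.Open();
            // Select the matching user's record. The user name is placed inside a
            // SQL string literal, so single quotes in it are doubled; bind it as a
            // command parameter instead wherever the data provider supports that.
            ADOCommand cmdQuestion = new ADOCommand(
                "select Password from users where name = '"
                + YourName.Text.Replace("'", "''") + "'", cn);
            // Build a DataReader to get the SQL results
            cmdQuestion.Execute(out dr);
            if (dr.Read()) {   // get the first matching row
                if (dr["Password"].ToString() == Password.Text)
                    // Generates the cookie; if the user checked AbidingCookie,
                    // the cookie is saved permanently
                    CookieAuthentication.RedirectFromLoginPage(YourName.Text, AbidingCookie.Checked);
                else
                    Msg.Text = "Bad password";
            } else {
                Msg.Text = "User name does not exist";
            }
        }
    }
    </script>
    <body>
    <!-- Controls referenced by Login_Click; markup reconstructed from the IDs the code uses -->
    <form runat=server>
      User name: <asp:TextBox id="YourName" runat=server/>
      Password: <asp:TextBox id="Password" TextMode="Password" runat=server/>
      <asp:CheckBox id="AbidingCookie" runat=server/> Do not want to enter the password next time
      <asp:Button Text="Login" OnClick="Login_Click" runat=server/>
      <asp:Label id="Msg" runat=server/>
    </form>
    </body>
    </html>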

The contents of the Default.aspx program are as follows:

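    <%@ Page Language="C#" %>
    <html>
    <head><title>Welcome to the world of .NET</title></head>
    <script language="C#" runat=server>
    private void Page_Load(Object Src, EventArgs E) {
        Welcome.InnerHtml = "Congratulations on your Authentication " + Context.User.Identity.Name;
    }
    private void Signout_Click(Object sender, EventArgs E) {
        // Pressing the SignOut button clears the existing cookie
        CookieAuthentication.SignOut();
        // Let the user enter a new user name and password
        Response.Redirect("Login.aspx");
    }
    </script>
    <body>
    <!-- Controls referenced by the code above; markup reconstructed from the IDs it uses -->
    .NET authentication system prompt: <span id="Welcome" runat=server/>
    <form runat=server>
      <asp:Button Text="SignOut" OnClick="Signout_Click" runat=server/>
    </form>
    </body>
    </html>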

Specifically, when an unauthenticated user browses to an .aspx file on your site (note that cookie authentication applies only to .aspx files), the system finds that the user has no cookie and redirects the user to Login.aspx. When the user enters the correct username and password, the system generates a cookie for the user, automatically redirects to the .aspx file the user originally wanted to browse, and executes it. By default the user is directed to Default.aspx, and the Default.aspx provided above shows that the user has passed authentication.

Summary

HTTP requests carrying the same cookie are treated as coming from the same Web browser, because the cookie is what tracks application access and browser-specific information during a session. It is therefore necessary to prevent unauthorized interception of cookie information by means such as sniffers. You need to consider using SSL or another method of encrypting the communication link.

For the above program, you can easily add user IP address information to the table to verify intranet users. Because a cookie is like an identity card, the cookie should be cleared when the browser is closed, to prevent someone from using it illegally.

In short, cookie-based authentication, combined with various encryption methods and a sound security configuration of the operating system, can provide sufficient support for most applications that require secure authentication.
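The cookie protections recommended in the summary, as an added C# example (not code from the original article, and written against current .NET rather than ASP+): a ticket that is HMAC-signed, bound to the client IP and an expiry time, and delivered as a Secure session cookie. The AuthTicket class, its methods, the cookie name auth, the key and the sample values are all hypothetical and constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AuthTicket
{
    // Constructed demo key; a real site loads a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
    static string Sign(string payload)
    {
        using var mac = new HMACSHA256(Key);
        return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Ticket layout: base64(name)|clientIp|expiryUnixSeconds|HMAC over the first three fields.
    public static string Issue(string name, string clientIp, DateTimeOffset expires)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(name))
                         + "|" + clientIp + "|" + expires.ToUnixTimeSeconds();
        return payload + "|" + Sign(payload);
    }

    // Returns the user name, or null when the ticket is altered, expired, or sent from another IP.
    public static string Validate(string ticket, string clientIp, DateTimeOffset now)
    {
        string[] f = ticket.Split('|');
        if (f.Length != 4) return null;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(f[0] + "|" + f[1] + "|" + f[2]));
        if (!CryptographicOperations.FixedTimeEquals(expected, Encoding.UTF8.GetBytes(f[3]))) return null;
        if (f[1] != clientIp) return null;
        if (!long.TryParse(f[2], out long exp) || now.ToUnixTimeSeconds() >= exp) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(f[0]));
    }

    // No Expires/Max-Age, so the browser discards the cookie on exit; Secure keeps it off plain HTTP.
    public static string SetCookieHeader(string ticket) =>
        "Set-Cookie: auth=" + Uri.EscapeDataString(ticket) + "; Path=/; Secure; HttpOnly";
    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string t = Issue("alice", "10.0.0.5", now.AddMinutes(20));   // constructed sample values
        Console.WriteLine(SetCookieHeader(t));
        Console.WriteLine(Validate(t, "10.0.0.5", now) ?? "rejected");               // same client
        Console.WriteLine(Validate(t, "10.0.0.9", now) ?? "rejected");               // different IP
        Console.WriteLine(Validate(t, "10.0.0.5", now.AddHours(1)) ?? "rejected");   // after expiry
        Console.WriteLine(Validate(t + "x", "10.0.0.5", now) ?? "rejected");         // altered MAC
    }
}
```

Binding the ticket to an IP address suits the intranet case the article describes; clients whose address changes between requests would have to log in again.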



