ASP.NET security is a very important aspect of Web applications. It covers a wide range of topics and cannot be described in a single article. This article describes how to use IIS and Forms authentication to build a secure ASP.NET application, which is currently the most widely used authentication/authorization method.
This document implements Forms authentication with ASP.NET 1.1 and ASP.NET 2.0, and describes the improvements or changes in ASP.NET 2.0 compared with the previous version. I believe that readers have read many articles similar to this one, on the Internet or in professional books, and Model & Practice team members recently published a guide to the WCF security model; it can be seen that building website security is always an out-of-date topic. The author thinks this article is definitely a reference you should collect.
Working principle of ASP.NET Security
Websites have a common security requirement: only some members or other authenticated users are allowed to browse a specific page. It is best to take full advantage of Forms authentication.
Authentication
The security models of ASP.NET 1.1 and ASP.NET 2.0 are consistent. First, configure the website to use the Forms authentication mode. Then, when the user accesses a URL of the website, the Forms authentication system redirects unauthenticated requests to the specified logon page. The user enters credentials (username and password) and submits this page. If the validators verify that the user's identity is valid, the system sends a specific cookie to the client (ASP.NET 1.1 does not support the cookieless mode). The cookie represents the user's authentication ticket. The client browser then sends the cookie to the server with each subsequent request. If the cookie is valid, the user passes authentication and is allowed to access the resources of the original request.
Authorization
Once the user's request has been authenticated, authorization decides whether the requested URL permits the user to access it. You can use the application configuration file to authorize users, or use code in the program to verify that users are eligible to access the resource. If authorization fails, ASP.NET redirects the user to the logon page. If the user has been authorized, the user is allowed to access the protected resources.
ASP.NET 1.1 implementation
The implementation in ASP.NET 1.1 is very simple, but we still need to write some code. Next we will implement it step by step. For detailed descriptions of the application configuration sections, see the relevant MSDN documentation.
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXCOOKIEAUTH" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
        </authentication>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <location path="Admin">
        <system.web>
          <authorization>
            <allow roles="Admins" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>
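The Admin rule above matches on roles, and in ASP.NET 1.1 the Forms authentication module creates the user principal without any roles, so code has to supply them. The following is an added example, not the article's own code: the AuthTicket class, its Issue method, the '|' role separator and the 30-minute lifetime (chosen to match timeout="30") are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the article). Call Issue() from Login.aspx
// only after the submitted user name and password have been verified.
public class AuthTicket
{
    public static void Issue(HttpResponse response, string userName, string[] roles)
    {
        // Roles travel in the ticket's UserData field, '|'-separated (assumption).
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // assumed to match timeout="30"
            false,                          // session cookie, not persistent
            String.Join("|", roles),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() honours protection="All": the ticket is encrypted and
        // integrity-protected, so the client cannot edit its own role list.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }
}

// Global.asax code-behind: runs on every request, after the Forms
// authentication module has validated and decrypted the cookie.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;                 // anonymous request
        FormsIdentity id = Context.User.Identity as FormsIdentity;
        if (id == null) return;                           // not a Forms login

        string data = id.Ticket.UserData;
        string[] roles = data.Length == 0 ? new string[0] : data.Split('|');

        // Replace the role-less principal so <allow roles="Admins"/> can match.
        Context.User = new GenericPrincipal(id, roles);
    }
}
```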
The preceding section describes ASP.NET security.