ASP.NET security question: detailed introduction to Forms authentication (Part 1)

Source: Internet
Author: User
Tags: set cookie


In ASP.NET, Forms authentication is the most commonly used authentication scheme, mainly because of its flexibility. Forms authentication involves a lot of details, and skipping over them would be irresponsible both to readers and to myself.

Series article links:

ASP.NET development security issues

ASP.NET security issues: creating secure Web applications

ASP.NET security questions: ASP.NET security architecture

ASP.NET security question: ASP.NET security architecture, how .NET security is implemented

ASP.NET security question: authentication and the identity authentication module in the ASP.NET lifecycle

ASP.NET security question: detailed introduction to Forms authentication (Part 1)

ASP.NET security question: Forms authentication details (Part 1)

ASP.NET security questions: Forms authentication (later part), practice

ASP.NET security question: authorization question in ASP.NET (previous article)

 

This article covers the following topics:
How Forms authentication works
APIs in Forms authentication

 
How Forms authentication works
We know that Forms authentication is mainly cookie based. Put simply, the server stores user information in a cookie and sends it to the client; on later requests the server parses the cookie the client sends back and performs authentication with the information in it. I will not describe how cookieless mode works here; you can refer to my other article: Introduction to ASP.NET internal mechanism (1).
 
When an anonymous user requests a page or resource that requires authentication, and Forms authentication is configured, the URL authorization module redirects the user to the logon page and saves the originally requested URL. After the user logs on successfully, they are redirected back to the page they originally requested. I think everyone has used this.

Let's take a look at what happens during logon, step by step. Please pay attention to some of the terms I use, because each of them corresponds to a specific object in Forms authentication, and this will be very important later.
1. The browser shows a logon form. The user enters the user name, password and any other credentials and submits them to the server's ASP.NET application, which checks whether the credentials are correct.
2. If the credentials are correct, an "authentication ticket" is created on the server. The authentication ticket contains the user information in encrypted form.
3. The ticket is then written into a cookie on the server side and sent to the client.
4. The user is then redirected to the URL they originally requested.

Note: You may wonder where the originally requested URL is stored. Don't worry about that for now; you only need to understand the process above.
5. The last step switches back to the URL of the initial request. Suppose the initially requested page was Default.aspx: the browser is now sent from Login.aspx to Default.aspx. Because the authentication ticket cookie already exists in the client's browser, the client's switch to Default.aspx is in fact a new request to the server, and that request must again go through the whole ASP.NET pipeline lifecycle: Application_BeginRequest, Application_AuthenticateRequest, ... (I hope everyone understands this.)

But this request is not the same as the first request we made. Why?
The first time we requested Default.aspx we did not provide any ticket proving our identity; this time we have logged on, and our browser already carries the cookie holding our authentication ticket. So in the Application_AuthenticateRequest event the Forms authentication module obtains the cookie that identifies us and uses the information in it to populate Context.User.
After the authentication module has run, the authorization module takes over. The URL authorization module uses the Context.User we just populated to check whether the user is authorized to access the requested resource or page.


APIs in Forms authentication
Before implementing Forms authentication, let's look at the Forms authentication APIs and related classes:
FormsAuthenticationModule: the HTTP module that authenticates each request
FormsAuthentication: contains the common methods and properties of Forms authentication (important)
FormsIdentity: the identity produced by Forms authentication
FormsAuthenticationTicket: the authentication ticket, i.e. the user information that gets encrypted. We generally write it into the cookie, as discussed above.
All of the above classes live in the System.Web.Security namespace.

Next we will introduce them one by one.

FormsAuthenticationModule
This is a class that implements the IHttpModule interface. It handles the Application_AuthenticateRequest event of every request. If the incoming request already carries the authentication cookie, the module decrypts and parses it, creates a FormsIdentity instance, and wraps it in a GenericPrincipal instance that it assigns to Context.User.
Note: After we configure Forms authentication in Web.config, we write code against the Forms-related APIs. I talked about this in the previous article.
 
 
FormsAuthentication class
This class is very important.

Note that the names FormsAuthentication and FormsAuthenticationModule are similar and easy to confuse.

The difference between them is that FormsAuthenticationModule is an HTTP module, while FormsAuthentication is a class with many methods and properties. Put bluntly, the two are not directly connected, but in the Application_AuthenticateRequest event we often call methods and properties of the FormsAuthentication class. In addition, most FormsAuthentication members are static methods, so we never create instances of the FormsAuthentication class.

Note the FormsAuthentication.Authenticate method.
As we said before, we generally submit user information in the logon form, and the server then verifies what was submitted. On the server side we usually go to a database to check whether the information is correct; however, checking a database or another data store (such as a file or Active Directory) is only one possibility.
There is another situation. I don't know if you remember this node that can be configured in Web.config:
<authentication mode="Forms">
  <forms>
    <!-- passwordFormat="Clear" is required for the plain-text passwords shown here; the default format is SHA1 -->
    <credentials passwordFormat="Clear">
      <user name="Xiaoyang" password="Xiaoyang"/>
      <user name="panyan" password="panyan"/>
    </credentials>
  </forms>
</authentication>

If the above information is configured in the configuration file, we can use the Authenticate method to check whether the supplied user name and password are correct. If the user information is not configured in Web.config, that is, we store it in a database or somewhere else, then we cannot use the Authenticate method for it. Of course, we seldom use the Authenticate method, because we cannot hard-code all user information into the configuration file, but we still need to know about it.
 
In addition, I will briefly introduce some common methods.
The RedirectFromLoginPage method is the most frequently used FormsAuthentication method. It is called once the user's credentials have been verified and does what we described earlier: it jumps back to the page we originally requested.
This method looks like a simple "jump", but internally it actually does a lot of work:
1. Create an authentication ticket for the user
2. Encrypt the authentication ticket
3. Create a cookie and save the encrypted ticket in the cookie
4. Add the cookie to the HTTP response and send it to the client
5. Redirect the user to the page they originally requested
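The following is an added example, not code from the original post, showing the logon steps described above in a Login.aspx code-behind. The first handler lets RedirectFromLoginPage do all five steps; the second method does the same steps by hand with Encrypt, HttpCookie and GetRedirectUrl, which is the form you need when extra data such as roles has to go into the ticket. The control names (txtUser, txtPassword, chkRemember, lblError) and the 30-minute ticket lifetime are assumptions, and the Authenticate call only works against the <credentials> section in Web.config; a real application replaces it with its own credential check.

```csharp
// Added example (not from the original post): Login.aspx code-behind.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed control names: txtUser, txtPassword, chkRemember, lblError.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text;
        string password = txtPassword.Text;

        // Step 1: check the credentials. FormsAuthentication.Authenticate only
        // checks the <credentials> section of Web.config; replace it with a
        // database or Active Directory lookup in a real application.
        if (!FormsAuthentication.Authenticate(user, password))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Steps 2 to 5 in one call: create the ticket, encrypt it, write the
        // cookie, add it to the response and redirect to the ReturnUrl.
        FormsAuthentication.RedirectFromLoginPage(user, chkRemember.Checked);
    }

    // The same five steps done by hand, so each one is visible. Use this
    // form when extra data (e.g. a role list) must go into UserData.
    protected void LoginWithUserData(string user, string userData, bool persistent)
    {
        // Step 2: the ticket holds the user information (assumed 30-minute lifetime).
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            user,                                 // ticket.Name, the user name
            DateTime.Now,                         // IssueDate
            DateTime.Now.AddMinutes(30),          // Expiration
            persistent,                           // IsPersistent ("remember me")
            userData,                             // e.g. "Admin,Editor"
            FormsAuthentication.FormsCookiePath); // CookiePath, normally "/"

        // Step 3: encrypt the ticket and put it into the Forms cookie.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                        // keep client script away from the ticket
            Secure = FormsAuthentication.RequireSSL // honour requireSSL from Web.config
        };
        // Only a persistent cookie carries an Expires date; a session cookie
        // is dropped when the browser closes.
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }

        // Step 4: add the cookie to the response.
        Response.Cookies.Add(cookie);

        // Step 5: GetRedirectUrl returns the originally requested URL (ReturnUrl);
        // the redirect itself is our call.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, persistent));
    }
}
```

The manual version exists because RedirectFromLoginPage writes an empty UserData; if the ticket should carry roles, you build it yourself as shown. Keeping HttpOnly set is what the FormsAuthenticationModule does for its own cookie, so the hand-built cookie should match it.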

In addition, the FormsAuthentication class has many other methods and properties:

The two FormsAuthentication properties that concern how the client saves the cookie are:
FormsCookieName: gets the cookie name
FormsCookiePath: gets the cookie's URL path

Note one thing about the FormsCookiePath property: most browsers use the cookie path when deciding whether to send the cookie along with a request (we usually configure path="/" in the configuration file). If the configured path is not "/", the cookie will not be sent with requests to URLs outside that path, and the path comparison made by browsers is case-sensitive.


The FormsAuthentication methods related to cookie operations are:
Decrypt: takes the encrypted content of the authentication cookie and reconstructs the FormsAuthenticationTicket, i.e. decryption.
Encrypt: takes the information in a FormsAuthenticationTicket and encrypts it, so that we can write the encrypted result into the cookie.
GetAuthCookie: creates an authentication cookie but does not add it to the HTTP response.
SetAuthCookie: creates an authentication cookie and adds it to Response.Cookies.
RenewTicketIfOld: refreshes the lifetime of the authentication ticket (sliding expiration).

GetRedirectUrl: returns the URL of the page the user originally requested, so that we can redirect them there.
SignOut: expires and removes the current authentication cookie. We commonly use it for the logout function.


FormsIdentity
You should know what an identity is: it carries the user name and related identity information. For more information, see my previous article.
FormsAuthenticationTicket
Everyone is familiar with it: FormsAuthenticationTicket is the class whose instance actually holds the user information.
Note the difference between FormsAuthenticationTicket and the cookie:
the cookie is only the carrier, the container, and it holds the encrypted FormsAuthenticationTicket.

The user-name property (Name) of the FormsAuthenticationTicket class holds the user name. We can distinguish different users by this property.
Because authentication is cookie based, you must consider cookie expiry. For example, we often have a "remember me" checkbox on the logon form. If it is checked, a cookie that never expires is created, and that is not secure. I do not recommend it.

Therefore, FormsAuthenticationTicket also has properties that control the cookie:

Expiration: gets a DateTime indicating when the ticket expires
Expired: indicates whether the ticket has expired
IsPersistent: whether the cookie is kept after the user closes the browser
IssuedDate: returns the time at which the ticket was originally issued

Another is CookiePath: the cookie's path. As mentioned earlier, it is generally set to "/".

In addition to identifying users, FormsAuthenticationTicket lets us attach extra information through its UserData property, such as roles, and that extra information is saved in the cookie along with the rest of the ticket.
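The following is an added example, not code from the original post, of a Global.asax.cs handler that runs in Application_AuthenticateRequest after FormsAuthenticationModule has processed the cookie. It decrypts the ticket with Decrypt, checks Expired, renews it with RenewTicketIfOld, and turns the comma-separated role list stored in UserData (the format is an assumption of this example) into a GenericPrincipal with roles, so that URL authorization can use both the user name and the roles.

```csharp
// Added example (not from the original post): Global.asax.cs.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // No Forms cookie on the request: the user stays anonymous.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt validates the MAC and decrypts with the machineKey;
            // a tampered or foreign cookie makes it throw.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // treat an unreadable cookie as unauthenticated
        }

        if (ticket == null || ticket.Expired)
        {
            return; // Expired: the ticket is past its Expiration time
        }

        // Sliding expiration: RenewTicketIfOld returns a new ticket when more
        // than half the lifetime has passed, otherwise the same instance.
        FormsAuthenticationTicket current = FormsAuthentication.RenewTicketIfOld(ticket);
        if (!ReferenceEquals(current, ticket))
        {
            cookie.Value = FormsAuthentication.Encrypt(current);
            cookie.Path = current.CookiePath;
            cookie.HttpOnly = true;
            Response.Cookies.Add(cookie);
        }

        // UserData carries the role list written at logon (assumed "Admin,Editor" format).
        string[] roles = ParseRoles(current.UserData);

        // FormsIdentity wraps the ticket; GenericPrincipal adds the roles so
        // that User.IsInRole and <allow roles="..."/> work for this request.
        var identity = new FormsIdentity(current);
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Splits the comma-separated UserData into role names, ignoring blanks.
    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData))
        {
            return new string[0];
        }
        string[] parts = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < parts.Length; i++)
        {
            parts[i] = parts[i].Trim();
        }
        return parts;
    }
}
```

Because the roles come out of the encrypted and MAC-protected ticket, the client cannot edit them; the check that matters is therefore that Decrypt succeeds and that the ticket is not expired before any role is trusted.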

That's all for today. First get a general understanding; we'll look at the specific code next time. Thank you!!!
