ASP.NET security
The .NET platform and its ASP+ provide development capabilities that no programmer can afford to ignore, and a preference for one language should not keep you from the most efficient development tool. At present ASP+ already offers a number of features that JSP cannot match.
With ASP+ you really feel free to choose your language: when you write in a compiled language such as C# in an ASP+ page, all compilation information is shown on the page, and with the dozens of powerful server-side controls ASP+ provides you can achieve almost everything your previous client RAD tools could. ASP+ can use the .NET framework directly and conveniently; with a few simple functions you can use XML in place of some databases or to exchange information with other programs.
In the future more and more languages will support ASP+ development; Fujitsu's US subsidiary has already launched COBOL for .NET, so COBOL can also be used to develop ASP+ applications. The only regret is that ASP+ currently runs only on the Windows series and not on other platforms, but that is exactly what .NET is working towards.
Given the above advantages, more and more Web applications will be developed with ASP+. When implementing applications such as e-commerce we must pay attention to a variety of security issues involving the operating system, network management, program security and many other aspects. Limited by space, this article introduces how to use ASP+ configuration and programs to implement secure authentication.
Related configuration of asp+
The ASP+ configuration method is somewhat unusual: it stores configuration information in an XML file named config.web, which you can edit easily with Notepad or an XML editor. Settings are inherited by subdirectories and can be overridden there. If a config.web is placed in the root directory, every subdirectory automatically inherits its configuration; if a subdirectory needs different settings, you create another config.web and place it in that subdirectory. This configuration management approach is extremely convenient for installing applications, modifying configuration and managing security.
ASP+ provides three main forms of authentication: Windows, Cookie and Passport. Windows refers to Windows' own security management; you secure the application by setting permissions for Windows users and in IIS, but for large applications this method becomes very complex and cumbersome. Passport mode is more convenient and safe: a user can access any member site with a single user name and password, all Passport-related information is cleared when the user logs off, and it can therefore be used safely in public places; Passport is better suited to Internet applications. In enterprise applications, cookies combined with SSL, IP restrictions and other network management techniques can also achieve a reasonable degree of security.
The following describes the cookie configuration.
You need to create a config.web with the following content and place it under C:\inetpub\wwwroot\ (the IIS default directory). The config.web created when the system was installed is typically in the \winnt\microsoft.net\Framework\v... directory.
<configuration>
<security>
<authentication mode="Cookie">
<cookie decryptionkey="AutoGenerate" loginurl="/login.aspx" cookie=".ASPXAUTH"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</security>
</configuration>
This configuration declares that authentication is done by cookie; the "?" in the deny element stands for anonymous (unauthenticated) users. When you access an .aspx file in this directory or its subdirectories without a valid authentication cookie, you are redirected to Login.aspx. If a directory does not require authentication (for example programs that any user may run), create another config.web and place it in that directory:
<configuration>
<security>
<authorization>
<allow users="*"/>
</authorization>
</security>
</configuration>
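The config.web elements above belong to the ASP+ beta. The same two-file layout in the syntax of released ASP.NET (web.config, forms authentication) is shown below as an added example; it is not part of the original article. It also turns on the cookie protections the summary of this article asks for (SSL-only, encrypted and signed ticket, no script access). The directory name "public" is an assumption standing in for whatever directory you want to leave open.

```xml
<!-- web.config in the application root (added example, released ASP.NET syntax) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Counterpart of the article's <cookie> element: cookie name and login page.
           protection="All" encrypts and signs the ticket, requireSSL makes the browser
           send the cookie only over HTTPS, timeout is in minutes. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Counterpart of decryptionkey="AutoGenerate": keys used to sign and encrypt the ticket -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1"
                decryption="AES" />

    <authorization>
      <!-- "?" is the anonymous user: anyone without a valid ticket is sent to loginUrl -->
      <deny users="?" />
    </authorization>

    <!-- HttpOnly keeps the ticket out of reach of script running in the page -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Counterpart of the article's second config.web: one subdirectory open to everyone.
       "public" is an assumed directory name. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Unlike the beta, released ASP.NET keeps the per-directory override in a single file through the location element, so the open directory does not need its own config file, although a web.config placed inside the subdirectory still works and is inherited the same way the article describes.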
Programming
You need to create two ASP+ programs, Default.aspx and Login.aspx, under the root directory.
The contents of the Login.aspx program are as follows:
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.ADO" %>
<html>
<head><title>Login</title></head>
<script language="C#" runat="server" debug="true">
void Login_Click(Object sender, EventArgs e) {
    if (Page.IsValid) {
        ADODataReader dr;
        // Connect to the ODBC data source QCDB; user names and passwords are stored in its Users table
        ADOConnection cn = new ADOConnection("dsn=qcdb");
        cn.Open();
        // Select the stored password for the entered user name.
        // The single quote is doubled so that a quote typed by the user cannot break out of the
        // SQL literal; a parameterised command is the proper fix for this SQL injection risk.
        string safeName = YourName.Text.Replace("'", "''");
        ADOCommand cmdQuestion = new ADOCommand("SELECT Password FROM Users WHERE Name = '" + safeName + "'", cn);
        // Run the query and obtain a DataReader over the result
        cmdQuestion.Execute(out dr);
        if (dr.Read()) {   // read the first row of the result
            if (dr["Password"].ToString() == Password.Text)
                // Issue the authentication cookie and return to the page originally requested;
                // if the user ticked AbidingCookie, the cookie is saved permanently
                CookieAuthentication.RedirectFromLoginPage(YourName.Text, AbidingCookie.Checked);
            else
                Msg.Text = "Bad password";
        } else {
            Msg.Text = "User name does not exist";
        }
        dr.Close();
        cn.Close();
    }
}
</script>
<body>
<asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" runat="server" />
<form runat="server">
<table>
<tr>
<td><asp:Label Text="User name:" runat="server" /></td>
<td><asp:TextBox id="YourName" runat="server" /></td>
</tr>
<tr>
<td><asp:Label Text="Password:" runat="server" /></td>
<td><asp:TextBox id="Password" TextMode="Password" runat="server" /></td>
<td><asp:Button id="BtnLogin" Text="OK" OnClick="Login_Click" runat="server" /></td>
</tr>
<tr>
<td>Do not want to enter the password next time</td>
<td><asp:CheckBox id="AbidingCookie" runat="server" /></td>
</tr>
</table>
</form>
</body>
</html>
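The login page above compares a plaintext password fetched by a query built from user input, and it tells the visitor whether the user name or the password was wrong. As an added example (not the article's code) the code-behind below does the same login with the released ASP.NET API: a parameterised SqlClient query, a PBKDF2 hash verified in constant time, one neutral error message, and FormsAuthentication.RedirectFromLoginPage in place of CookieAuthentication. It assumes a connection string named QcDb in web.config and a Users table with Name, PasswordSalt, PasswordHash and Iterations columns; the control names Msg, YourName, Password and AbidingCookie are the article's.

```csharp
// login.aspx.cs (added example; assumes the page declares CodeBehind="login.aspx.cs" Inherits="Login")
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed: <connectionStrings><add name="QcDb" connectionString="..."/></connectionStrings> in web.config
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["QcDb"].ConnectionString;

    // Dummy record used when the name is unknown so the hash check takes the same time either way
    private static readonly byte[] DummySalt = new byte[16];
    private static readonly byte[] DummyHash = new byte[32];

    protected void Login_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;

        bool userFound = false;
        byte[] salt = DummySalt, storedHash = DummyHash;
        int iterations = 10000;

        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash, Iterations FROM Users WHERE Name = @name", cn))
        {
            // The user name travels as a parameter value, never as part of the SQL text
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = YourName.Text;
            cn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (dr.Read())
                {
                    userFound = true;
                    salt = (byte[])dr["PasswordSalt"];
                    storedHash = (byte[])dr["PasswordHash"];
                    iterations = (int)dr["Iterations"];
                }
            }
        }

        // Always run the check; only report success when the row existed and the hash matched
        bool ok = VerifyPassword(Password.Text, salt, iterations, storedHash) && userFound;

        if (ok)
        {
            // Issues the forms-authentication ticket cookie and returns to the originally requested
            // page; the second argument makes the cookie persistent (the article's "AbidingCookie")
            FormsAuthentication.RedirectFromLoginPage(YourName.Text, AbidingCookie.Checked);
        }
        else
        {
            // One message for both failure modes, so valid user names cannot be enumerated
            Msg.Text = "Invalid user name or password";
        }
    }

    // PBKDF2 (RFC 2898) with the stored salt and iteration count; compared without early exit
    internal static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}
```

The same VerifyPassword routine is what the user-creation page (the article's "admin room") would call with a freshly generated random salt to produce the stored PasswordHash, so the database never holds a reversible copy of the password.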
The contents of the Default.aspx program are as follows:
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<html>
<script runat="server">
private void Page_Load(Object src, EventArgs e) {
    // Show the user name carried in the authentication cookie
    Welcome.InnerHtml = "Congratulations on your authentication, " + Context.User.Identity.Name;
}
private void Signout_Click(Object sender, EventArgs e) {
    // Pressing the sign-out button clears the original cookie
    CookieAuthentication.SignOut();
    // Send the user back to the login page to enter a new user name and password
    Response.Redirect("Login.aspx");
}
</script>
<body>
<center>
<font face="Verdana">.NET authentication system prompts you:</font>
<span id="Welcome" runat="server" />
<form runat="server">
<input type="submit" OnServerClick="Signout_Click" value="Cancel this logon identity" runat="server" />
<p></p>
</form>
<p><a href="/adduser/">Into the admin room</a></p>
</center>
</body>
</html>
Specifically, when an unauthenticated user browses to an .aspx file on your site (note that cookie authentication applies only to .aspx files), the system finds that the user has no cookie and redirects to Login.aspx. When the user enters the correct user name and password, the system generates a cookie for the user, automatically redirects to the .aspx file the user originally requested (Default.aspx by default) and executes it; the Default.aspx shown above then reports that you have passed authentication.
Summary
HTTP requests carrying the same cookie are treated as coming from the same Web browser, and since we rely on the session to track application access or browser-specific information during a session, it is necessary to prevent unauthorised interception of cookie information by means such as a sniffer. You should consider SSL or another encrypted, secure communication link.
For the program above, you can easily add the user's IP address to the table to verify intranet users. Because a cookie acts like an identity card, to prevent someone from using your cookie illegally you should have the cookie cleared when the browser is closed.
In short, cookie-based authentication, combined with the various encryption methods and a sound security configuration of the operating system, provides sufficient support for most applications that require secure authentication.