ASP. NET Form Verification part.1 (understanding Form Verification)

ArticleDirectory

• 1. Why form verification?
• 2. Why not use form verification?
• 3. Why not implement cookie verification by yourself?
• 4. Form Verification

As long as you do not wantProgramTo use a Windows-based account, you should use this type of authentication.

Form Verification is a comprehensive verification system based on two concepts. The first is a login page, used to verify the user (compared with the database or other data storage ). Second, this architecture will establish security again upon every requestContext(Work Based on cookies). In this way, you only need to log on once.

 

Introduction to Form Verification

Form Verification is a ticket-based (Ticket-basedIs also known as a token-based system. This means that after a user logs on to the system, they get a ticket containing the basic user information. The information is stored in encrypted cookies, which are bound together with the response. Therefore, each subsequent request is automatically submitted to the server.

When an anonymous user is requested to access a page, ASP. NET runs to verify whether the form ticket is valid. If it is invalid, ASP. NET automatically redirects the user to the logon interface. You must create this logon page and verify the creden。 submitted on this page. If the user authentication is successful, youNotify ASP. NET that the architecture is successfully verified (call a method of the formsaythentication class), the runtime automatically sets the authentication cookie (including the ticket), and then assigns the user the access permission to this page..

All you have to do is configure Form Verification in the web. config file, create a logon page, and verify the creden。 on the logon page.

 

1. Why form verification?

• You have full control over verificationCode. Form Verification is implemented in ASP. NET, while windows verification or passport verification is different.
• You can have full control over the appearance of the login form. You can customize the page. If you do not want to do this,You can use advanced membership APIs and ASP. NET security controls. They contain an existing easily customized logon control.The appearance flexibility is not available in the other two verification methods. For Windows authentication, you must use a browser to collect creden。. For passport authentication, you must leave your website to access the passport site.
• Applicable to any browser. Form Verification uses standard HTML as the user interface. Because the login form can be formatted in any way, you can even use it on mobile devices.
• It allows you to decide how to store user information.

 

2. Why not use form verification?

• You must create a user interface for user login.. Things have two sides. After all, it brings about additional work (but not much work ). It should be noted that form verification only establishes a verification system framework, rather than a complete and ready-to-use built-in system.
• You must maintain the directory where the user creden are located.. Not only do you need to design a scheme to save user information, but you also need to ensure that they are saved securely.
• You must take additional preventive measures to prevent Interception during network transmission.. The credential information is sent to the server in plain text format from the browser, which means that anyone who intercepts them can read them. This is obviously not a secure solution. The solution is to use SSL. Now, the correct view is to use SSL to ensure the security of the login page, rather than the security of the entire application. You can configure form verification to encrypt and sign cookies. In addition, cookies should not contain sensitive information, and therefore do not contain passwords for verification.

 

3. Why not implement cookie verification by yourself?

Form Verification uses cookies to grant authentication tickets to clients and users, also known as Cookie verification.On the surface, it seems like a simple system. You may ask why you don't use cookies or session variables for verification?

Very simple. Developers do not need to implement various functions from session status to Web framework in ASP. NET. ASP. NET not only saves your trouble, but also provides secure, strictly tested, and scalable implementations.

Some advantages of ASP. NET form verification are as follows:

• Form Verification cookies are secure
• Form Verification is fully tested
• Form Verification is integrated with security classes in. net.

1. ensure the security of the authentication cookie

By default, the form verification module encrypts the authentication information before it is stored in the cookie. When the cookie returns to the server, it uses a hash code to verify whether the cookie has been modified.These two processes ensure that these cookies are extremely secure (most self-made cookie verification is quite insecure ).

 

2. Form Verification has been well tested

Form Verification is a major part of ASP. NET, which has already been used in many web programs and sites. So many people use it, and the defects will soon be discovered, published, and compensated. On the other hand, if you create your own cookie verification system, you will not have the advantage of this universal test.

 

3. integrated ASP. NET Security Framework

All types of ASP. NET authentication use a unified framework. Form Verification is integrated with this framework. For example, itIntegrates the security context (iprincipal) object and the user identity (iidentity) object.

 

4. Form Verification

The most important part of Form Verification isFormsauthenticationmodule,It is an httpmodule class used to detect existing form verification tickets in the request..

If the ticket is invalid and the user accesses a protected resource, it automatically transfers the user's request to the Web. the login page defined in config, which is not even exposed to these protected resources at runtime.

If the ticket is valid, this module automatically creates a security context by initializing the httpcontext. Current. User attribute. This attribute contains the default instance of a genericprincipal object, and this instance contains a formsidentity instance with the same name as the currently logged-on user.

Basically, you don't need to deal with this module directly. The interfaces of this module include the classes in the following table, which are part of the system. Web. Security namespace:

Class Name	Description
Formsauthentication	This is the main class that interacts with form verification. Provides basic configuration information, allowing you to create bills and set cookies. If the user creden are successfully verified, the user is automatically directed to the original request page.
Formsauthenticationeventargs	Formsauthenticationmodule triggers an authenticate event. You can capture this event. Event parameters are packaged and passed through an instance of this class. It contains basic information about verified users.
Formsauthenticationticket	Provides information that the user will be encrypted and stored in the authentication cookie.
Formsidentity	Iidentity implementation for form verification. The ticket attribute is added, which exposes Form Verification tickets. You can access additional information in this ticket, such as cache role information in simple scenarios.
Formsauthenticationmodule	This is the core of Form Verification. It establishes the context and automatically jumps to the logon page when necessary.

 

In most cases, you will use the formsauthentication class and formsidentity class, which represent a successfully verified user in your application.In the next article, I will describe how to use Form Verification in applications.