ASP.NET | Security
"Waited a long time and finally it is today; wrote a long time and finally reached the end, but the readers' response leaves me a little sad." "Hoped a long time and finally look forward to today; endured a long time and finally write this piece; those left out in the cold are tired but never say so" (a new reading of the lyrics of "Today"). Look at the comments piling up one after another under other people's blog articles, then look at my own: "Nobody, really nobody..." Alas, nobody pays me any attention; I might as well go home. "Hey, you haven't even started writing, where are you going?" "Home." "Then go home and do your homework. Did you do it?" (Note: the assignment set in section 6 of Part II, http://blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx: this project is used by two departments, and each department has some pages that only its own users may browse. How do you achieve that with web.config?)
I do not know how many people did the homework; in fact the answer is not hard. After verifying the user name and password, fetch the user's department name or department code and use it as the basis for the authorization decision. It is best not to key the decision on the department's numeric database ID, which makes future maintenance harder (renumbering the department table would silently change who may see what).
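One way to implement that answer in code, as an added example that is not the article's own: after the user name and password check, the department name is stored in the forms authentication ticket's UserData and, on every request, turned into the user's only role, so the authorization rules in web.config can allow by role. The DeptAuth class, its method names and the two sample accounts are constructed for this illustration (ASP.NET 1.1 APIs); a real project reads accounts from its database.

```csharp
// Added example (not the article's code). Department-based authorization with
// Forms authentication, ASP.NET 1.1 style: the department name travels in the
// ticket's UserData and is exposed as the user's only role.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class DeptAuth
{
    // Constructed sample accounts: user name -> { password, department name }.
    // A real project reads these from its database.
    private static readonly Hashtable Accounts = new Hashtable();

    static DeptAuth()
    {
        Accounts["zhang"] = new string[] { "pass1", "Sales" };
        Accounts["li"]    = new string[] { "pass2", "Auditing" };
    }

    // Returns the department name on success, null on failure.
    public static string CheckUser(string name, string password)
    {
        string[] rec = (string[])Accounts[name];
        if (rec == null || rec[0] != password) return null;
        return rec[1];
    }

    // Called from the login page's button handler after CheckUser succeeded.
    // The department name goes into UserData; the ticket is encrypted and signed
    // with the <machineKey> of this application.
    public static void IssueTicket(HttpResponse response, string name, string department, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, name, DateTime.Now, DateTime.Now.AddMinutes(30), persistent, department);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = "/";
        // cookie.Secure = true;  // set this when the site is served over HTTPS
        response.Cookies.Add(cookie);
    }

    // Global.asax:
    //   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    //   { DeptAuth.AttachDepartmentRole(HttpContext.Current); }
    // Replaces the principal ASP.NET built from the cookie with one whose single
    // role is the department name, so <allow roles="Sales"/> in web.config works.
    public static void AttachDepartmentRole(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated) return;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null) return;
        string department = identity.Ticket.UserData;
        context.User = new GenericPrincipal(identity, new string[] { department });
    }
}
```

In Login.aspx.cs the button handler calls CheckUser, then IssueTicket, and finally Response.Redirect(FormsAuthentication.GetRedirectUrl(name, false)); the department is never taken from a posted form field, only from the validated ticket, so a user cannot promote himself into another department by editing the request.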
Here is a secret I do not tell ordinary people: the path attribute of the <location> node in web.config may be a relative URL pointing at a single page, not only at a directory, for example: <location path="Managesys/auditing.aspx">
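A complete web.config for the two-department homework, as an added example that is not part of the original article. It assumes the departments are called Sales and Auditing, that the Sales pages live in a directory named Sales, that the login code exposes the department name as the user's role (the cookie name .DEPTAUTH and the login page name are assumed), and it uses the single-page location path quoted above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- overrides the machine.config default (mode="Windows") -->
    <authentication mode="Forms">
      <forms name=".DEPTAUTH" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
    </authentication>
    <!-- the public pages and the login page itself stay open -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- a whole directory: only the Sales department -->
  <location path="Sales">
    <system.web>
      <authorization>
        <allow roles="Sales" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- a single page: only the Auditing department -->
  <location path="Managesys/auditing.aspx">
    <system.web>
      <authorization>
        <allow roles="Auditing" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated most-specific first, so the <location> rules run before the root <allow users="*"/>. The closing <deny users="*"/> matters: with only <deny users="?"/> an authenticated Sales user could still open the Auditing page, because he is not anonymous.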
Well, next we lift the veil on "a configuration file bigger than the root web.config": the legendary machine.config, hidden in the Windows system directory, which governs the configuration of the entire .NET Framework!! Please give a warm round of applause to welcome this mysterious warrior's shining debut...
Nine. Machine.config
Machine.config: gender unknown, age unknown, family origin: XML. It lives deep in the operating system directory, "somewhere in the clouds" (to be exact: C:\WINDOWS (or WINNT)\Microsoft.NET\Framework\v1.1.4322 (or v1.0.3705)\config\machine.config), and controls the machine-wide, higher-level configuration of the .NET Framework. Below, a brief look at its contents and its relationship with web.config.
After "asking the boy under the pines", we finally found the hermit. Open it and, oh my, more than 3,700 lines!! "How can I not be sad? I only wanted to see its structure, but there is far too much content, far too cumbersome..." Remember what I often tell my colleagues: "People can always think of a way!" It is only 3,700-odd lines; never mind the consequences, let us copy it out first. Isn't it XML by birth? So make a copy and rename the copy machine.xml, then open the made-over hermit in IE, which lets you collapse the nodes one by one, comments and all. Now, doesn't that give a sense of achievement? If you want to thank me, leave a comment under this article; the more the better, hehe.
What is the relationship between machine.config and web.config? Four words: parent and child. When I explained the scope of web.config in section 5 of Part II, I mentioned two points, inheritance and override (see http://blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx); the same applies here.
1. The settings in machine.config apply to all sites and virtual directories on the machine, and their subdirectories continue to inherit them.
2. A setting in web.config overrides the corresponding setting inherited from machine.config.
At this point, one more secret, although "there are no secrets in the world; once enough people know, it is no secret at all!"
a. Everything under the <system.web> node of machine.config may also appear in the project's root web.config; in other words, web.config can list the same nodes one by one and override them;
b. Of those, the attributes of the <pages> node under <system.web> can also be set on an individual page. For example, in the HTML view, add the <pages> attribute validateRequest="false" to the first line of WebForm1.aspx. This means the WebForm1.aspx page no longer checks posted text box values for potentially dangerous input such as "<" and ">"; the next section makes specific use of it.
<%@ Page language="c#" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false" Inherits="Fromtest.WebForm1" validateRequest="false" %>
Ten. Single sign-on (Single Sign On) prerequisites
Everything said above about machine.config paves the way for single sign-on. So what is single sign-on? Taken literally, you log in at one place: Forms authentication performed once is then honoured across an ASP.NET distributed environment (several applications on one server, or a Web farm). For example, after logging in to Sohu I need not log in again at Chinren (China Alumni). In Taiwan and Hong Kong it is also called "one sign on".
The first prerequisite for this is a pair of keys, one for encrypting the data and one for validating it. They live in machine.config; modify the attributes of the <machineKey> node under <system.web> as follows:
<machineKey firstkey="172" copyrightkey="Cityhunter172" validationKey="ad117f2f286cdcb15a9d1d4535e16db0248026939**author**cityhunter172****website**172*meibu*com****mailto**cityhunter172@126*com*****f2f286cdcb15a9d1d4535e16db0248026939" secondkey="Meibu" decryptionKey="3c89ae62ad117f2f286cdcb15a9d1d4535e16db0248026939" validation="SHA1" thirdkey="com" />
(Only validationKey, decryptionKey and validation are real <machineKey> attributes; firstkey, copyrightkey, secondkey and thirdkey are this author's signature joke, see point 4 below, and ASP.NET would refuse to start the application with an "unrecognized attribute" configuration error if they were present. The values shown are not valid hexadecimal strings of the required lengths either, so do not paste this line into a real machine.config; generate proper keys with the code that follows.)
1. validationKey is the key used to validate the encrypted data (the hash appended to the forms authentication ticket, so that a tampered cookie is rejected). Its length is at least 40 hexadecimal characters (20 bytes) and at most 128 (64 bytes).
2. decryptionKey is the key used to encrypt the data. Only two lengths are valid: 16 hexadecimal characters (8 bytes, DES) or 48 (24 bytes, 3DES).
3. validation is the algorithm used for validation; three values are possible: "SHA1", "MD5" and "3DES". SHA1 is the default and the one to keep.
4. Those of you who copied the <machineKey> above, try running the following statement in WebForm1.aspx (it spells out the address of this blog from the three bogus attributes):
this.TextBox2.Text = "HT" + "TP" + "://" + firstkey + "." + secondkey + "." + thirdkey;
Please back up machine.config before making any change; don't blame me later for not reminding you. The key above is not a randomly generated one, so next we introduce the method for generating keys.
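What the shared keys look like in practice for the two-application case described above, as an added example that is not part of the original article: the same <machineKey> and the same <forms> settings placed in both applications' web.config (which, as section Nine explained, overrides machine.config). The placeholders in brackets stand for keys produced by the generator below; the cookie name and login URL are assumed values.

```xml
<!-- Identical fragment in /AppA/web.config and /AppB/web.config on the same
     server, or on every server of the Web farm. Because web.config overrides
     machine.config, the shared keys need not be edited into machine.config. -->
<configuration>
  <system.web>
    <!-- Both applications must hold the very same keys: a ticket encrypted and
         signed under AppA's keys is accepted by AppB only if AppB uses them too.
         The machine.config default validationKey="AutoGenerate" gives every
         server its own key (shared by all applications on that server), so on a
         single server it works by accident and in a Web farm it does not. -->
    <machineKey validationKey="[40 to 128 hex characters, 20 to 64 bytes]"
                decryptionKey="[16 or 48 hex characters, 8 or 24 bytes]"
                validation="SHA1" />
    <authentication mode="Forms">
      <!-- Same cookie name and path="/" in both applications, so the browser
           presents the one ticket to both. protection="All" encrypts the ticket
           with decryptionKey and signs it with validationKey. -->
      <forms name=".SSOAUTH" loginUrl="/AppA/Login.aspx" protection="All"
             timeout="30" path="/" />
    </authentication>
  </system.web>
</configuration>
```

If the two applications end up with different keys (for instance one of them still on AutoGenerate), AppB cannot decrypt or validate AppA's cookie, silently treats the request as anonymous and redirects to the login page: the user is asked to log in again, which is exactly the symptom of a broken single sign-on. Changing the keys also invalidates every ticket currently in circulation, so plan a key change as a forced logout of all users.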
Drag the WebForm1.aspx from the previous section into the project's public directory, drop a TextBox3 with TextMode=MultiLine and a Button onto the page (TextBox1 and TextBox2 take the desired key lengths in bytes), then write the button's event handler and a helper function:
private void Button1_Click(object sender, System.EventArgs e)
{
    // TextBox1 holds the decryptionKey length in bytes (8 or 24),
    // TextBox2 the validationKey length in bytes (20 to 64)
    string decstr = this.CreateKeyString(int.Parse(this.TextBox1.Text));
    string valstr = this.CreateKeyString(int.Parse(this.TextBox2.Text));
    this.TextBox3.Text = string.Format(
        "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\"/>",
        valstr, decstr);
}

/// <summary>
/// Generate a cryptographically strong random key string
/// </summary>
/// <param name="i">effective key length in bytes:
/// valid values for decryptionKey are 8 or 24;
/// valid values for validationKey are 20 to 64
/// </param>
private string CreateKeyString(int i)
{
    // cryptographic random number generator (System.Security.Cryptography), not System.Random
    System.Security.Cryptography.RNGCryptoServiceProvider rng =
        new System.Security.Cryptography.RNGCryptoServiceProvider();
    byte[] bt = new byte[i];
    rng.GetBytes(bt); // fill the byte array with a cryptographically strong random sequence
    System.Text.StringBuilder str = new System.Text.StringBuilder();
    for (int j = 0; j < i; j++)
    {
        str.Append(string.Format("{0:X2}", bt[j])); // each byte as two upper-case hex digits
    }
    return str.ToString(); // 2 * i hex characters, the form <machineKey> expects
}
Each click generates a different key; click a few more times if you like. Then switch to HTML view, remove validateRequest="false" from the first line of WebForm1.aspx, and click Button1 a few more times to see what happens, hehe... (The generated <machineKey ...> text now sits in TextBox3, so on the next postback request validation sees a form value starting with "<" followed by a letter and rejects the whole request with "A potentially dangerous Request.Form value was detected from the client". That is the check the previous section switched off for this page.)