Part V: Securing ASP.NET Applications
Chapter 19 Using Forms-Based Authentication
Both Forms authentication and Passport authentication require cookie support. The difference between the two is that:
Forms authentication lets developers choose where user names and passwords are stored, such as the web.config file, an XML file, or a database table.
Passport authentication uses Microsoft Passport. It is a centralized authentication scheme: the user logs on once, and the same user name and password are valid on multiple web sites.
19.1 Working with Forms Authentication
The advantage of Forms authentication is that user names and passwords can be stored wherever the application needs them.
Forms authentication requires cookie support in the browser in order to identify the user.
The Forms authentication classes live in the System.Web.Security namespace. The most important ones are:
FormsAuthentication, which provides several static methods for working with Forms authentication.
FormsAuthenticationTicket, which represents the authentication ticket carried in the Forms authentication cookie.
FormsIdentity, which represents the identity of a user authenticated through Forms authentication.
FormsAuthenticationModule, the HTTP module that implements Forms authentication.
Enabling Forms Authentication
To use Forms authentication, you must complete several steps:
Set the authentication mode in the authentication section of the web.config file: mode="Forms".
Set the authorization section of the web.config file to deny anonymous access to the application directory: <deny users="?" />.
Create a login page that lets users enter their user name and password.
On the login page, call the FormsAuthentication.RedirectFromLoginPage() method to send the user back to the page that was requested before the login page.
The FormsAuthentication.RedirectFromLoginPage() method does two things:
First, it creates a temporary or persistent cookie, depending on its parameters.
Second, it returns the user to the page that was requested before the login page.
Configuring Forms Authentication
The authentication section of the web.config file has an optional child element, forms, which can carry the following attributes:
loginUrl: the URL of the login page to which the user is automatically redirected when authentication is required.
name: the name of the browser cookie that contains the authentication ticket.
timeout: the cookie expiration time in minutes. The default is 30. Not applicable to persistent cookies.
path: the path of the cookie. The default is /.
protection: the method used to protect the cookie data, one of All, None, Encryption or Validation. The default is All.
Processing Forms Authorization
In the web.config file, the authorization section can contain deny and allow child elements.
The attributes of the deny and allow elements are as follows:
verbs: controls whether users may use HTTP POST or GET.
users: * represents all users; ? represents anonymous users.
Retrieving User Information
Use the properties of the FormsIdentity class to obtain information about the authenticated user:
FormsIdentity.AuthenticationType: for Forms-authenticated users this always returns "Forms".
FormsIdentity.IsAuthenticated: indicates whether the user has been authenticated.
FormsIdentity.Name: the name of the authenticated user.
FormsIdentity.Ticket: the cookie authentication ticket associated with the current user.
The FormsIdentity.Ticket property returns the user's cookie authentication ticket. Further information is available through the properties of the FormsAuthenticationTicket class:
FormsAuthenticationTicket.CookiePath: the path of the cookie that carries the ticket.
FormsAuthenticationTicket.Expiration: the date and time when the cookie carrying the ticket expires.
FormsAuthenticationTicket.Expired: a bool indicating whether the current ticket has expired.
FormsAuthenticationTicket.IsPersistent: indicates whether the ticket is carried in a persistent cookie.
FormsAuthenticationTicket.IssueDate: the date and time when the cookie carrying the ticket was created.
FormsAuthenticationTicket.Name: the user name associated with the ticket.
FormsAuthenticationTicket.UserData: developer-defined custom data stored in the ticket.
FormsAuthenticationTicket.Version: an integer version number of the ticket. At present this property always returns 1 by default.
Creating a Sign-Out Page
To let users sign out and become anonymous again, call the FormsAuthentication.SignOut() method, which deletes the session cookie or the persistent cookie.
Authenticating Users with the web.config File
One of the great advantages of Forms authentication is that user names and passwords can be stored wherever needed, for example in web.config:
<forms> <credentials passwordFormat="Clear"> <user name="Tom" password="Tom" /> </credentials> </forms>
The user name and password are stored in the web.config file. Combined with denying anonymous access in the authorization section, this means that only a user whose name is Tom and whose password is also Tom can access the site.
The FormsAuthentication.Authenticate() method determines whether a given user name and password are present in the web.config file.
Encrypting Passwords in the web.config File
In the preceding example the password is written in plain text in the web.config file, which is dangerous. To reduce the risk, set the passwordFormat attribute of credentials to a hashing algorithm and replace the plaintext value of the password attribute with the hashed value.
Once a hashing algorithm is in use, the password in the config file is hashed while the password the user enters is in plain text, so the two cannot be compared directly. How is this solved? Use the FormsAuthentication.HashPasswordForStoringInConfigFile() method instead of the FormsAuthentication.Authenticate() method.
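As an added example (not the book's code and not part of these notes), here is how the two methods fit together with the enabling steps above: HashPasswordForStoringInConfigFile() produces the digest that goes into the password attribute, and Authenticate() hashes the submitted password with the configured passwordFormat before comparing, so a hashed credentials entry can still be checked with it. The control names and the web.config fragment in the comment are assumptions.

```csharp
// Added example; the web.config it assumes (fragment, not from the notes):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="30" protection="All">
//       <credentials passwordFormat="SHA1">
//         <user name="Tom" password="[hex digest produced by HashForConfig]" />
//       </credentials>
//     </forms>
//   </authentication>
//   <authorization><deny users="?" /></authorization>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Hypothetical controls declared on Login.aspx.
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected CheckBox chkRemember;
    protected Label lblError;

    // Run once (for example from a throwaway admin page) to get the uppercase hex
    // digest to paste into the password attribute; the plaintext never enters web.config.
    // Unsalted SHA1/MD5 is weak by current standards and this method is marked obsolete
    // from .NET 4.5, so treat the <credentials> store as a legacy, low-value option.
    public static string HashForConfig(string plaintextPassword)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(plaintextPassword, "SHA1");
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Authenticate() applies the configured passwordFormat to the submitted text and
        // compares digests, so the stored value is never reversed.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            // Issues the ticket cookie (persistent when chkRemember is checked) and returns
            // the user to the page that originally required authentication.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkRemember.Checked);
        }
        else
        {
            // One message for unknown user and wrong password: no user-name enumeration.
            lblError.Text = "Invalid user name or password.";
        }
    }
}
```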
Authenticating Users with an XML File
Besides storing the user name and password in the web.config file, you can put them in a separate XML file.
The example in the book stores them in a passwords.xml file. To keep the user names and passwords in a separate XML file, four files are needed:
web.config, which holds the authentication and authorization configuration.
passwords.xml, which stores the user names and passwords.
Login.aspx, which verifies the user name and password against the passwords.xml file.
Register.aspx, which lets a user register a name on the site and adds the user name and password to the passwords.xml file.
The web.config file needs no further explanation: anonymous access is denied in the authorization section.
The passwords.xml file has the format <passwords> <user> <name>Tom</name> <password>Tom</password> </user> </passwords>.
In Login.aspx, passwords.xml is read into a DataSet and the user name and password entered by the user are compared with each record. If a record matches, the FormsAuthentication.RedirectFromLoginPage() method is called.
In Register.aspx, passwords.xml is likewise read into a DataSet and the user name entered by the user is compared with each record. If it duplicates an existing name, the user is asked to enter another; if not, the new record is inserted into the DataSet and the FormsAuthentication.RedirectFromLoginPage() method is called.
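An added example (not the book's code) of the Login.aspx and Register.aspx logic just described, written as one helper class over the passwords.xml format shown above. The file path argument, the class name and the assumption that the file already holds at least one <user> record (so the DataSet can infer the schema) are mine.

```csharp
// Added example: DataSet-based lookup and registration against
// <passwords><user><name>..</name><password>..</password></user></passwords>.
// IIS serves .xml as a static file, so a passwords.xml inside the web root is
// downloadable by any visitor: keep it outside the site or block the path. The
// notes' design also stores the passwords in clear, which this helper preserves.
using System;
using System.Data;

public static class XmlPasswordStore
{
    static readonly object FileLock = new object();   // serialise concurrent registrations

    // Login.aspx: true when a <user> record matches the submitted name and password.
    public static bool Verify(string xmlPath, string name, string password)
    {
        var ds = new DataSet();
        ds.ReadXml(xmlPath);                          // infers table "user" with name/password columns
        DataTable users = ds.Tables["user"];
        if (users == null) return false;              // no records at all: nobody can log in
        foreach (DataRow row in users.Rows)
        {
            if (row["name"] as string == name && row["password"] as string == password)
                return true;                          // caller then calls RedirectFromLoginPage()
        }
        return false;
    }

    // Register.aspx: false if the name is already taken, otherwise appends and saves.
    public static bool Register(string xmlPath, string name, string password)
    {
        lock (FileLock)
        {
            var ds = new DataSet();
            ds.ReadXml(xmlPath);                      // assumes at least one existing <user>
            DataTable users = ds.Tables["user"];
            foreach (DataRow row in users.Rows)
            {
                if (string.Equals(row["name"] as string, name, StringComparison.OrdinalIgnoreCase))
                    return false;                     // duplicate: page asks for another name
            }
            DataRow added = users.NewRow();
            added["name"] = name;
            added["password"] = password;
            users.Rows.Add(added);
            ds.WriteXml(xmlPath);                     // persist before issuing the ticket
            return true;
        }
    }
}
```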
Authenticating Users with a Database Table
Compared with web.config and XML files, database tables are the more common place to store users. In that case a DataTable represents the table, and login and registration work much as in the XML-file version.
Implementing Roles-Based Authentication
In many cases users need different permissions according to their roles. For example, a BBS has moderators, administrators, and ordinary registered users.
To assign roles to users, write code in the Application_AuthenticateRequest() method of the Global.asax file. For example:
string[] arrRoles = new string[] { "supervisors", "users" };
Context.User = new GenericPrincipal(Context.User.Identity, arrRoles);
These two lines assign the current user to the "supervisors" and "users" roles.
Alternatively, the user's roles can be recorded in an XML file. Then, in the Application_AuthenticateRequest() method, look up the roles by user name and assign them to the current user. The same applies when role and user information is stored in a database.
Creating a Custom Authentication Ticket
Forms authentication completes user authentication with an authentication ticket stored in a cookie. The ticket is created and sent to the browser automatically when the FormsAuthentication.RedirectFromLoginPage() method is called.
Usually the information in the ticket is sufficient. If it is not, you can build the ticket yourself and add it to the browser: to carry extra custom information, create an instance of the FormsAuthenticationTicket class and put the custom information in its UserData property.
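An added example (not the book's code and not from these notes) that ties this section to the roles-based section before it: the login page builds its own FormsAuthenticationTicket with the user's roles in UserData, and Application_AuthenticateRequest in Global.asax rebuilds a GenericPrincipal from that ticket on every request. LookupRoles is a hypothetical stand-in for the XML file or database table that holds the role assignments.

```csharp
// Added example: roles carried in a custom ticket's UserData.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Hypothetical role store; replace with the application's XML file or database lookup.
    static string[] LookupRoles(string userName)
    {
        return userName == "Tom" ? new[] { "supervisors", "users" } : new[] { "users" };
    }

    // Call from the login page after the password has been verified. Builds the ticket
    // by hand instead of RedirectFromLoginPage() so the role list can ride in UserData.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30),         // version, name, issue date, expiry (default timeout)
            persistent,
            string.Join(",", LookupRoles(userName)),      // custom data: comma-separated roles
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the configured protection="All" (encryption plus HMAC), so the
        // client can neither read nor edit its role list; the server must not trust roles
        // arriving in any other cookie or form field.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                            // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Global.asax: void Application_AuthenticateRequest(object s, EventArgs e) { RoleTicket.Attach(Context); }
    // FormsAuthenticationModule has already decrypted the cookie and set a FormsIdentity by this point.
    public static void Attach(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || identity.Ticket.Expired) return;   // anonymous or stale ticket
        string[] roles = identity.Ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);      // now User.IsInRole("supervisors") works
    }
}
```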
Using Forms Authentication and Web Farms
By default, the authentication ticket cookie cannot be shared among multiple servers, because each server automatically generates its own key. To share the authentication ticket cookie, declare the following in machine.config or web.config:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
For the servers to actually accept each other's cookies, the validationKey and decryptionKey attributes have to hold the same explicit key values on every server in the farm; AutoGenerate is the per-server default that causes the problem described above.
19.2 Working with Passport Authentication
Enabling Passport Authentication
Enabling Users to Sign In and Sign Out
Retrieving User Information
I am in a bad mood and too lazy to read this. It may be very useful; I will come back to it later.
Chapter 20 Using Windows-Based Authentication
20.1 Working with Windows Authentication
Windows account-based authentication is suitable for internal networks, where each machine has an account and the accounts on the domain controller are used for security verification.
20.2 Impersonating User Accounts
20.3 Setting Security Policies
I am in a bad mood and too lazy to read this. It may be very useful; I will come back to it later.
Chapter 21 Encrypting Data over the Network
This part explains the SSL security protocol; I will look at it later.
21.1 Using the Secure Sockets Layer
21.2 Configuring Your Server to Use SSL
21.3 Using SSL in ASP.NET Pages
21.4 Using the .NET Encryption Classes
From: http://www.cnblogs.com/wbuild/articles/903680.html
Reposted here for future reference.