ASP.NET form-based authentication for secure online access and management (2)

Source: Internet
Author: User

Supplement:

I recently read ASP.NET Security Advanced Programming, which covers forms-based authentication, and found that there were many misunderstandings about it, so I decided to write about ASP.NET form-based authentication for secure online access and management.

The directory layout is:

+ bin
+ admin
    - index.aspx
    - test.aspx
    - *.aspx
    - web.config    // web.config in the admin folder
login.aspx
web.config          // web.config in the root directory
index.aspx

 

(1) Let's take a look at the important FormsAuthentication methods and properties (search MSDN for more)

FormsCookieName
Returns the name of the cookie configured for the current application.
GetAuthCookie
Creates an authentication cookie for a given user name. This does not set the cookie as part of the outgoing response, so the application has more control over how the cookie is issued.
Authenticate
Given the supplied credentials, attempts to validate them against the credentials contained in the configured credential store.
GetRedirectUrl
Returns the redirect URL of the original request that led to the redirection to the logon page.
HashPasswordForStoringInConfigFile
Given a password and a string identifying the hash type, this routine produces a hashed password suitable for storing in the configuration file.
RedirectFromLoginPage
Redirects an authenticated user back to the originally requested URL.
{==========
Remarks
The RedirectFromLoginPage method redirects to the return URL specified in the ReturnUrl key of the query string. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, caller.aspx is the return URL that RedirectFromLoginPage redirects to. If the ReturnUrl key does not exist, RedirectFromLoginPage redirects to default.aspx.
=========}
SetAuthCookie
Creates an authentication ticket and attaches it to the cookie collection of the outgoing response. It does not perform a redirect.
SignOut
Removes the authentication ticket.

(2) Let's understand, step by step, how the page is verified

To restate our purpose:
The admin folder is the "area" where administrators manage the back end. It can only be reached through login.aspx: once the login.aspx form has verified that the user is an administrator, all pages in the admin folder become accessible.

(1) Suppose index.aspx in the root directory contains a link <a href="login.aspx">Log on as administrator</a>, and the administrator follows it to login.aspx to fill in the form. There is a habit of mind to watch out for here. We are used to pointing this "administrator login" link at login.aspx, but that is actually wrong: we should link "directly" to the admin folder (or any page in it). Someone asked, "Doesn't that let ordinary visitors reach the admin page directly through this link?" I said, "Yes! That is the beauty of form-based authentication: you don't have to worry about it. Look at our two web.config files!"

Look at web.config in the admin folder.

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

There is a <deny users="?" />, which means unauthenticated anonymous users are absolutely forbidden to access this folder, admin.
What happens if an anonymous user tries to reach a page in the admin folder? Ha, they are sent to the login.aspx page. To see why, look at web.config in the root directory.

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyCookieName" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

The web.config in the root directory sets the authentication mode and how it is handled.
<authentication mode="Forms"> sets the authentication mode to Forms;
<forms name="MyCookieName" loginUrl="login.aspx" protection="All" timeout="30" /> configures it.
Have you seen loginUrl="login.aspx"? It means that when an anonymous user tries to reach a protected page (the admin folder), that anonymous user is sent to login.aspx to log on!

(2) We click the "administrator login" link and arrive at login.aspx. Now you will notice that the URL is actually login.aspx?ReturnUrl=admin/index.aspx (the page we actually requested). Once we pass verification in login.aspx, the page automatically jumps to the ReturnUrl.

Look at login.aspx:

<asp:TextBox ID="TextName" runat="server" /> Account
<asp:TextBox ID="TextPassword" TextMode="Password" runat="server" /> Password
<asp:CheckBox ID="MyCheckbox" runat="server" /> Remember me and stay logged on
<asp:Button runat="server" OnClick="BtnLoginClick" Text="Login" />

Process Event 1 (when the user clicks the login button)

void BtnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a placeholder for your own check, e.g. a DLL in the bin directory that verifies the user and returns a bool.
    if (IsValidUser(TextName.Text, TextPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckbox.Checked);
    }
}

1. FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckbox.Checked):
-> sets an authentication cookie indicating that the user has passed verification;
-> returns to the page you requested (admin/index.aspx).
2. This statement is equivalent to the following two:
FormsAuthentication.SetAuthCookie(TextName.Text, MyCheckbox.Checked);
Response.Redirect(FormsAuthentication.GetRedirectUrl(TextName.Text, MyCheckbox.Checked));
3. If the MyCheckbox control is checked, the cookie is written and kept for 50 years. Of course, we can change that period:
Process Event 1 (when the user clicks the login button)

void BtnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a placeholder for your own check, e.g. a DLL in the bin directory that verifies the user and returns a bool.
    if (IsValidUser(TextName.Text, TextPassword.Text))
    {
        // Build the ticket cookie ourselves instead of letting SetAuthCookie issue it.
        HttpCookie authenticationCookie = FormsAuthentication.GetAuthCookie(TextName.Text, MyCheckbox.Checked);
        authenticationCookie.Expires = DateTime.Now.AddDays(3); // 3 days
        Response.Cookies.Add(authenticationCookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(TextName.Text, MyCheckbox.Checked));
    }
}

4. There is a bug here; I don't know why it behaves this way. Let's try this:
Process Event 1 (when the user clicks the login button)

void BtnLoginClick(object sender, EventArgs e)
{
    // IsValidUser is a placeholder for your own check, e.g. a DLL in the bin directory that verifies the user and returns a bool.
    if (IsValidUser(TextName.Text, TextPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckbox.Checked);
        Response.Redirect("http://www.QuickResponser.com");
    }
}

What happens? Reasonably, FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckbox.Checked); should execute
and then jump to the requested page admin/index.aspx.
However, I found that the page went on to execute Response.Redirect("http://www.QuickResponser.com");
Oh my God!!!! Depressing (can anyone give me a correct explanation? QQ: 154222225, mail: root@3ney.com)
5. Do not link to login.aspx directly. Why? Suppose we open login.aspx directly; then the URL has no ReturnUrl parameter, and the default is default.aspx (or index.aspx ...), so when the administrator passes verification the page does not go to the admin area but jumps straight to the root directory's default page, index.aspx.
(If you do link directly, the problem can also be solved by using the bug above.)
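As an added example (not the author's code), here is a login.aspx code-behind that puts steps 1 to 5 together: the credential check uses FormsAuthentication.Authenticate against a <credentials> section that is assumed to exist inside <forms> in the root web.config, the persistent cookie lifetime is set the way step 3 intends, and the comments explain the step 4 behaviour (RedirectFromLoginPage ends with Response.Redirect(url, false), so the handler keeps running and a later Redirect overwrites the Location header). It assumes the control IDs TextName, TextPassword and MyCheckbox from the markup above.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for login.aspx (added example). Assumes the root web.config's
// <forms> element holds a <credentials passwordFormat="SHA1"> section whose
// password values were produced with
// FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1").
// That helper only supports MD5 and SHA1, so treat it as legacy, not as a
// recommended password store.
public partial class Login : Page
{
    protected void BtnLoginClick(object sender, EventArgs e)
    {
        // Authenticate() compares name/password against the <credentials>
        // store; this is the "user verification passed" check from the text.
        if (!FormsAuthentication.Authenticate(TextName.Text, TextPassword.Text))
        {
            return; // stay on the login page, no ticket is issued
        }

        // Step 1 in one call would be:
        //   FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckbox.Checked);
        // It finishes with Response.Redirect(url, false), so code after it still
        // runs; that is why the extra Redirect in step 4 "wins": the last
        // Location header written is the one the browser follows.

        // Step 3 done explicitly: build the ticket cookie ourselves so a
        // persistent login lasts 3 days instead of the framework default.
        HttpCookie authCookie =
            FormsAuthentication.GetAuthCookie(TextName.Text, MyCheckbox.Checked);
        if (MyCheckbox.Checked)
        {
            authCookie.Expires = DateTime.Now.AddDays(3);
        }
        Response.Cookies.Add(authCookie);

        // GetRedirectUrl reads ReturnUrl from the query string and falls back to
        // the configured defaultUrl (default.aspx) when it is absent, which is
        // exactly the step 5 situation: a direct link to login.aspx carries no
        // ReturnUrl. An off-site ReturnUrl is also replaced by defaultUrl unless
        // enableCrossAppRedirects="true", so the login page cannot be used to
        // bounce users to another host.
        string target =
            FormsAuthentication.GetRedirectUrl(TextName.Text, MyCheckbox.Checked);

        // endResponse: true ends the request here, so nothing placed after this
        // line could change the redirect target the way the step 4 code did.
        Response.Redirect(target, true);
    }
}
```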

References:
1. ASP.NET Advanced Programming, Wrox
2. ASP.NET Security Advanced Programming, Wrox
==================================
I hope this makes it clear.
Other topics related to form-based authentication:
1. Cookieless authentication
2. How the credential data is stored
3. Role-based forms authentication
.....
Author: caca @ zzu @ qq: 154222225 @ mail: root@3ney.com
==================================
