Security knowledge for ASP.NET 2.0 programs

Source: Internet
Author: User
Tags: mail

Membership is a basic idea in human society; it grows out of the wish to belong to a particular group. Before you start developing an ASP.NET 2.0 application that involves membership, you must first understand three key concepts: identity, authentication, and authorization.

Membership is a basic idea in human society; it grows out of the wish to belong to a particular group. We want to feel part of a team and let others know who we are, and the web has caught on to this trend; adopting the concept was only a matter of time. If you sit down and count how many sites you have logged on to and left some simple user information with, you may find that you belong to more groups than you first imagined. From sites selling books and gadgets, to one discussing the merits of owning a Ford Puma, to one promoting a BBC TV comedy show called Look Around, the author found them too many to enumerate. Then comes a familiar difficulty: which user name and password go with this site?

One of the most successful sites on the web, Amazon.com, started out as just a bookstore, but the scope of its business has kept growing. Now, when a user logs on to Amazon, the whole page is filled with items related to that user's buying habits.

Before you begin developing applications that involve membership, you must first understand several key concepts: identity, authentication, and authorization.

1. Identity: who am I?

When we consider identity, we describe ourselves by a number of distinct attributes. For example, I am a blonde woman who likes science-fiction films and building PCs, but none of that matters to someone interested only in my badminton skills. The identity information a site stores is likely to cover only certain aspects of a person. A shopping site, for example, saves the user's name, phone number, e-mail address, and home address, because these relate to selling and delivering the product. It probably does not care about your personal interests (unless it is as big as Amazon), so it does not need to keep that kind of information about users, but that does not prevent it from holding identity information about them.

Identity, "who I am", is a collection of facts drawn from a wide range of real circumstances. You may have written many facts on your résumé, but they too are relevant only to a potential employer, and what to keep and what to leave out of your résumé is up to you. The same is true when you save information about a member of a site: at the development stage you must decide which facts about the member you want to store, bearing in mind that every fact you store is one more piece of personal data you are then responsible for protecting.

2. Authentication: this is me

When attempting to log on to a web site, the user supplies certain credentials, for example an e-mail address together with its password. The site must then determine whether the user really is who he or she claims to be, so the e-mail address and password entered by the user must match the corresponding pair that the server has on record. (In practice the server should store a salted hash of the password rather than the password itself, and compare hashes, so that a copy of the server's data does not yield the passwords.)

Authentication is the process of proving that you are the person you claim to be. Many sites, whether they sell goods or provide community services, use an e-mail address and password combination as their authentication method, a time-tested approach. Although this method is not absolutely secure, as long as users choose strong passwords and keep them strictly secret, and the site's code has been rigorously tested, the risk that a user's profile is used by anyone other than that user is greatly reduced.
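The matching step described above, as an added example that is not part of the original article: a small C# program that keeps a random salt and a PBKDF2 hash (Rfc2898DeriveBytes, available since .NET 2.0) for each e-mail address instead of the password itself, and compares hashes in constant time. ASP.NET 2.0's built-in SqlMembershipProvider does the equivalent salted hashing for you when passwordFormat="Hashed" is configured; the in-memory user store, the work factor and the sample credentials here are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: how a site should store and check an e-mail/password pair.
// The server never keeps the password, only a per-user salt and a derived hash.
class PasswordStore
{
    const int SaltSize = 16;       // bytes of random salt per user
    const int HashSize = 32;       // bytes of derived key kept on the server
    const int Iterations = 10000;  // PBKDF2 work factor (assumption; tune for your hardware)

    // What is kept on the server per user: salt + hash, never the password.
    struct Record { public byte[] Salt; public byte[] Hash; }

    // Keyed by e-mail address, lower-cased so "Bob@Example.com" and
    // "bob@example.com" refer to the same account.
    readonly Dictionary<string, Record> users = new Dictionary<string, Record>();

    static byte[] Derive(string password, byte[] salt)
    {
        // No "using": DeriveBytes is not IDisposable on .NET 2.0.
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashSize);
    }

    public void Register(string email, string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);   // cryptographically random salt
        Record r;
        r.Salt = salt;
        r.Hash = Derive(password, salt);
        users[email.ToLowerInvariant()] = r;
    }

    // True only if the e-mail exists and the submitted password hashes to the stored value.
    public bool Authenticate(string email, string password)
    {
        Record r;
        if (!users.TryGetValue(email.ToLowerInvariant(), out r))
        {
            // Still run the KDF so an unknown account costs the same time as a
            // wrong password; otherwise response time reveals which e-mails exist.
            Derive(password, new byte[SaltSize]);
            return false;
        }
        return FixedTimeEquals(r.Hash, Derive(password, r.Salt));
    }

    // Compare every byte regardless of where the first difference is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        PasswordStore store = new PasswordStore();
        store.Register("alice@example.com", "correct horse battery staple"); // constructed sample
        Console.WriteLine(store.Authenticate("alice@example.com", "correct horse battery staple")); // right password
        Console.WriteLine(store.Authenticate("alice@example.com", "wrong password"));               // wrong password
        Console.WriteLine(store.Authenticate("nobody@example.com", "anything"));                     // unknown account
    }
}
```

The two details that usually go wrong in hand-written versions are the ones this block is careful about: a fresh salt per user (so identical passwords produce different hashes) and a comparison that does not stop at the first mismatching byte.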

3. Authorization: this is what I can do

After you enter a user name and password on a web site, the web server not only verifies that the user name and password match, it also looks up what permissions the site administrator has granted to that user. The step after authentication is authorization, which retrieves further information about the kind of account you hold and what it is allowed to do.

Take a bank web site as an example. After the user's logon information has been validated, the server looks up the user's permissions on that site. Like most users, you can view accounts, transfer funds between accounts, or pay bills. However, if the bank is facing a security threat (for instance a phishing e-mail campaign circulating on the Internet), you may suddenly find that you cannot add any third-party payee through the online application until the crisis is over. Switching off a feature in this way is typically controlled by an administrator who sets a special flag for some or all users; the page then tells the user that they no longer have permission to modify their account details. The flag must be checked on the server for every request that performs the action, not merely used to hide the button, because a user can submit the request without the button.

4. Logging on to a site

From the user's point of view, logging on to a site means entering a set of credentials and then seeing a user interface that differs according to one's profile. Typically the credentials are a user name plus a password; sites with higher security requirements, such as banks, may allow other methods, including a PIN and additional security checks. Leaving aside how the credentials are routed to the server, the basic principle of authentication is the same. Once authentication is complete, the same mechanism makes it straightforward to look up the user's permissions.
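The logon and permission flow from sections 2 to 4 above, as an added example written against the ASP.NET 2.0 Membership, Roles and Forms Authentication APIs (not code from the original article). It assumes that web.config has <authentication mode="Forms">, a membership provider and <roleManager enabled="true"> configured; the page control names (UserName, Password, Msg, PayeeForm), the role names AccountHolder, Administrator and PayeeChangesSuspended, and the "suspend payee changes" scenario from the bank example are assumptions made for the demonstration.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs: authentication ("this is me").
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // The configured provider looks up the stored (salted, hashed) password
        // for this user name and compares it with the submitted one. It also
        // returns false for accounts that are locked out or not yet approved.
        if (Membership.ValidateUser(user, Password.Text))
        {
            // Issue the forms-authentication ticket and return to the page the
            // user originally asked for; "false" = no persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One generic message: do not reveal whether the user name exists.
            Msg.Text = "Invalid user name or password.";
        }
    }
}

// Payees.aspx.cs: authorization ("this is what I can do").
// Anonymous users never reach this page if web.config contains
//   <authorization><deny users="?"/></authorization>
// but the code checks again instead of trusting configuration alone.
public partial class Payees : Page
{
    // Assumed role names. AccountHolder is granted by the administrator;
    // PayeeChangesSuspended is the "special tag" that removes one permission.
    const string HolderRole = "AccountHolder";
    const string SuspendedRole = "PayeeChangesSuspended";

    bool CanChangePayees()
    {
        if (!User.Identity.IsAuthenticated) return false;   // authentication first
        if (!User.IsInRole(HolderRole)) return false;        // then the granted permission
        if (User.IsInRole(SuspendedRole)) return false;      // then the administrator's override
        return true;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        if (!CanChangePayees())
        {
            Msg.Text = "You do not currently have permission to change payee details.";
            PayeeForm.Visible = false;
        }
    }

    // The action itself is guarded too: a user who posts the form directly
    // (or who was tagged after the page rendered) is still refused.
    protected void AddPayee_Click(object sender, EventArgs e)
    {
        if (!CanChangePayees())
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        // The payee would be saved here against User.Identity.Name (the
        // authenticated identity), never against a name submitted by the client.
        Msg.Text = "Payee added for " + User.Identity.Name;
    }
}

// Admin.aspx.cs: the administrator sets or clears the tag for all account
// holders (pass a smaller list to suspend only some users).
public partial class Admin : Page
{
    const string HolderRole = "AccountHolder";
    const string SuspendedRole = "PayeeChangesSuspended";

    protected void SuspendPayeeChanges_Click(object sender, EventArgs e)
    {
        if (!User.IsInRole("Administrator")) { Response.StatusCode = 403; Response.End(); return; }

        if (!Roles.RoleExists(SuspendedRole)) Roles.CreateRole(SuspendedRole);
        foreach (string name in Roles.GetUsersInRole(HolderRole))
        {
            // AddUserToRole throws if the user is already in the role, so check first.
            if (!Roles.IsUserInRole(name, SuspendedRole))
                Roles.AddUserToRole(name, SuspendedRole);
        }
    }

    protected void LiftSuspension_Click(object sender, EventArgs e)
    {
        if (!User.IsInRole("Administrator")) { Response.StatusCode = 403; Response.End(); return; }

        string[] suspended = Roles.GetUsersInRole(SuspendedRole);
        if (suspended.Length > 0) Roles.RemoveUsersFromRole(suspended, SuspendedRole);
    }
}
```

The role check runs both when the page renders and again in the click handler: hiding a form is a courtesy to the user, not an authorization decision, and the server-side check is the one that counts.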
