Security knowledge of ASP. NET 2.0 programs

The concept of membership is a relatively low level concept in human society, originated from the consciousness of a group. Similarly, when ASP. NET 2.0 programs start to develop applications involving member relationships, they must first understand the key concepts of identity, authentication, and authorization.

The concept of membership is a relatively low level concept in human society, originated from the consciousness of a group. We hope that we can feel that we are part of a team and let others know who we are. Therefore, it is only a matter of time before and after the adoption of this popular Web trend. If you sit down and think about how many sites you have logged on to and saved simple user information on these sites, you may find that your group is much more than you thought at the beginning. From a site that sells books and gadgets to a community that discusses the benefits of having a Ford Puma, or promoting a bbc TV comedy program called Look Around You, the author finds that many websites that he is a member of cannot be listed one by one. Next we will encounter a familiar difficulty: "which user name and password should I use to log on to this site ?"

Amazon.com, one of the most successful websites on the Web, was just a bookstore at the beginning, but its business scope is growing. When you log on to Amazon, you will find that the entire page contains all the items related to the user's consumption habits.

Before developing an application involving member relationships, you must first understand several key concepts: identity, authentication, and authorization.

1. Identity-Who am I?

When considering identity, we can use several unique features to describe ourselves. For example, I am a golden-haired woman who likes to watch sci-fi movies and assemble PCs, but this information is not necessary for anyone interested in my badminton technology. The identity information stored on the website may be related only to some aspects of a person. For example, a shopping site stores the user's name, phone number, email address, and home address, all of which are related to the sale of goods. They may not care about your personal interests (unless they are as large as Amazon), so they do not need to save such information about users, however, this does not prevent them from possessing identity information in these aspects.

Therefore, identity, that is, the concept of who I am, is a collection of a wide range of practical situations. You may have written many actual situations in your resume, but these situations are also relevant only to potential employers. It is up to you to determine the situations for saving and deleting resumes. The same is true when you save information about members of a site. You must determine the actual conditions of the members to be saved during the development phase.

2. Authentication-this is me

When attempting to log on to a website, you must enter some certificates. For example, a combination of email addresses and passwords. The website must determine whether the user is the one he declares. Therefore, the combination of the email address and password entered by the user must match the specific email address and password saved in the Server File.

The process of identity authentication is to prove that you are the person you declare. Many sites, whether they are retail products or provide community services, use a combination of email addresses and passwords for identity authentication. This is a proven method. Although this method is not absolutely secure, as long as you select a reliable password and keep it confidential, and the site code is strictly tested, your configuration files can only be used by the user himself.

3. Authorization-this is what I can do

After entering the user name and password for the website, the Web server will not only verify that the password and user name match, but also view what permissions the site administrator has granted to the user. The next step after authentication is authorization. This step will retrieve more information about your User Account type.

For example, a bank website is used as an example. After the user's login information is verified, the server will view the user's permissions on the site. Like most users, You can query accounts, transfer funds between accounts, or pay bills. However, if a bank is threatened by a security aspect (similar to a phishing email circulating around the Internet ), you may find that you suddenly cannot add any third-party proxy orders through this online application until the security crisis is lifted. The function is probably disabled by the Administrator setting a special flag for some or all users. On the page, the Administrator tells the user that they no longer have the permission to modify the details of their account.

4. log on to the website

The process of logging on to the site, from the user's perspective, is to enter a set of certificates, and then view the process of different user interfaces according to their own configuration files. Generally, the user's certificate is a combination of user name and password. However, for websites with higher security, such as bank sites, you can use other methods to log on, including PIN and security authentication. If you do not consider transferring an authentication certificate to the server, the basic principles of identity authentication are the same. Once the authentication is complete, it is easy to use the authentication mechanism to query what permissions the user has.