Summary
asp.net Forms authentication allows a user to enter credentials (user name and password) into the Web Form to identify their identity. When these credentials are received, the WEB application can check the credentials against the data source to authenticate the user.
This module describes how to securely store user credentials in SQL Server using password hashing, and how to authenticate users against the account database that is included in SQL Server.
Preliminary knowledge
Storing user credentials securely contains two key concepts:
• Store password summary. For security reasons, do not store passwords in plaintext in the database. This module describes how to create and store a one-way hash of a user's password rather than the password itself. If you want to store an encrypted user password, this is recommended because it avoids key management issues associated with encryption technology.
To increase security and mitigate the threat associated with dictionary attacks, the method described in this module combines salt (the random number generated in encrypted form) with the password before creating a password hash.
• Important The disadvantage of not storing passwords in the database is that once a user forgets the password, it cannot be recovered. As a result, applications should use password hints and store them in the database with the password digest.
• Validate user input. When you pass user input to an SQL command, such as a comparison statement or a string in a pattern-matching statement, you should carefully validate this input to ensure that the final command contains no syntax errors and that the hacker does not cause your application to run arbitrary SQL commands. Validating the supplied user name during the logon process is particularly important because the application's security model depends entirely on the ability to authenticate users correctly and securely.
Create a WEB application that has a login page
This procedure creates a simple Visual C # WEB application that contains a login page where users can enter a user name and password.
To create a WEB application with a login page, follow these steps:
• Start Visual Studio. NET and create a new Visual C # asp.net Web application named Formsauthsql.
• Rename WebForm1.aspx to logon.aspx using Solution Explorer
• Add the controls listed in table 1 to logon.aspx to create a simple login form.
Table 1:logon.aspx Control control type text ID
Label
User Name:
-
Label
Password
-
Text Box
-
txtUserName
Text Box
-
Txtpassword
Button
Register
Btnregister
Button
Logon
Btnlogon
Label
-
Lblmessage
Your Web page should resemble the page shown in Figure 1.
Figure 1. Login Page Web Form
• Set the Txtpassword TextMode property to Password.
Configuring WEB Applications for Forms authentication
This procedure edits the application's Web.config file to configure the application for Forms authentication.
To configure the WEB application for Forms authentication, follow these steps:
1. Open Web.config using Solution Explorer.
2. Navigate to the element and change the Mode property to Forms.
3. Add the following elements as child elements of the element and set the loginurl, name, timeout, and path properties as follows:
Ms Loginurl= "logon.aspx" name= "Sqlauthcookie" timeout= "path="/">
4. The purpose of adding the following elements to the element is to allow only authenticated users to access the application. The Loginurl property of a previously established element redirects an unauthenticated request to a logon.aspx page.
Developing functions that generate hashes and Salt values
This procedure adds two utility methods to the WEB application, one method generates a random salt value, and the other creates a hash based on the supplied password and salt values.
To develop a function that generates a hash and a salt value, follow these steps:
1. Open Logon.aspx.cs and add the following using statement under the existing using statement at the top of the file.
Using System.Security.Cryptography;
Using System.Web.Security;
2. Add the following static methods to the WebForm1 class to generate random salt values and return this value as a Base 64 encoded string.
private static string CreateSalt (int size)
{
Generate a cryptographic random number using the cryptographic
Service Provider
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider ();
byte[] buff = new Byte[size];
Rng. GetBytes (Buff);
Return a Base64 string representation of the random number
return convert.tobase64string (Buff);
}
3. Add the following static methods to generate a hash value based on the supplied password and salt values.
private static string Createpasswordhash (string pwd, string salt)
{
String saltandpwd = String.Concat (pwd, salt);
String hashedpwd =
FormsAuthentication.HashPasswordForStoringInConfigFile (
Saltandpwd, "SHA1");
return hashedpwd;
}
Create a user account database
This procedure creates a new user account database in SQL Server that contains a user table and a stored procedure for querying the user's database.
To create a user account database, do the following:
1. On the Microsoft SQL Server Programs menu, click Query Analyzer, and then connect to local SQL server.
2. Enter the following SQL script. Note that you must replace the "LocalMachine" at the end of this script with your own computer name.