Implementation of ASP.NET Security Identity Authentication

Source: Internet
Author: User
The .NET platform and its ASP+ provide powerful development features for every programmer; a preference for one language should not affect the choice of the most efficient development tool. At present, ASP+ does provide many features that JSP cannot match.
When using ASP+, you can truly use whichever language you like. During programming, the page in the browser shows all the compilation information for languages such as C# used in ASP+ pages. Moreover, with the dozens of powerful server-side controls that ASP+ provides, almost everything previously done with client-side RAD development tools can be achieved. ASP+ can also use .NET XML technology directly and conveniently: with a few simple functions, XML can replace some databases or be used to exchange information with other programs.
In the future, more and more languages will support ASP+ development; the American subsidiary of Fujitsu has already released COBOL for .NET, so that COBOL can also be used to develop ASP+ applications. The only pity is that ASP+ cannot run on platforms other than Windows, but this is exactly what .NET is working on.
Given these advantages, more and more web applications will be developed with ASP+. When implementing e-commerce and similar applications, you must pay attention to security, which involves many aspects such as the operating system, network management, and program security. This article introduces how to use ASP+ configuration and code for security authentication.
ASP+ Configuration
ASP+ is configured in an unusual way. It uses config.web, an XML file whose content you can conveniently modify with Notepad or an XML editor. Settings are hierarchical: a subdirectory inherits or overrides the configuration settings obtained from its parent directory. That is, if a config.web file is placed in the root directory, every directory below it automatically inherits the configuration in that file. If a subdirectory needs a different configuration, we can create another config.web and put it in that subdirectory. This way of managing configuration is a great advantage when installing applications, modifying configurations, and managing security.
ASP+ provides three main authentication methods: Windows, cookie, and passport. Windows authentication relies on the security management of Windows itself: you set Windows users, IIS, and other permissions to ensure security. For some large applications, this method is complicated and cumbersome. The passport method is convenient and secure: a single user name and password gives access to any member site, and when you log out, all passport-related information is cleared, so you can use it in public places with confidence. Passport is suitable for Internet applications. In enterprise-level applications, cookie authentication together with network management techniques such as SSL and IP address restrictions can also achieve a certain level of security.
The following describes how to configure cookie authentication:
You need to create a config.web with the following content and place it under c:\Inetpub\wwwroot\ (the default IIS directory); a config.web is generally also found in the \winnt\Microsoft.net\framework\v... directory.
<configuration>
  <security>
    <authentication mode="cookie">
      <cookie decryptionkey="autogenerate" loginurl="/login.aspx" cookie=".aspxauth"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </security>
</configuration>
This configuration file declares cookie authentication. When you access an .aspx file in this directory or its subdirectories without an authenticated cookie, you are redirected to login.aspx. If a directory should not require identity authentication (for example, one where the user can submit an application), you can create the following config.web and put it in that directory:
<configuration>
  <security>
    <authorization>
      <allow users="*"/>
    </authorization>
  </security>
</configuration>

Program Design
You need to create two ASP+ programs, default.aspx and login.aspx, under the root directory.
The content of the login.aspx program is as follows:

<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.ADO" %>
<html>
<head>
<title>login</title>
<script language="C#" runat="server" debug="true">
void login_click(Object sender, EventArgs e) {
    if (Page.IsValid)
    {
        ADODataReader dr;
        // Connect to the database. The user name and password are in the users table
        // of the qcdb database, reached through ODBC
        ADOConnection cn = new ADOConnection("DSN=qcdb");
        cn.Open();
        // The user name is concatenated into the SQL text here; a parameterized
        // command avoids SQL injection through the name field
        ADOCommand cmd = new ADOCommand("select password from users where name='" + yourname.Text + "'", cn);
        // Select the user information
        cmd.Execute(out dr);
        // The data reader now holds the SQL result
        if (dr.Read()) // obtain the corresponding first row of data
        {
            if (dr["password"].ToString() == password.Text)
                // Generates the cookie. If abidingcookie is checked, the cookie is permanently saved.
                CookieAuthentication.RedirectFromLoginPage(yourname.Text, abidingcookie.Checked);
            else
                MSG.Text = "Incorrect password";
        }
        else
            MSG.Text = "the user name does not exist";
    }
}
</script>
</head>
<body>
<center>
<asp:Label id="MSG" ForeColor="red" Font-Name="verdana" Font-Size="18" runat="server"/>
<form runat="server">
<table>
<tr><td><asp:Label Text="username:" runat="server"/></td>
<td><asp:TextBox id="yourname" runat="server"/></td></tr>
<tr><td><asp:Label Text="Password:" runat="server"/></td>
<td><asp:TextBox id="password" TextMode="password" runat="server"/></td>
<td><asp:Button id="btnlogin" Text="OK" OnClick="login_click" runat="server"/></td></tr>
<tr><td>you do not need to enter a password next time</td>
<td><asp:CheckBox id="abidingcookie" runat="server"/></td></tr>
</table>
</form>
</center>
</body>
</html>
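A hardened form of the credential check in login.aspx above, as an added example that is not part of the original article: the user name is passed as a query parameter instead of being concatenated into the SQL text, and a salted PBKDF2 hash is compared rather than a stored plaintext password. It is written against today's System.Data interfaces, not the ASP+ beta ADO classes; the class LoginCheck, its methods, the salt and pwd_hash columns and the iteration count are assumptions.

```csharp
// Added example, not the article's code. Assumed (hypothetical) schema:
// users(name, salt BINARY(16), pwd_hash BINARY(32)).
using System;
using System.Data;
using System.Security.Cryptography;

public static class LoginCheck
{
    const int Iterations = 210000;   // PBKDF2-HMAC-SHA256 work factor (assumed)

    // Derive the stored verifier from a password and the per-user salt.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations,
                                                HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compare without returning early, so timing does not reveal a prefix match.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // True only if the user exists and the password matches.
    public static bool Verify(IDbConnection cn, string name, string password)
    {
        using (IDbCommand cmd = cn.CreateCommand())
        {
            // "?" is the ODBC positional marker (ODBC provider assumed): the name
            // travels as data, so quotes in it cannot alter the statement.
            cmd.CommandText = "select salt, pwd_hash from users where name = ?";
            IDbDataParameter p = cmd.CreateParameter();
            p.DbType = DbType.String;
            p.Value = name;
            cmd.Parameters.Add(p);

            using (IDataReader dr = cmd.ExecuteReader())
            {
                // Unknown user: still do the hashing work so both failure
                // paths take similar time, then reject.
                if (!dr.Read()) { Hash(password, new byte[16]); return false; }
                byte[] salt = (byte[])dr["salt"];
                byte[] stored = (byte[])dr["pwd_hash"];
                return SameBytes(Hash(password, salt), stored);
            }
        }
    }
}
```

From the click handler, pass an open connection to the qcdb DSN and issue the authentication cookie only when Verify returns true. Showing one message for both failure cases avoids revealing which user names exist.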
The content of the default.aspx program is as follows:
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<html>
<script runat="server">
private void Page_Load(Object src, EventArgs e)
{
    // The user name is HTML-encoded before it is written into the page
    welcome.InnerHtml = "Congratulations on your authentication " + Server.HtmlEncode(Context.User.Identity.Name);
}
private void signout_click(Object sender, EventArgs e)
{
    CookieAuthentication.SignOut();
    // Press the signout button to clear the original cookie
    Response.Redirect("login.aspx");
    // Ask the user to re-enter the new user name and password
}
</script>
<body>
<center>
<h3><font face="verdana">.Net authentication system prompts you</font> <span id="welcome" runat="server"/></h3>
<form runat="server">
<input type="submit" OnServerClick="signout_click" value="cancel this logon identity" runat="server"/>
</form>
<p><a href="/adduser/">enter the Management Room</a></p>
</center>
</body>
</html>
When an unauthenticated user browses an .aspx file on your website (note that cookie authentication applies only to .aspx files), the system finds that the user has no cookie and redirects to login.aspx. After the user enters the correct user name and password, the system generates a cookie for the user and immediately redirects to the .aspx file the user wanted to browse and executes it. By default, the redirect goes to default.aspx; the default.aspx provided above reports that you have passed identity authentication.
Summary
Because a session is used to track a specific web browser during application access, HTTP requests carrying the corresponding cookie are considered to come from the same web browser. Therefore, to prevent the cookie from being intercepted illegally with tools such as a sniffer, you need to consider using SSL or another method of encrypting the communication link.
For the above program, you can easily add user IP address information to the table in order to verify intranet users. A cookie is like an ID card. To prevent unauthorized use of your cookie, the cookie should be cleared when the browser is closed.
In short, the cookie authentication method, combined with various encryption methods and a complete security configuration of the operating system, can provide sufficient support for most applications that require security authentication.
