Reference implementation of ASP. NET 2.0 Internet Security

[Source: J. D. Meier's Blog]

Microsoft has just launched an ASP. NET 2.0 Internet Security Reference Implementation (ASP. NET 2.0 Internet Security Reference Implementation ). This is a sample application with all encoding and guidance documents. Its purpose is to demonstrate how to apply the best practices in the "Security Wizard of patterns and practices" in practical applications. This application has evolved from Pet Shop 4 to apply to the Internet. This application uses form authentication. User and role data are stored in the SQL database.

This application can be downloaded from its official website:

ASP_NET 2_0 Internet Security Reference Implementation: Home
Http://www.gotdotnet.com/codegallery/codegallery.aspx? Id = 48f35de8-cd92-4ac6-9144-12d5a13f22ff [link not found]

The downloaded content includes three parts:
1. VS 2005 scheme and encoding
2. Guidance Document for Internet security reference implementation
3. Scenario (Scenario) and solution documentation

In the guidance document for security reference implementation, the design decisions involved include the following categories:
1. Authentication
2. Authorization
3. Input and data verification
4. Data Access
5. Exception management
6. Sensitive Data)
7. Auditing and Logging)

Detailed design decisions are listed in each category. For example, for authentication, the decisions to be made include
1. Use Form Authentication
2. Use the SQL member provider
3. Use SSL to protect authentication information and authenticate cookies
4. Do not directly store plaintext passwords
5. Enforce the use of secure passwords
6. Protect access to identity authentication information storage
7. Non-long-time authentication cookies
8. Set HttpOnly on cookies for authentication
9. Use a unique cookie name and Path

List each decision in detail
1. How is it implemented?
2. The reason for doing so
3. Benefits
4. Disadvantages
5. Related Resources

There are many aspects involved and the content is very comprehensive. It is a good example of learning to design/implement secure Web applications.

Summary of Asp. Net security verification

 

1. windows-based security verification
Web. config file:
<Configuration>
<System. web>
<Authentication mode = "Windows"/>
<Identity impersonate = "true"/>
<Authorization>
<Allow roles = "BUILTIN \ groupname" users = "computername \ UserName, computername \ UserName"/>
<Deny users = "*"/>
</Authorization>
</System. web>
</Configuration>
The. aspx file can be verified without any code, but the login user information can be obtained in the. aspx file.
You need to import the namespace: System. Security. Principal
If (User. Identity. IsAuthenticated) // you can check whether the User is authenticated.
{
WindowsIdentity objWinIdentity = WindowsIdentity. GetCurrent ();
LblHelloMsg. text = "the name:" + objWinIdentity. name + "<br> Type:" + objWinIdentity. authenticationType + "IsInRole:" + User. isInRole ("computername \ groupname ");
}

2. web. config forms-based verification
Web. config file:
<Configuration>
<System. web>
<Authentication mode = "Forms">
<Forms name = "MyApp" path = "/" loginUrl = "login. aspx"
Protection = "All" timeout = "30">
<Credentials passwordFormat = "Clear">
<User name = "kwk" password = "test"/>
<User name = "ljx" password = "test"/>
</Credentials>
</Forms>
</Authentication>

<Authorization>
<Allow users = "kwk, ljx"/>
<Deny users = "? "/>
</Authorization>
</System. web>
</Configuration>
Login. aspx file: You need to provide two text boxes to fill in the user and password (txtUsr, txtPwd), one single worker to determine whether to save permanently
The code for responding to a button is as follows:
Void DoLogin (Object sender, EventArgs e)
{
If (FormsAuthentication. Authenticate (txtUsr. Value, txtPwd. Value ))
{
FormsAuthentication. RedirectFromLoginPage (txtUsr. Value, chkPersist. Checked );
}
Else
// Set for code integrity. You can leave it empty.
{
Response. Write ("authentication fails ");
}
}
On other pages, you can obtain the value of the login user:
If (User. Identity. IsAuthenticated) // you do not need to determine
{
Response. Write ("your name:" + User. Identity. Name );
Response. Write ("Verification type:" + User. Identity. AuthenticationType); // forms, windows, etc.
}

3. Authentication Based on Custom forms
Web. config file (basically no settings are required ):
<System. web>
<Authentication mode = "Forms">
<Forms name = "MyApp" path = "/" loginUrl = "custom-login.aspx"
Protection = "All" timeout = "30">
</Forms>
</Authentication>

<Authorization>
<Deny users = "? "/>
</Authorization>
</System. web>
Custom-login.aspx files, the basic principle is the same as 2 said, such:
If (blnIsAuthenticated) // note that this blnIsAuthenticated is a self-defined variable.
// When we compare user input information with database (or xml) information, this variable is set to true if it exists, and false if it is false.
// This is different from 2
{
FormsAuthentication. RedirectFromLoginPage (txtUsr. Value, chkPersist. Checked );
// TxtUsr and chkPersist are textbox and checkbox controls, respectively.
}
Else
{
// Verification failure prompt information
}
The rest is like Obtaining user information on other pages, such as 2.

4. log out
Code for responding to the Logout button:
FormsAuthentication. SignOut ();
Response. Clear ();
Response. Redirect (Request. UrlReferrer. ToString (); // Redirect to the previous page