Wednesday, September 29, 2010

Security Topic In Asp.net with Web.Config file

Web server security:

  • Authentication: user validation

    • Basic authentication (user name and passwords are stored in clear text, no encryption)
    • Digest authentication (recommended and provided by default; user name and passwords are stored encrypted)
    • Windows integrated authentication
  • Authorization: access permissions for the user
    • Read/write authorization

Types of authentication in our application

  • Windows (by default)
  • Forms authentication (customized authentication)
  • Passport authentication (single sign-in: one login can be used on multiple Passport-enabled sites)
  • None

Practical (forms authentication)

Add new web site:

Web config:

“abc” is the name of the authentication cookie

Add new page (login.aspx)

Design:

User name: textbox1

Password: textbox2

Login(button)

Login()
{
    if (TextBox1.Text == "abc" && TextBox2.Text == "xyz")
    {
        Response.Write("login");
        // true: writes a permanent (persistent) cookie;
        // false: writes a temporary (session) cookie
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user password");
    }
}

RedirectFromLoginPage: writes the user name to the cookie and redirects to the default.aspx page

Default.aspx:

Design;

Label

Code:

Page_Load:

    if (User.Identity.IsAuthenticated) // User is a global object; IsAuthenticated returns a boolean
    {
        Label1.Text = "welcome " + User.Identity.Name; // Name returns the name of the logged-in user
    }
    else
    {
        FormsAuthentication.RedirectToLoginPage(); // picks the login page from web.config
        // Response.Redirect("login.aspx");
    }

Note: default.aspx cannot be opened without logging in.
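The notes say RedirectFromLoginPage "writes the user name to the cookie". The example below (added here; it is not code from the original notes) does the same steps by hand so you can see what the "abc" cookie actually carries: an encrypted and signed FormsAuthenticationTicket holding the user name and expiry, never the password. It assumes a web.config with `<authentication mode="Forms"><forms name="abc" loginUrl="login.aspx" defaultUrl="default.aspx" /></authentication>` and a login page with TextBox1, TextBox2, Button1 and an extra LogoutButton; the handler names are assumptions.

```csharp
// Added example, not from the original notes. Same effect as
// FormsAuthentication.RedirectFromLoginPage(name, false), step by step.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Hard-coded credentials are only for the exercise; a real application
        // checks a store of salted password hashes instead.
        if (TextBox1.Text == "abc" && TextBox2.Text == "xyz")
        {
            bool persistent = false;   // false: session (temporary) cookie, as in the notes

            // Build the cookie named "abc" that RedirectFromLoginPage would create.
            HttpCookie authCookie = FormsAuthentication.GetAuthCookie(TextBox1.Text, persistent);
            authCookie.HttpOnly = true;                     // default since .NET 2.0; script cannot read it
            authCookie.Secure = Request.IsSecureConnection; // only sent over HTTPS when the site uses it
            Response.Cookies.Add(authCookie);

            // Decrypt our own cookie to see what it holds (trace output only).
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            Trace.Write("auth", "cookie=" + authCookie.Name       // "abc"
                + " user=" + ticket.Name                          // "abc"
                + " expires=" + ticket.Expiration
                + " persistent=" + ticket.IsPersistent);          // False

            // GetRedirectUrl returns ReturnUrl if the user was sent here from a
            // protected page, otherwise the defaultUrl from web.config.
            Response.Redirect(FormsAuthentication.GetRedirectUrl(TextBox1.Text, persistent));
        }
        else
        {
            Response.Write("wrong user password");
        }
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();           // removes the "abc" cookie
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The ticket is protected with the machineKey, so a user cannot forge a cookie for another name, but anyone who obtains the cookie value can replay it until it expires; that is why the HttpOnly and Secure flags (or `requireSSL="true"` on the `<forms>` element) matter.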

If the number of users is very small (e.g. 4 users), we can create the users in web.config; no need to create tables.

Web config:

(each user entry defines one user; SHA1 and MD5 are the hashing algorithms available for the stored passwords)

Login.aspx:

Design :

Add one more button2;

Button2()
{
    if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
    // Authenticate checks the user against the credentials in web.config
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user password");
    }
}
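The notes mention SHA1 and MD5 for the passwords kept in web.config. The example below (added here, not code from the original notes) shows how the hashed value is produced and how Button2 then verifies it with FormsAuthentication.Authenticate. It assumes this web.config, with `passwordFormat="SHA1"` instead of clear text; the helper name HashForConfig is an assumption.

```csharp
// Added example, not from the original notes. Assumed web.config:
//
//   <authentication mode="Forms">
//     <forms name="abc" loginUrl="login.aspx">
//       <credentials passwordFormat="SHA1">
//         <user name="abc" password="(hex string returned by HashForConfig)" />
//       </credentials>
//     </forms>
//   </authentication>
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // One-time helper: run it once, paste the returned hex string into web.config.
    // SHA1 and MD5 here are unsalted, so equal passwords give equal hashes and
    // offline guessing is cheap; beyond a classroom exercise use ASP.NET
    // Membership or ASP.NET Identity, which store salted hashes.
    public static string HashForConfig(string clearPassword)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearPassword, "SHA1");
    }

    protected void Button2_Click(object sender, EventArgs e)
    {
        // Authenticate hashes TextBox2.Text with the configured passwordFormat and
        // compares it with the <user> entry whose name matches TextBox1.Text.
        if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password, so the page
            // does not reveal which user names exist.
            Response.Write("wrong user password");
        }
    }
}
```

Clear-text passwords in web.config are never served to browsers (ASP.NET refuses requests for .config files), but anyone with read access to the server's file system or backups sees them, which is the reason to store a hash.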

----------XXXXXXXXXXXXX-------------------

Authorization:

E.g. admin can access only default.aspx

Admin1 can access only default2.aspx

Admin2 can access only default3.aspx

Add 3 web pages

Web config:

(“?” denotes anonymous, i.e. unauthenticated, users, which are denied; “*” denotes all users)

Continued:

Button()
{
    if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user/password");
    }
}

To go to a user-defined page on FormsAuthentication.RedirectFromLoginPage:

In the web.config file:

< ………… loginUrl="frmlogin.aspx" defaultUrl="frmwel.aspx" >

RedirectFromLoginPage writes the user name to the cookie and redirects to the defaultUrl. If defaultUrl is empty, it redirects to default.aspx.

To show a welcome message on default.aspx:

Default.aspx:

Label:

Code:

    if (User.Identity.IsAuthenticated)
    {
        Label1.Text = "welcome " + User.Identity.Name;
    }
    else
    {
        FormsAuthentication.RedirectToLoginPage();
    }

Same as yesterday:

Add 3 pages

Authorization:

Same for the other pages and the other users

Design default.aspx (set NavigateUrl on each hyperlink):

  • Hyperlink1: default1.aspx
  • Hyperlink2: default2.aspx
  • Hyperlink3: default3.aspx
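To tie the authorization section and the default.aspx hyperlinks together, here is an added example (not code from the original notes) in which default.aspx shows each link only to the user that the `<authorization>` rules allow, using UrlAuthorizationModule.CheckUrlAccessForPrincipal, the same check ASP.NET runs for every request. It assumes the web.config in the comment below (one allowed user per page, written as `<location>` blocks), the control names Label1 and HyperLink1..3, and the helper names CanOpen and ShowIfAllowed.

```csharp
// Added example, not from the original notes. Assumed web.config
// (? = anonymous users, * = all users; the first matching rule wins):
//
//   <system.web>
//     <authorization><deny users="?" /></authorization>   <!-- no anonymous access anywhere -->
//   </system.web>
//   <location path="default1.aspx"><system.web><authorization>
//     <allow users="admin" /><deny users="*" />
//   </authorization></system.web></location>
//   <location path="default2.aspx"> ... <allow users="admin1" /><deny users="*" /> ...
//   <location path="default3.aspx"> ... <allow users="admin2" /><deny users="*" /> ...
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class _Default : Page
{
    // Ask the engine that enforces <authorization> whether 'user' may GET 'appRelativePath'.
    public static bool CanOpen(IPrincipal user, string appRelativePath)
    {
        string absolute = VirtualPathUtility.ToAbsolute(appRelativePath); // "~/x.aspx" -> "/app/x.aspx"
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(absolute, user, "GET");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        Label1.Text = "welcome " + User.Identity.Name;

        // Hiding a link is cosmetic: the <location> rules are what actually
        // reject a direct request for a page the user may not open.
        ShowIfAllowed(HyperLink1, "~/default1.aspx");   // visible only to admin
        ShowIfAllowed(HyperLink2, "~/default2.aspx");   // visible only to admin1
        ShowIfAllowed(HyperLink3, "~/default3.aspx");   // visible only to admin2
    }

    private void ShowIfAllowed(HyperLink link, string appRelativePath)
    {
        link.NavigateUrl = appRelativePath;
        link.Visible = CanOpen(User, appRelativePath);
    }
}
```

Because the rules are evaluated per request by UrlAuthorizationModule, a user who types default2.aspx into the address bar while logged in as admin gets a 401 regardless of what the links on default.aspx show; the check in CanOpen only keeps the menu consistent with that decision.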