Wednesday, September 29, 2010

Security Topics in ASP.NET with the Web.config File

Web server security:

  • Authentication: user validation

    • Basic authentication (user names and passwords are stored in clear text, no encryption)
    • Digest authentication (the recommended authentication, provided by default; user names and passwords are stored encrypted)
    • Windows integrated authentication
  • Authorization: access permissions for users
    • Read write authorization

Types of authentication in our application

  • Windows (by default)
  • Forms authentication (customized authentication)
  • Passport authentication (single sign-in: one login can be used on multiple Passport-enabled sites)
  • None

Practical (forms authentication)

Add new web site:

Web config:

“abc” is the name of the cookie

Add new page (login.aspx)

Design:

User name: textbox1

Password: textbox2

Login(button)

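// requires: using System.Web.Security;
protected void Login_Click(object sender, EventArgs e)
{
    // Hard-coded demo credentials; == compares, = would assign
    if (TextBox1.Text == "abc" && TextBox2.Text == "xyz")
    {
        Response.Write("login");
        // true: writes a permanent (persistent) cookie
        // false: writes a temporary (session) cookie
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user password");
    }
}

RedirectFromLoginPage: writes the user name to the cookie and redirects to the default.aspx page.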

Default.aspx:

Design:

Label

Code:

Page load:

protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated) // User is a global object; IsAuthenticated returns a Boolean
    {
        Label1.Text = "welcome" + User.Identity.Name; // returns the name of the user
    }
    else
    {
        FormsAuthentication.RedirectToLoginPage(); // picks the login page from web.config
        // Response.Redirect("login.aspx");
    }
}

Note: the default.aspx page cannot be opened without logging in.

If the number of users is very small (e.g. 4 users), we can create the users in web.config. There is no need to create tables.

Web config:

(means user; SHA1 and MD5 are the hashing algorithms)

Login.aspx:

Design:

Add one more button (Button2):

protected void Button2_Click(object sender, EventArgs e)
{
    // Authenticate checks the user against the credentials in web.config
    if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user password");
    }
}

----------XXXXXXXXXXXXX-------------------

Authorization:

For example, admin can access only default.aspx

admin1 can access only default2.aspx

admin2 can access only default3.aspx

Add 3 web pages

Web config:

(“?” means anonymous, i.e. unauthenticated, users, who are denied; “*” means all users)
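
A web.config covering the forms, credentials and per-page authorization steps described above could look like the following. This is an added example, not the original post's configuration: the password values are placeholders, defaultUrl="frmwel.aspx" is assumed to be a landing page every signed-in user may open, and the requireSSL, cookieless and timeout settings are hardening assumptions the post does not mention.

```xml
<!-- Added example, not from the original post. Password hashes are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name = cookie name; requireSSL keeps the ticket cookie off plain HTTP
           (assumes the site is served over HTTPS) -->
      <forms name="abc" loginUrl="login.aspx" defaultUrl="frmwel.aspx"
             protection="All" requireSSL="true" cookieless="UseCookies" timeout="20">
        <!-- Checked by FormsAuthentication.Authenticate. Clear leaves passwords readable
             here; MD5/SHA1 are unsalted hashes, so keep this store to small demo sites. -->
        <credentials passwordFormat="SHA1">
          <user name="admin" password="PLACEHOLDER_SHA1_HEX_FOR_ADMIN" />
          <user name="admin1" password="PLACEHOLDER_SHA1_HEX_FOR_ADMIN1" />
          <user name="admin2" password="PLACEHOLDER_SHA1_HEX_FOR_ADMIN2" />
        </credentials>
      </forms>
    </authentication>
    <!-- Site-wide default: "?" = anonymous users, who are sent to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Rules are read top-down and the first match wins, so the allow
       must come before deny users="*" ("*" = all users). -->
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="default2.aspx">
    <system.web>
      <authorization>
        <allow users="admin1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="default3.aspx">
    <system.web>
      <authorization>
        <allow users="admin2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If defaultUrl pointed at a page restricted to one user, every other user would be sent back to the login page right after signing in, which is why the landing page here is left open to all authenticated users.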

Continue

protected void Button1_Click(object sender, EventArgs e)
{
    if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
    }
    else
    {
        Response.Write("wrong user/password");
    }
}

To go to a user-defined page on FormsAuthentication.RedirectFromLoginPage:

In the web.config file:

< ………… loginUrl="frmlogin.aspx" defaultUrl="frmwel.aspx">

RedirectFromLoginPage writes the user name to the cookie and redirects to defaultUrl. If defaultUrl is empty, it redirects to default.aspx.

To show a welcome message on default.aspx

Default.aspx:

Label:

Code:

if (User.Identity.IsAuthenticated)
{
    Label1.Text = "welcome" + User.Identity.Name;
}
else
{
    FormsAuthentication.RedirectToLoginPage();
}

Same as yesterday:

Add 3 pages

Authorization:

Same with other pages for other users

Design default.aspx

NavigateUrl:

Hyperlink1: default1.aspx

Hyperlink2: default2.aspx

Hyperlink3: default3.aspx

Saturday, April 10, 2010

Developer's Life 2010

Building a task pane and displaying it within Outlook is easy but as I mentioned in Part 1, there are a couple of problems:

  1. Managing the multiple Task Pane instances, attaching to the Explorer and Inspector windows, and destroying each task pane when its Explorer or Inspector window closes can be a pain.
  2. The task pane you build does not come with a “collapse” button. You know, the button with a couple of chevrons pointing in the direction it will collapse? You have to add this functionality yourself. It can be done but there are easier methods.

This brings me back to the point of this series, tool takes care of Issue #1 and Issue #2. Yes, ADX costs a few bucks but it’s a time-saver and it reduces development effort. Either one of those is typically reason enough for me to purchase a tool (especially if the client is paying for it).
