08 authentication
Presentation Transcript

  • Authentication in ASP.NET MVC: Best practices for user and group management
  • Topics
    › The membership and role provider model
    › Authorizing action methods
    › Best practices
  • The provider model
    › ASP.NET has a robust and simple way to handle authentication: the membership and role provider model
    › Configured in web.config (or with the ASP.NET Configuration Tool)
    › It is highly extensible: you can customize it with a small amount of code
    › Much more secure than home-grown schemes (password hashing, lockout after failed attempts and user management are already implemented for you)
    › Uses good design patterns
    › Abstracts away most user functions
  • Coding with the Provider Model
    › All features are simple ...

```csharp
using System;
using System.Web.Security;

MembershipCreateStatus status;
Membership.CreateUser(
    "dschrute",                        // username
    "recyclops",                       // password
    "dwight@dundermifflin.com",        // email
    "Which color is most dominant?",   // password reminder question
    "black",                           // answer
    true,                              // is approved?
    out status);
if (status != MembershipCreateStatus.Success)
    // In real code, map the status (DuplicateUserName, InvalidPassword, ...)
    // to a user-facing message instead of throwing
    throw new Exception("Fail!");
```

    › Other features are similarly easy
    › Best feature, though, is ...
    › No programming necessary!
  • To authenticate a user

```csharp
using System.Web.Security;

// Issues the forms-authentication cookie; call this only after the
// credentials have been checked (e.g. with Membership.ValidateUser).
// The second argument selects a session cookie (false) or a persistent one (true).
FormsAuthentication.SetAuthCookie("ferb", false);
```

    › Who am I?

```csharp
string me = User.Identity.Name;
```
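The following is an added example and not code from the slides. It puts the two calls above into an MVC controller so the whole flow is visible: credentials are checked by whatever MembershipProvider is configured, the forms-authentication ticket is issued ("remember me" becomes a persistent ticket, never a cookie holding the password), the user can sign out, and an action is gated on a role that the configured RoleProvider reports. The controller classes, LoginModel and the "Admin" role name are assumptions made for the example.

```csharp
// Added example: login, logout and role-based authorization on top of the
// ASP.NET membership/role provider model. Assumes an ASP.NET MVC 3+ project
// with forms authentication and <roleManager enabled="true"> in web.config.
using System.Web.Mvc;
using System.Web.Security;

namespace MyProj.Controllers
{
    public class LoginModel   // hypothetical view model for the login form
    {
        public string UserName { get; set; }
        public string Password { get; set; }
        public bool RememberMe { get; set; }
    }

    public class AccountController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]   // the login form must emit @Html.AntiForgeryToken()
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (!ModelState.IsValid)
                return View(model);

            // The configured MembershipProvider does the credential check;
            // this code never compares passwords itself.
            if (!Membership.ValidateUser(model.UserName, model.Password))
            {
                // One generic message: do not reveal whether the user name exists.
                ModelState.AddModelError("", "The user name or password is incorrect.");
                return View(model);
            }

            // "Remember me" = persistent, encrypted and signed ticket containing
            // the user name and expiry (the option the slides endorse), never
            // a cookie that stores the password.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Only follow local return URLs so the login page is not an open redirect.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Register(string userName, string password, string email)
        {
            // Same call as on the previous slide, but the status is reported
            // to the user instead of thrown. Pass a question and answer here if
            // the provider has requiresQuestionAndAnswer="true".
            MembershipCreateStatus status;
            Membership.CreateUser(userName, password, email, null, null, true, out status);

            if (status == MembershipCreateStatus.Success)
            {
                FormsAuthentication.SetAuthCookie(userName, false);
                return RedirectToAction("Index", "Home");
            }

            ModelState.AddModelError("", StatusMessage(status));
            return View();
        }

        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Index", "Home");
        }

        private static string StatusMessage(MembershipCreateStatus status)
        {
            switch (status)
            {
                case MembershipCreateStatus.DuplicateUserName:
                    return "That user name is already taken.";
                case MembershipCreateStatus.InvalidPassword:
                    return "The password does not meet the configured policy.";
                default:
                    return "Registration failed.";
            }
        }
    }

    // Authorizing an action method: [Authorize] rejects anonymous callers with
    // a 401 (redirected to the login page), and the Roles check consults the
    // RoleProvider's GetRolesForUser for the signed-in user name.
    public class AdminController : Controller
    {
        [Authorize(Roles = "Admin")]
        public ActionResult Index()
        {
            return Content("Signed in as " + User.Identity.Name);
        }
    }
}
```

Note that the only state the client holds after login is the forms-authentication ticket; the password is used once, inside Membership.ValidateUser, and then discarded.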
  • But I have another authentication method in place. I need to use it!
    › No problem. Just create your own class that inherits from MembershipProvider and override the parts you need. (MembershipProvider's members are abstract, so every member has to be implemented; the ones your system doesn't support can simply throw NotSupportedException.)
  • Overriding authentication methods

```csharp
using System.Web.Security;

class MyMembershipProvider : MembershipProvider
{
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        // Look the user up in the existing system and wrap it in a
        // MembershipUser subclass (MyMembershipUser is your own class)
        var a = ExistingMethod.GetUserByUserName(username);
        return new MyMembershipUser(a.Id, a.Email);
    }

    public override bool ValidateUser(string username, string password)
    {
        // Delegate the credential check to the existing system
        return Existing.Valid(username, password);
    }

    // ... the remaining abstract members of MembershipProvider must also be
    // implemented; throw NotSupportedException for features you don't use
}
```
  • To use your own groups/roles methods, override RoleProvider

```csharp
using System.Web.Security;

public class AccountRoleProvider : RoleProvider
{
    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        // Use your existing system to add users to groups
    }

    public override string[] GetRolesForUser(string username)
    {
        // This is what [Authorize(Roles = "...")] and User.IsInRole() consult
        return ExistingWay(username);
    }

    public override bool RoleExists(string roleName)
    {
        return ExistingDoesRoleExist(roleName);
    }

    // ... RoleProvider's other abstract members must be implemented as well
}
```
  • One last step; we need to register our providers in web.config

```xml
<system.web>
  <membership defaultProvider="AccountMembershipProvider">
    <providers>
      <clear/>   <!-- remove the default SQL provider so only yours is active -->
      <!-- type = namespace-qualified name of your MembershipProvider subclass -->
      <add name="AccountMembershipProvider"
           type="MyProj.AccountMembershipProvider" />
    </providers>
  </membership>

  <roleManager enabled="true" defaultProvider="AccountRoleProvider">
    <providers>
      <clear/>
      <add name="AccountRoleProvider"
           type="MyProj.AccountRoleProvider" />
    </providers>
  </roleManager>
  ...
</system.web>
```
  • Best practices
    › Avoid canned password-reset questions
    › When resetting the password, never email it
    › Don't allow the website to "Remember me"
    › Turn autocomplete off so the username and/or password can't be pulled from the browser's saved form data (note that current browsers ignore autocomplete="off" on password fields, so treat this as minor hardening rather than a control)
    › Use strong passwords
  • Allow the user to set his own password reset question
    › Never force a choice from a small list
    › Too easy to research:
      › High school mascot
      › Mother's maiden name
      › Pet's name
      › Birth city
    › Too easy to guess:
      › Favorite color
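An added example, not from the slides, of what "never email the password" looks like in practice: a reset request mails a random, single-use, short-lived link, and only after the link is followed does the user choose a new password through the MembershipProvider. The IResetTokenStore and IMailer interfaces, the PasswordResetService class and the 30-minute lifetime are assumptions for the example; the Membership and MembershipUser calls are the real ASP.NET API.

```csharp
// Added example: token-based password reset that never sends the password.
// Assumes the configured MembershipProvider has enablePasswordReset="true"
// and requiresQuestionAndAnswer="false" (otherwise pass the user's answer to
// ResetPassword). The token store and mailer are hypothetical abstractions.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

namespace MyProj.Security
{
    public interface IResetTokenStore
    {
        void Save(string userName, string tokenHash, DateTime expiresUtc);
        // Returns the user name for a stored, unexpired token hash and deletes
        // the record so the token cannot be replayed; null if not found.
        string Consume(string tokenHash);
    }

    public interface IMailer
    {
        void Send(string to, string subject, string body);
    }

    public class PasswordResetService
    {
        private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
        private readonly IResetTokenStore store;
        private readonly IMailer mailer;

        public PasswordResetService(IResetTokenStore store, IMailer mailer)
        {
            this.store = store;
            this.mailer = mailer;
        }

        // Step 1: the user asks for a reset. Behave identically whether or not
        // the address is known, so the form cannot be used to enumerate users.
        public void RequestReset(string email, string resetUrlBase)
        {
            string userName = Membership.GetUserNameByEmail(email);
            if (userName == null) return;

            string token = NewToken();
            // Store only a hash: a leaked table of tokens is then useless.
            store.Save(userName, Hash(token), DateTime.UtcNow.Add(Lifetime));

            mailer.Send(email, "Password reset",
                "Use this link within 30 minutes: " + resetUrlBase + "?token=" + token);
        }

        // Step 2: the link is followed and the user submits a new password.
        public bool CompleteReset(string token, string newPassword)
        {
            string userName = store.Consume(Hash(token));
            if (userName == null) return false;

            MembershipUser user = Membership.GetUser(userName);
            if (user == null) return false;

            // Membership cannot set a password without the old one, so let the
            // provider generate a temporary value and replace it immediately
            // with the user's choice; the temporary value is never shown or mailed.
            string temp = user.ResetPassword();
            return user.ChangePassword(temp, newPassword);
        }

        private static string NewToken()
        {
            var bytes = new byte[32];   // 256 bits from the OS CSPRNG
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(bytes);
            return Convert.ToBase64String(bytes)
                .TrimEnd('=').Replace('+', '-').Replace('/', '_');   // URL-safe
        }

        private static string Hash(string token)
        {
            using (var sha = SHA256.Create())
                return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}
```

Because the token is random and hashed at rest, a reset link is no more guessable than the password it replaces, and because Consume deletes it, the same link cannot be used twice.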
  • "Remember me" is convenient, but it opens security holes
    › Worst option is to save the username and password in a cookie
    › If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie (FormsAuthentication.SetAuthCookie(username, true): the cookie holds an encrypted, signed ticket with the user name and expiry, never the password)
  • Turn browser autocomplete off
    › Guessing a username is half the battle
    › If the form fills in a username for whoever is sitting at the browser, an attacker has a major leg up
    › And if it did that for a password, that would be horrible
    › Turn remembering off like this:

```html
<form id="f1" autocomplete="off">
```
  • Sometimes ... often ... usually, our efforts to increase security actually decrease it
  • Password rules are enforced on the backend
    › Set in web.config, under membership - providers:

```xml
<add name="AspNetSqlMembershipProvider" type="..."
     minRequiredPasswordLength="1"
     minRequiredNonalphanumericCharacters="0"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     passwordStrengthRegularExpression="" />
```

    › The values above show the knobs, not a recommendation: minRequiredPasswordLength="1" accepts a one-character password, so raise it, and keep passwordFormat="Hashed" so stored passwords cannot be recovered
  • Summary
    › Good authentication practices go a long way toward establishing security
    › Use a role provider based on Microsoft's
    › Use Microsoft's built-in controls
    › Enforce strong passwords, but don't go crazy