08 authentication
Published in: Technology
  • 1. Authentication in ASP.NET MVC: best practices for user and group management
  • 2. Topics
    › The membership and role provider model
    › Authorizing action methods
    › Best practices
  • 3. The provider model
    › ASP.NET has a robust and simple way of handling authentication: the membership and role provider model
    › Configured in web.config (ASP.NET Configuration Tool)
    › It is highly extensible! You can customize it with some programming
    › Much more secure than home-grown ways
    › Uses good design patterns
    › Abstracts away most user functions
  • 4. Coding with the provider model
    › All features are simple ...

        using System;
        using System.Web.Security;

        MembershipCreateStatus status;
        Membership.CreateUser(
            "dschrute",                        // username
            "recyclops",                       // password
            "",                                // email
            "Which color is most dominant?",   // password reminder question
            "black",                           // answer to the question
            true,                              // is approved?
            out status);
        if (status != MembershipCreateStatus.Success)
            throw new Exception("Fail!");

    › Other features are similarly easy
    › The best feature, though, is ...
    › No programming necessary!
  • 5. To authenticate a user

        using System.Web.Security;

        // Issues the forms-authentication cookie for "ferb";
        // false = session cookie only, not a persistent one
        FormsAuthentication.SetAuthCookie("ferb", false);

    Who am I?

        // Inside a controller or view: the authenticated user's name
        var name = User.Identity.Name;
  • 6. But I have another authentication method in place. I need to use it!
    › No problem. Just create your own class that inherits from MembershipProvider and override the parts you need.
  • 7. Overriding authentication methods

        using System.Web.Security;

        // Public so ASP.NET can instantiate it from the web.config registration;
        // named to match the type registered on slide 9
        public class AccountMembershipProvider : MembershipProvider
        {
            public override MembershipUser GetUser(string username, bool userIsOnline)
            {
                // Look the user up in the existing system
                var a = ExistingMethod.GetUserByUserName(username);
                return new MyMembershipUser(a.Id, a.Email);
            }

            public override bool ValidateUser(string username, string password)
            {
                // Delegate the credential check to the existing system
                return Existing.Valid(username, password);
            }

            // MembershipProvider is abstract: its remaining members must be
            // overridden as well (throw NotSupportedException for unused ones)
        }

  • 8. To use your own groups/roles methods, override RoleProvider

        using System.Web.Security;

        public class AccountRoleProvider : RoleProvider
        {
            public override void AddUsersToRoles(string[] usernames, string[] roleNames)
            {
                // Use your existing system to add users to groups
            }

            public override string[] GetRolesForUser(string username)
            {
                return ExistingWay(username);
            }

            public override bool RoleExists(string roleName)
            {
                return ExistingDoesRoleExist(roleName);
            }

            // RoleProvider is abstract: override its remaining members as well
        }

  • 9. One last step; we need to register our providers in web.config

        <system.web>
          <membership defaultProvider="AccountMembershipProvider">
            <providers>
              <clear/>
              <add name="AccountMembershipProvider"
                   type="MyProj.AccountMembershipProvider" />
            </providers>
          </membership>

          <roleManager enabled="true"
                       defaultProvider="AccountRoleProvider">
            <providers>
              <clear/>
              <add name="AccountRoleProvider"
                   type="MyProj.AccountRoleProvider" />
            </providers>
          </roleManager>
          ...
        </system.web>
  • 10. Best practices
    › Avoid canned questions
    › When resetting the password, never email it
    › Don't allow the website to "Remember me"
    › Turn autocomplete off so the username and/or password can't be pulled from the browser cache
    › Use strong passwords
  • 11. Allow the user to set his own password reset question
    › Never force a choice from a small list
    › Too easy to research:
      › High school mascot
      › Mother's maiden name
      › Pet's name
      › Birth city
    › Too easy to guess:
      › Favorite color
  • 12. Remember me is convenient, but it opens security holes
    › The worst option is to save the username and password in a cookie
    › If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie
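    The login flow from slides 5 and 12 in one action method, as an added example that is not part of the presentation: the password is checked through the configured membership provider, "remember me" only makes the forms-authentication ticket persistent (the password never reaches a cookie), and the role check on the second action goes through the registered role provider. LoginModel, AccountController and the view names are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Assumed view model; not from the slides
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }   // slide 12: persistent cookie, never the password
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // ValidateUser runs through the provider registered in web.config, so the
        // password rules and maxInvalidPasswordAttempts configured there apply.
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            // Only the forms-authentication ticket is stored; RememberMe decides
            // whether the cookie is persistent (slide 12) or session-only (slide 5).
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Redirect only to local URLs so returnUrl cannot be abused as an open redirect.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // One generic message whether the account is unknown, locked out,
        // or the password was wrong: the form should not reveal which.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Authorizing an action method: the role check uses the RoleProvider
    // registered under <roleManager> in web.config.
    [Authorize(Roles = "Admin")]
    public ActionResult ManageUsers()
    {
        return View();
    }
}
```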
  • 13. Turn browser caching off
    › Guessing a username is half the battle
    › If the form helps fill in the username, an attacker has a major leg up
    › And if we did that for a password, that would be horrible
    › Turn remembering off like this:

        <form id="f1" autocomplete="off">

  • 14. Sometimes ... Often ... Usually our efforts to increase security actually decrease it
  • 15. Password rules are enforced on the backend
    › Set in web.config under membership - providers:

        <add name="AspNetSqlMembershipProvider" type="..."
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordStrengthRegularExpression="" />

  • 16. Summary
    › Good authentication practices go a long way toward establishing security
    › Use a role provider based on Microsoft's
    › Use Microsoft's built-in controls
    › Enforce strong passwords, but don't go crazy