08 authentication
Transcript

  • 1. Authentication in ASP.NET MVC: Best practices for user and group management
  • 2. Topics
    › The membership and role provider model
    › Authorizing action methods
    › Best practices
  • 3. The provider model
    › ASP.NET has a robust and simple way of handling authentication: the membership and role provider model
    › Configured in web.config (ASP.NET Configuration Tool)
    › It is highly extensible! You can customize it with a small amount of programming
    › Much more secure than home-grown ways
    › Uses good design patterns
    › Abstracts away most user functions
  • 4. Coding with the Provider Model
    › All features are simple ...

        MembershipCreateStatus status;
        Membership.CreateUser(
            "dschrute",                        // username
            "recyclops",                       // password
            "dwight@dundermifflin.com",        // email
            "Which color is most dominant?",   // password reminder question
            "black",                           // response
            true,                              // is approved?
            out status);
        if (status != MembershipCreateStatus.Success)
            throw new Exception("Fail!");

    › Other features are similarly easy
    › Best feature, though, is ...
    › No programming necessary!
  • 5. To authenticate a user

        FormsAuthentication.SetAuthCookie("ferb", false);

    Who am I?

        User.Identity.Name;
  • 6. But I have another authentication method in place. I need to use it!
    › No problem. Just create your own class that inherits from MembershipProvider and override the parts you need.
  • 7. Overriding authentication methods

        // ExistingMethod / Existing stand for the application's own legacy user store
        class MyMembershipProvider : MembershipProvider
        {
            public override MembershipUser GetUser(string username,
                                                   bool userIsOnline)
            {
                var a = ExistingMethod.GetUserByUserName(username);
                return new MyMembershipUser(a.Id, a.Email);
            }

            public override bool ValidateUser(string username,
                                              string password)
            {
                return Existing.Valid(username, password);
            }
        }
  • 8. To use your own groups/roles methods, override RoleProvider

        public class AccountRoleProvider : RoleProvider
        {
            public override void AddUsersToRoles(string[] usernames,
                                                 string[] roleNames)
            {
                // Use your existing system to add users to groups
            }
            public override string[] GetRolesForUser(string id)
            {
                return ExistingWay(id);
            }
            public override bool RoleExists(string roleName)
            {
                return ExistingDoesRoleExist(roleName);
            }
        }
  • 9. One last step: we need to register our providers in web.config

        <system.web>
          <membership defaultProvider="AccountMembershipProvider">
            <providers>
              <clear/>
              <add name="AccountMembershipProvider"
                   type="MyProj.AccountMembershipProvider" />
            </providers>
          </membership>

          <roleManager enabled="true"
                       defaultProvider="AccountRoleProvider">
            <providers>
              <clear/>
              <add name="AccountRoleProvider"
                   type="MyProj.AccountRoleProvider" />
            </providers>
          </roleManager>
          ...
        </system.web>
  • 10. Best practices
    › Avoid canned questions
    › When resetting the password, never email it
    › Don't allow the website to "Remember me"
    › Turn autocomplete off so the username and/or password can't be pulled from the browser cache
    › Use strong passwords
  • 11. Allow the user to set his own password reset question.
    › Never force a choice from a small list
    › Too easy to research:
      › High school mascot
      › Mother's maiden name
      › Pet's name
      › Birth city
    › Too easy to guess:
      › Favorite color
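The "never email the password" rule from slide 10 is easier to follow with a concrete flow in hand. The following is an added example, not code from the slides: a reset that mails the user a single-use, short-lived link and changes the password only when that link comes back. It uses the real Membership API (Membership.GetUser, MembershipUser.ResetPassword, MembershipUser.ChangePassword); the in-memory token store and the sendMail delegate are assumptions standing in for the application's own storage and mail code.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Added example (not from the slides): reset a password without ever sending
// the password itself. The user receives a link carrying a random one-time
// token; only a SHA-256 hash of the token is stored, so a leaked store does
// not yield usable links.
public static class PasswordReset
{
    // token hash -> (username, expiry). Constructed in-memory store for the
    // example; a real site would persist this in its database.
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);

    // sendMail(recipient, body) is an assumed hook for the site's mail code.
    public static void BeginReset(string username, string resetUrlBase,
                                  Action<string, string> sendMail)
    {
        MembershipUser user = Membership.GetUser(username, false);
        if (user == null || string.IsNullOrEmpty(user.Email))
            return; // Behave the same for unknown users: no account enumeration.

        // 32 bytes from a CSPRNG, encoded URL-safe for the link.
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

        Tokens[Hash(token)] = Tuple.Create(username, DateTime.UtcNow + TokenLifetime);

        // The mail carries the link and the token, never the password.
        sendMail(user.Email, resetUrlBase + "?token=" + token);
    }

    public static bool CompleteReset(string token, string newPassword)
    {
        Tuple<string, DateTime> entry;
        // Single use: the token is removed the moment it is presented.
        if (!Tokens.TryRemove(Hash(token), out entry) || entry.Item2 < DateTime.UtcNow)
            return false;

        MembershipUser user = Membership.GetUser(entry.Item1, false);
        if (user == null)
            return false;

        // ResetPassword() requires enablePasswordReset="true" on the provider;
        // with requiresQuestionAndAnswer="true" use the ResetPassword(answer)
        // overload instead. The temporary password never leaves the server.
        string temporary = user.ResetPassword();
        return user.ChangePassword(temporary, newPassword);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

The new password still passes through the provider's own policy (slide 15), because ChangePassword validates it the same way CreateUser does; a rejected password simply returns false.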
  • 12. "Remember me" is convenient, but it opens security holes
    › Worst option is to save the username and password in a cookie
    › If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie
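Slides 2, 5 and 12 together describe the login path: validate through the configured provider, issue the forms authentication cookie, and guard action methods with [Authorize]. Here is an added example controller that is not part of the slides; it shows "remember me" done the way slide 12 recommends, as a persistent authentication cookie, with no credential ever written to the client. LoginModel and the "Manager" role name are assumptions made for this example.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example (not from the slides). LoginModel and the "Manager" role are
// assumptions; everything else is the standard MVC / Membership API.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // ValidateUser goes to whichever provider web.config registers, so a
        // custom provider (slides 7-9) is picked up with no change here.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // RememberMe only makes the signed forms auth cookie persistent.
            // The password itself is never stored anywhere on the client.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Redirect only to local URLs so returnUrl cannot send the user off-site.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // One message for unknown user and wrong password: reveal neither.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }

    // Only authenticated users that the configured RoleProvider places in
    // "Manager" reach this action; everyone else is sent to the login page.
    [Authorize(Roles = "Manager")]
    public ActionResult Reports()
    {
        ViewBag.UserName = User.Identity.Name; // "Who am I?" from slide 5
        return View();
    }
}
```

Because [Authorize] consults RoleProvider.GetRolesForUser, the override on slide 8 is all that is needed for the existing group system to drive authorization of action methods.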
  • 13. Turn browser caching off
    › Guessing a username is half the battle
    › If the form helps the user fill in a username, the attacker has a major leg up
    › And if we do that for a password, that would be horrible
    › Turn remembering off like this:

        <form id="f1" autocomplete="off">
  • 14. Sometimes ... often ... usually our efforts to increase security actually decrease it
  • 15. Password rules are enforced on the backend
    › Set in web.config in membership - providers:

        <add name="AspNetSqlMembershipProvider" type="..."
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordStrengthRegularExpression="" />
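The values on slide 15 (minimum length 1, no required non-alphanumerics, empty strength regex) effectively switch the password policy off. As an added example that is not from the slides, here is the same provider registration with the permissive values kept for comparison and a hardened set next to it; all attributes are standard SqlMembershipProvider / forms authentication settings, and the type and connection string names are placeholders.

```xml
<!-- Added example (not from the slides). connectionStringName and type are
     placeholders; every attribute is a standard SqlMembershipProvider setting. -->
<system.web>
  <membership defaultProvider="AspNetSqlMembershipProvider">
    <providers>
      <clear/>

      <!-- Permissive (the values from the slide): effectively no policy -->
      <!--
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="ApplicationServices"
           minRequiredPasswordLength="1"
           minRequiredNonalphanumericCharacters="0"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           passwordStrengthRegularExpression="" />
      -->

      <!-- Hardened: length enforced server side, lockout after 5 bad attempts
           within a 10 minute window, passwords stored only as hashes, and no
           password retrieval at all (slide 10: never email the password).
           Length 12 with no symbol requirement follows the summary's
           "enforce strong passwords, but don't go crazy". -->
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="ApplicationServices"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="true"
           passwordFormat="Hashed"
           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="0"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10"
           passwordStrengthRegularExpression="" />
    </providers>
  </membership>

  <!-- Forms authentication cookie: sent only over HTTPS and not readable by
       script, so a "remember me" cookie (slide 12) cannot be lifted by XSS
       or a plaintext network path. -->
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="30"
           requireSSL="true" slidingExpiration="true" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

If you keep a user-chosen reset question (slide 11), set requiresQuestionAndAnswer="true" and call the ResetPassword(answer) overload; the question text is whatever the user supplied to CreateUser on slide 4, not a canned list.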
  • 16. Summary
    › Good authentication practices go a long way toward establishing security
    › Use a role provider based on Microsoft's
    › Use Microsoft's built-in controls
    › Enforce strong passwords, but don't go crazy