08 authentication

  • 1. Authentication in ASP.NET MVC: best practices for user and group management
  • 2. Topics
        › The membership and role provider model
        › Authorizing action methods
        › Best practices
  • 3. The provider model
        › ASP.NET has a robust and simple way of handling authentication: the membership and role provider model
        › Configured in web.config (ASP.NET Configuration Tool)
        › It is highly extensible! It can be customized with a little programming
        › Much more secure than home-grown ways
        › Uses good design patterns
        › Abstracts away most user functions
  • 4. Coding with the Provider Model
        › All features are simple ...

            MembershipCreateStatus status;
            Membership.CreateUser(
                "dschrute",                       // username
                "recyclops",                      // password
                "",                               // email
                "Which color is most dominant?",  // password reminder question
                "black",                          // answer to the question
                true,                             // is approved?
                out status);                      // why creation failed, if it did
            if (status != MembershipCreateStatus.Success)
                throw new Exception("Fail!");

        › Other features are similarly easy
        › The best feature, though, is ...
        › No programming necessary!
  • 5. To authenticate a user

            // Issues the forms-authentication ticket for "ferb";
            // false = session cookie only, not a persistent one
            FormsAuthentication.SetAuthCookie("ferb", false);

        Who am I?

            string name = User.Identity.Name;
  • 6. But I have another authentication method in place. I need to use it!
        › No problem. Just create your own class that inherits from MembershipProvider and override the parts you need.
  • 7. Overriding authentication methods

            using System.Web.Security;

            class MyMembershipProvider : MembershipProvider
            {
                // Look the user up in the existing system and wrap it as a MembershipUser
                public override MembershipUser GetUser(string username,
                                                       bool userIsOnline)
                {
                    var a = ExistingMethod.GetUserByUserName(username);
                    return new MyMembershipUser(a.Id, a.Email);
                }

                // Delegate the credential check to the existing system
                public override bool ValidateUser(string username,
                                                  string password)
                {
                    return Existing.Valid(username, password);
                }

                // MembershipProvider is abstract: its remaining abstract members
                // must also be overridden (they may throw NotSupportedException)
            }
  • 8. To use your own groups/roles methods, override RoleProvider

            public class AccountRoleProvider : RoleProvider
            {
                public override void AddUsersToRoles(string[] usernames,
                                                     string[] roleNames)
                {
                    // Use your existing system to add users to groups
                }

                public override string[] GetRolesForUser(string id)
                {
                    return ExistingWay(id);
                }

                public override bool RoleExists(string roleName)
                {
                    return ExistingDoesRoleExist(roleName);
                }
            }
  • 9. One last step: we need to register our providers in web.config

            <system.web>
              <membership defaultProvider="AccountMembershipProvider">
                <providers>
                  <clear/>
                  <add name="AccountMembershipProvider"
                       type="MyProj.AccountMembershipProvider" />
                </providers>
              </membership>

              <roleManager enabled="true"
                           defaultProvider="AccountRoleProvider">
                <providers>
                  <clear/>
                  <add name="AccountRoleProvider"
                       type="MyProj.AccountRoleProvider" />
                </providers>
              </roleManager>
              ...
            </system.web>
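The ValidateUser override on slide 7 hands the real work to Existing.Valid, and the slides never show what that existing check looks like. The following is an added example, not code from the slides or from ASP.NET, of a hypothetical ExistingCredentialStore that such an override could delegate to: per-user salted PBKDF2 hashes (Rfc2898DeriveBytes), a comparison that takes the same time whether or not the bytes match, a failed-attempt counter with lockout that mirrors the maxInvalidPasswordAttempts provider setting, and the same amount of work for unknown usernames so response time does not reveal which accounts exist. The class and method names, the iteration count, and the sample user are all assumptions. One caveat on slide 6's "override the parts you need": MembershipProvider is abstract, so every abstract member must be overridden before the class compiles; the ones your application does not use can throw NotSupportedException.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical stand-in for the "existing system" behind Existing.Valid (added example).
public class ExistingCredentialStore
{
    private class Record
    {
        public byte[] Salt;
        public byte[] Hash;
        public int FailedAttempts;
        public bool LockedOut;
    }

    private const int Iterations = 100000;   // PBKDF2 work factor (assumed value)
    private const int HashBytes = 32;
    private readonly int _maxInvalidAttempts; // mirrors maxInvalidPasswordAttempts
    private readonly Dictionary<string, Record> _users =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);
    private readonly byte[] _dummySalt = new byte[16];

    public ExistingCredentialStore(int maxInvalidAttempts)
    {
        _maxInvalidAttempts = maxInvalidAttempts;
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(_dummySalt);
    }

    // Enrol a user: a fresh random salt per user, and only the hash is stored.
    public void AddUser(string username, string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        _users[username] = new Record { Salt = salt, Hash = Derive(password, salt) };
    }

    // The check the slide calls Existing.Valid(username, password).
    public bool Valid(string username, string password)
    {
        Record rec;
        if (!_users.TryGetValue(username, out rec))
        {
            // Unknown user: still pay for a derivation so timing does not
            // distinguish "no such user" from "wrong password".
            Derive(password, _dummySalt);
            return false;
        }
        if (rec.LockedOut) return false;

        bool ok = FixedTimeEquals(Derive(password, rec.Salt), rec.Hash);
        if (ok)
            rec.FailedAttempts = 0;
        else if (++rec.FailedAttempts >= _maxInvalidAttempts)
            rec.LockedOut = true;   // cleared only by an administrative unlock
        return ok;
    }

    public bool IsLockedOut(string username)
    {
        Record rec;
        return _users.TryGetValue(username, out rec) && rec.LockedOut;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first mismatch occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new ExistingCredentialStore(maxInvalidAttempts: 5);
        store.AddUser("ferb", "correct horse battery staple");   // constructed sample user

        Console.WriteLine(store.Valid("ferb", "correct horse battery staple"));
        for (int i = 0; i < 5; i++) store.Valid("ferb", "wrong");
        Console.WriteLine(store.IsLockedOut("ferb"));
        Console.WriteLine(store.Valid("ferb", "correct horse battery staple"));
        Console.WriteLine(store.Valid("nobody", "anything"));
    }
}
```

The Main method walks through one correct login, five wrong guesses that trip the lockout, a correct password that is now refused because the account is locked, and an unknown username; with the store wired in, the provider's ValidateUser body from slide 7 stays exactly as shown and the web.config registration from slide 9 is unchanged.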
  • 10. Best practices
        › Avoid canned questions
        › When resetting the password, never email it
        › Don't allow the website to "Remember me"
        › Turn autocomplete off so the username and/or password can't be pulled from the browser cache
        › Use strong passwords
  • 11. Allow the user to set his own password reset question
        › Never force a choice from a small list
        › Too easy to research:
            › High school mascot
            › Mother's maiden name
            › Pet's name
            › Birth city
        › Too easy to guess:
            › Favorite color
  • 12. "Remember me" is convenient but it opens security holes
        › The worst option is to save the username and password in a cookie
        › If you must implement "remember me", do it like Microsoft's provider does and store it in a persistent authentication cookie
  • 13. Turn browser caching off
        › Guessing a username is half the battle
        › If the form helps the user fill in a username, he has a major leg up
        › And if we do that for a password, that would be horrible
        › Turn remembering off like this:

            <form id="f1" autocomplete="off">
  • 14. Sometimes ... often ... usually, our efforts to increase security actually decrease it
  • 15. Password rules are enforced on the backend
        › Set in web.config under membership - providers:

            <add name="AspNetSqlMembershipProvider" type="..."
                 minRequiredPasswordLength="1"
                 minRequiredNonalphanumericCharacters="0"
                 passwordFormat="Hashed"
                 maxInvalidPasswordAttempts="5"
                 passwordStrengthRegularExpression="" />
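The three password attributes on slide 15 (minimum length, minimum count of non-alphanumeric characters, strength regular expression) are easier to reason about when they are applied by code you can run against sample passwords. The following PasswordPolicy class is an added example, not code from the slides or from ASP.NET: it applies those three rules in the same order, and its Main compares the values exactly as the slide shows them (which accept a one-character password) with a stronger, still usable policy. The class name and the stronger policy's values are assumptions, and counting non-alphanumerics as "any character that is not a letter or digit" is assumed to match what SqlMembershipProvider does.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: the membership password rules as a testable policy object.
public class PasswordPolicy
{
    public int MinRequiredPasswordLength { get; set; }
    public int MinRequiredNonAlphanumericCharacters { get; set; }
    public string PasswordStrengthRegularExpression { get; set; }

    // Returns null when the password is acceptable, otherwise the reason it was rejected.
    public string Check(string password)
    {
        if (password == null) return "password is required";

        if (password.Length < MinRequiredPasswordLength)
            return string.Format("must be at least {0} characters", MinRequiredPasswordLength);

        // Assumed counting rule: every character that is not a letter or digit counts.
        int special = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c)) special++;
        if (special < MinRequiredNonAlphanumericCharacters)
            return string.Format("must contain at least {0} non-alphanumeric character(s)",
                                 MinRequiredNonAlphanumericCharacters);

        // An empty expression (as on the slide) disables this rule.
        if (!string.IsNullOrEmpty(PasswordStrengthRegularExpression) &&
            !Regex.IsMatch(password, PasswordStrengthRegularExpression))
            return "does not match the password strength pattern";

        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The values exactly as shown in the slide's <add ...> element.
        var slideConfig = new PasswordPolicy
        {
            MinRequiredPasswordLength = 1,
            MinRequiredNonAlphanumericCharacters = 0,
            PasswordStrengthRegularExpression = ""
        };

        // A stronger policy (assumed values): ten characters, one non-alphanumeric,
        // and a pattern that requires at least one digit.
        var stronger = new PasswordPolicy
        {
            MinRequiredPasswordLength = 10,
            MinRequiredNonAlphanumericCharacters = 1,
            PasswordStrengthRegularExpression = @"^(?=.*\d).+$"
        };

        // Constructed sample passwords.
        string[] samples = { "a", "recyclops", "recyclops!2011", "correct horse battery staple" };
        foreach (var p in samples)
        {
            Console.WriteLine("{0,-30} slide config: {1,-40} stronger: {2}",
                p, slideConfig.Check(p) ?? "ok", stronger.Check(p) ?? "ok");
        }
    }
}
```

Running Main shows the slide's configuration passing every sample, including the single character, while the stronger policy rejects the short and digit-free ones; the last sample is long and contains spaces but no digit, which is what the regular expression rule catches. The same Check could also back a handler for the Membership.ValidatingPassword event if a rule has to be expressed in code rather than in web.config.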
  • 16. Summary
        › Good authentication practices go a long way toward establishing security
        › Use a role provider based on Microsoft's
        › Use Microsoft's built-in controls
        › Enforce strong passwords, but don't go crazy