08 authentication



1. Authentication in ASP.NET MVC: best practices for user and group management

2. Topics
   • The membership and role provider model
   • Authorizing action methods
   • Best practices
3. The provider model
   • ASP.NET has a robust and simple way to handle authentication: the membership and role provider model
   • Configured in web.config (or through the ASP.NET Configuration Tool)
   • Highly extensible: it can be customized with a small amount of code
   • Much more secure than home-grown schemes
   • Uses good design patterns
   • Abstracts away most user-management functions
4. Coding with the provider model
   • All features are simple:

       MembershipCreateStatus status;
       Membership.CreateUser(
           "dschrute",                        // username
           "recyclops",                       // password
           "dwight@dundermifflin.com",        // email
           "Which color is most dominant?",   // password reset question
           "black",                           // answer
           true,                              // is approved?
           out status);
       if (status != MembershipCreateStatus.Success)
           throw new Exception("CreateUser failed: " + status);

   • Other features are similarly easy
   • The best feature, though, is that no programming is necessary
5. To authenticate a user

       // second argument: create a persistent cookie? false = session cookie only
       FormsAuthentication.SetAuthCookie("ferb", false);

   Who am I?

       string me = User.Identity.Name;
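The two calls above are normally wrapped in a login action. The controller below is an added example, not code from the deck: it shows where Membership.ValidateUser, FormsAuthentication.SetAuthCookie and User.Identity.Name sit in an MVC controller, plus the two checks a login action needs that the slides do not mention (an anti-forgery token and a local-only return URL). The controller, view model and the Home/Index redirect target are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example, not from the slides. Controller, view model and the Home/Index
// redirect target are assumptions; the Membership and FormsAuthentication calls
// are the ones the deck uses.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // the view must render @Html.AntiForgeryToken() inside the form
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        // Membership.ValidateUser hands off to the configured provider, which owns
        // the password check and (for the SQL provider) the invalid-attempt lockout.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // createPersistentCookie: false means a session cookie only, so nothing
            // survives closing the browser. true is the "remember me" case.
            FormsAuthentication.SetAuthCookie(model.UserName, false);

            // Only follow returnUrl back into this site; an absolute URL here would
            // turn the login page into an open redirector for phishing.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // One message for unknown user and wrong password: don't confirm which exists.
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }

    // "Who am I?" User.Identity.Name comes from the decrypted forms auth ticket.
    [Authorize]
    public ActionResult WhoAmI()
    {
        return Content("Signed in as " + User.Identity.Name);
    }
}
```

The [Authorize] attribute on WhoAmI is the "authorizing action methods" item from the topics slide: an unauthenticated request is redirected to the login page, and Url.IsLocalUrl keeps the returnUrl it carries from being abused.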
6. But I have another authentication method in place. I need to use it!
   • No problem. Just create your own class that inherits from MembershipProvider and override the parts you need.
7. Overriding authentication methods

       // ExistingMethod/Existing stand for whatever user system is already in place;
       // MyMembershipUser is a MembershipUser subclass built from that system's record.
       class MyMembershipProvider : MembershipProvider
       {
           public override MembershipUser GetUser(string username,
                                                  bool userIsOnline)
           {
               var a = ExistingMethod.GetUserByUserName(username);
               if (a == null) return null;   // contract: null when the user does not exist
               return new MyMembershipUser(a.Id, a.Email);
           }

           public override bool ValidateUser(string username,
                                             string password)
           {
               return Existing.Valid(username, password);
           }

           // MembershipProvider is abstract: its remaining members must also be
           // overridden (throw NotSupportedException for anything the existing
           // system does not offer) before this class will compile.
       }
8. To use your own groups/roles methods, override RoleProvider

       public class AccountRoleProvider : RoleProvider
       {
           public override void AddUsersToRoles(string[] usernames,
                                                string[] roleNames)
           {
               // Use your existing system to add users to groups
           }

           public override string[] GetRolesForUser(string username)
           {
               return ExistingWay(username);
           }

           public override bool RoleExists(string roleName)
           {
               return ExistingDoesRoleExist(roleName);
           }

           // RoleProvider is abstract: the remaining members (IsUserInRole,
           // GetAllRoles, CreateRole, ...) must also be overridden. With the role
           // manager enabled, [Authorize(Roles = "...")] ends up in RolePrincipal.IsInRole,
           // which reads GetRolesForUser, so that override is the one that matters.
       }
9. One last step: we need to register our providers in web.config

       <system.web>
         <membership defaultProvider="AccountMembershipProvider">
           <providers>
             <clear/>
             <add name="AccountMembershipProvider"
                  type="MyProj.AccountMembershipProvider" />
           </providers>
         </membership>

         <roleManager enabled="true"
                      defaultProvider="AccountRoleProvider">
           <providers>
             <clear/>
             <add name="AccountRoleProvider"
                  type="MyProj.AccountRoleProvider" />
           </providers>
         </roleManager>
         ...
       </system.web>
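The provider on the earlier slide shows only the two interesting overrides. The class below is an added example, not the deck's code, of what a custom MembershipProvider looks like when it is complete: it bridges to an assumed legacy table of salted PBKDF2 password hashes (the LegacyUser type and in-memory LegacyUsers store are constructed for the example), verifies the password in fixed time, applies the lockout that MaxInvalidPasswordAttempts promises, and overrides every abstract member so it compiles. Register it under <membership> exactly as on the slide; the role provider follows the same pattern.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Assumed legacy user record (constructed for this example): a salted PBKDF2
// hash of the password, never the password itself.
public class LegacyUser
{
    public int Id; public string UserName; public string Email;
    public byte[] Salt; public byte[] Hash;            // Hash = PBKDF2(password, Salt)
    public int FailedAttempts; public DateTime? LockedUntil;
}

// Assumed legacy store, held in memory so the example runs without a database.
// Counters are therefore per-process; a real store persists them.
public static class LegacyUsers
{
    public const int Iterations = 100000;              // PBKDF2 work factor
    private static readonly Dictionary<string, LegacyUser> Table =
        new Dictionary<string, LegacyUser>(StringComparer.OrdinalIgnoreCase);

    public static LegacyUser Find(string userName)
    {
        LegacyUser u;
        return userName != null && Table.TryGetValue(userName, out u) ? u : null;
    }

    public static void Add(int id, string userName, string password, string email)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            Table[userName] = new LegacyUser { Id = id, UserName = userName, Email = email,
                                               Salt = salt, Hash = kdf.GetBytes(32) };
    }
}

public class AccountMembershipProvider : MembershipProvider
{
    public override bool ValidateUser(string username, string password)
    {
        var u = LegacyUsers.Find(username);
        if (u == null || string.IsNullOrEmpty(password)) return false;
        if (u.LockedUntil.HasValue && u.LockedUntil.Value > DateTime.UtcNow) return false;

        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, u.Salt, LegacyUsers.Iterations))
            candidate = kdf.GetBytes(u.Hash.Length);

        if (FixedTimeEquals(candidate, u.Hash)) { u.FailedAttempts = 0; return true; }

        // Wrong password: count it, and lock the account once the limit is reached.
        if (++u.FailedAttempts >= MaxInvalidPasswordAttempts)
            u.LockedUntil = DateTime.UtcNow.AddMinutes(PasswordAttemptWindow);
        return false;
    }

    // Touch every byte so the comparison time does not reveal the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        var u = LegacyUsers.Find(username);
        if (u == null) return null;
        bool locked = u.LockedUntil.HasValue && u.LockedUntil.Value > DateTime.UtcNow;
        // MembershipUser's constructor: provider name, user name, provider key, email,
        // question, comment, isApproved, isLockedOut, then five timestamps.
        return new MembershipUser(Name, u.UserName, u.Id, u.Email, null, null, true, locked,
            DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
    }

    public override bool UnlockUser(string userName)
    {
        var u = LegacyUsers.Find(userName);
        if (u == null) return false;
        u.FailedAttempts = 0; u.LockedUntil = null;
        return true;
    }

    // Policy the Membership API reports to callers; the SQL provider reads the
    // same values from its web.config attributes.
    public override string ApplicationName { get; set; }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 15; } }         // minutes
    public override int MinRequiredPasswordLength { get { return 12; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return ""; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override bool EnablePasswordRetrieval { get { return false; } }   // hashed: nothing to retrieve
    public override bool EnablePasswordReset { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return true; } }

    // Read-only bridge: account management stays in the existing system, so the
    // remaining abstract members refuse loudly instead of pretending to succeed.
    public override bool ChangePassword(string u, string oldPw, string newPw) { throw new NotSupportedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string pw, string q, string a) { throw new NotSupportedException(); }
    public override MembershipUser CreateUser(string u, string pw, string e, string q, string a, bool ok, object key, out MembershipCreateStatus s) { throw new NotSupportedException(); }
    public override bool DeleteUser(string u, bool deleteRelated) { throw new NotSupportedException(); }
    public override MembershipUserCollection FindUsersByEmail(string e, int page, int size, out int total) { throw new NotSupportedException(); }
    public override MembershipUserCollection FindUsersByName(string u, int page, int size, out int total) { throw new NotSupportedException(); }
    public override MembershipUserCollection GetAllUsers(int page, int size, out int total) { throw new NotSupportedException(); }
    public override int GetNumberOfUsersOnline() { throw new NotSupportedException(); }
    public override string GetPassword(string u, string answer) { throw new NotSupportedException(); }
    public override MembershipUser GetUser(object key, bool online) { throw new NotSupportedException(); }
    public override string GetUserNameByEmail(string e) { throw new NotSupportedException(); }
    public override string ResetPassword(string u, string answer) { throw new NotSupportedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotSupportedException(); }
}
```

Two design points worth noting: ValidateUser returns the same false for "no such user", "locked out" and "wrong password", so the login page cannot be used to enumerate accounts, and the MembershipUser returned by GetUser reports IsLockedOut so the built-in controls and UnlockUser behave as administrators expect.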
10. Best practices
   • Avoid canned password reset questions
   • When resetting a password, never email it
   • Don't let the website "remember me"
   • Turn autocomplete off so the username and/or password can't be filled from the browser's cache
   • Use strong passwords
11. Allow the user to set his own password reset question
   • Never force a choice from a small list
   • Too easy to research:
     - high school mascot
     - mother's maiden name
     - pet's name
     - birth city
   • Too easy to guess:
     - favorite color
12. "Remember me" is convenient, but it opens security holes
   • The worst option is to save the username and password in a cookie
   • If you must offer "remember me", do it the way Microsoft's provider does: store only a persistent authentication cookie (FormsAuthentication.SetAuthCookie(name, true)), never the credentials themselves
13. Turn browser caching off
   • Guessing a username is half the battle
   • If the form helps the user fill in a username, an attacker has a major leg up
   • And if we do that for a password, that would be horrible
   • Turn remembering off like this:

       <form id="f1" autocomplete="off">

   Caveat: current browsers largely ignore autocomplete="off" on login fields and let their password managers fill them anyway, so treat this as defense in depth rather than a control you can rely on.
14. Sometimes... often... usually, our efforts to increase security actually decrease it
15. Password rules are enforced on the backend
   • Set in web.config under membership/providers:

       <add name="AspNetSqlMembershipProvider" type="..."
            minRequiredPasswordLength="1"
            minRequiredNonalphanumericCharacters="0"
            passwordFormat="Hashed"
            maxInvalidPasswordAttempts="5"
            passwordStrengthRegularExpression="" />
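With the attribute values shown on the slide (length 1, no non-alphanumerics) almost any password is accepted. The web.config below is an added example, not from the deck: it keeps the permissive entry for contrast and registers a hardened entry as the default provider, alongside the forms-authentication and cookie settings that protect the auth cookie the earlier slides create. The connection-string name ApplicationServices is the Visual Studio template default and the ~/Account/Login path is an assumption.

```xml
<!-- Added example, not from the slides. ApplicationServices and ~/Account/Login are assumptions. -->
<system.web>
  <!-- Send the forms auth ticket only over HTTPS and expire idle sessions. -->
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" slidingExpiration="true" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />

  <membership defaultProvider="HardenedSqlMembershipProvider">
    <providers>
      <clear />
      <!-- As on the slide: a one-character, all-letter password is accepted. -->
      <add name="WeakSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="ApplicationServices"
           minRequiredPasswordLength="1"
           minRequiredNonalphanumericCharacters="0"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           passwordStrengthRegularExpression="" />
      <!-- Strong but not crazy: length is the rule, lockout is bounded by a window,
           and hashed passwords can never be retrieved or emailed. -->
      <add name="HardenedSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="ApplicationServices"
           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="0"
           passwordFormat="Hashed"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="15"
           requiresUniqueEmail="true"
           passwordStrengthRegularExpression="" />
    </providers>
  </membership>
</system.web>
```

Because the checks live in the provider, Membership.CreateUser returns MembershipCreateStatus.InvalidPassword for a password that violates these rules no matter what the page's JavaScript allowed, which is exactly why the slide calls this backend enforcement.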
16. Summary
   • Good authentication practices go a long way toward establishing security
   • Use a role provider based on Microsoft's
   • Use Microsoft's built-in controls
   • Enforce strong passwords, but don't go crazy