Secure Code Guidelines
Never trust user input.
Never use string concatenation when building SQL statements.
Never output data entered by a user directly on a web page before validating and encoding it.
Protect your cookies.
Never store sensitive data in the viewstate or in hidden fields on the page.
ASP.NET Security
Authentication
◦ Discovering user identity and ensuring the authenticity of that identity
◦ Forms Authentication
◦ Windows Authentication
◦ Custom Authentication
Authorization
◦ Determining the rights and restrictions assigned to an authenticated user
Impersonation
◦ Executing code on behalf of another user's identity
Role-based authorization
Windows Authentication
Requires that you set up a Windows user account for each user you want to authenticate. This is obviously a problem if you want to serve a large number of users or if you want to register users programmatically. It also doesn't allow you to store additional information about users.
Forms Authentication
A ticket-based (also called token-based) system. Based on:
◦ A login page to validate users by a user name and password.
◦ A mechanism for preserving and re-establishing the security context on each request using security cookies.
The user logs in only once.
Forms Authentication and Secure Cookies
Encrypts its authentication information.
Attaches a hash code.
Validates the cookies at the server to verify that no changes have been made.
No custom security code is needed.
Implementing Forms Authentication and Authorization
1. Configure forms authentication in the web.config file.
2. Create the data store.
3. Configure the Membership provider.
4. Configure the Roles provider.
5. Configure the authorization rules.
1. Configure forms authentication in the web.config file.
2. Creating the Data Store
In the Visual Studio command prompt:
Or just run aspnet_regsql to start the wizard.
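The web.config side of steps 1, 3, 4 and 5 above, as one added example that is not from the original slides or the referenced books; the connection string, the provider names and the Admin folder path are assumptions chosen to match the lab layout, and the database is the one aspnet_regsql creates.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name; points at the database created by aspnet_regsql -->
    <add name="MembershipDb" providerName="System.Data.SqlClient"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Step 1: protection="All" encrypts and hashes the ticket cookie; requireSSL keeps it off plain HTTP;
         UseCookies keeps the ticket out of the URL; 30 min absolute lifetime (no sliding expiration) -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="false" cookieless="UseCookies" />
    </authentication>
    <!-- "Protect your cookies": every cookie is HttpOnly and sent only over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Step 3: passwords stored hashed (so retrieval is impossible); 5 failures in 10 minutes lock the account -->
    <membership defaultProvider="SqlMembershipProvider">
      <providers>
        <clear />
        <add name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" applicationName="/"
             passwordFormat="Hashed" enablePasswordRetrieval="false" enablePasswordReset="true"
             requiresQuestionAndAnswer="false" requiresUniqueEmail="true"
             minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Step 4: roles provider backed by the same database -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" applicationName="/" />
      </providers>
    </roleManager>
    <!-- Step 5: deny anonymous users ("?") site-wide; the loginUrl page is exempt automatically -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Step 5 continued: only the Admin role reaches the Admin folder. Rules are checked top down, first match wins -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A page that must stay open to anonymous visitors, such as register.aspx, needs its own `<location>` element with `<allow users="*" />`, otherwise the site-wide deny rule applies to it.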
Using the Membership Class
The ability to create and delete users programmatically or through the ASP.NET web configuration utility.
The ability to reset passwords and automatically send password reset e-mails.
The ability to automatically generate passwords for users who are created programmatically in the background, and send them by e-mail.
The ability to find users, retrieve lists of users and the details of every user, and perform tasks such as assigning users to roles.
A set of prebuilt controls for creating login pages and registration pages and for displaying login state and different views for authenticated and unauthenticated users.
Using the Membership Class
Membership.GetAllUsers()
Membership.UpdateUser(MembershipUser user)
Membership.CreateUser(string username, string password)
More in pages 926-931 of Pro ASP.NET 4 in C#.
Getting Info on the Current User
Page.User gives the currently logged-in user in the current page.
It can also be accessed through HttpContext.Current.User in code classes.
To Implement Profiles
1. Create the profile tables.
2. In web.config:
   1. Configure the profile provider.
   2. Define some profile properties.
3. Use the profile properties in your web-page code.
Note: authentication must be enabled for a portion of your website.
Profiles in the Page Life Cycle
The first time you access the Profile object, it retrieves the complete profile data for the current user.
If any profile data is changed, the update is written after the Unload events have fired.
If nothing changed, no extra database work is done.
Report #5
How to add custom data types (user-defined classes) to the Profile?
Lab #5
Add the following pages:
◦ Login.aspx
◦ RecoverPassword.aspx (accessed by logged-in users only)
◦ ChangePassword.aspx
◦ Admin/manage.aspx: a grid with all users
Create the following roles:
◦ Admin (has access to the Admin folder)
◦ Customer (has access to the Customer folder)
Create 3 master pages (one for each folder and one on the root).
Add LoginName and LoginStatus controls to all master pages.
Lab #5
In Home.aspx
◦ Add a LoginView that presents hyperlinks to all available pages according to the user's group.
In register.aspx
◦ Add password, confirm password and email controls; don't forget to validate them.
◦ When adding a new customer, create a user for each customer and add it to the Customer role.
◦ Add preferences and download type to the profile.
In books.aspx
Reading Assignment #5
Cryptography: read pages 1029-1059 of Pro ASP.NET 4.
References
Beginning ASP.NET 4 in C# 2010, Matthew MacDonald, Apress
Web Application Architecture: Principles, Protocols and Practices, Leon Shklar and Richard Rosen, Wiley
Professional ASP.NET 4 in C# and VB, Bill Evjen, Scott Hanselman and Devin Rader, Wiley
Pro ASP.NET in C# 2010, Fourth Edition, Matthew MacDonald, Adam Freeman and Mario Szpuszta, Apress