1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ASP.NET Application Security

Discussion in 'ASP.NET' started by MinalS, Sep 29, 2015.

  1. ASP.NET along with the .NET framework and IIS helps user with the application security. For implementing security, the web site must follow the following functions.
    1. Authentication: The identity and authenticity of the user is defined. The credentials are obtained by the application and are validated against the authority. The authentication can be forms, windows, passport or custom.
    2. Authorization: The permissions are assigned according to the user roles.
    3. Integrity: The integrity of the data is maintained.
    4. Confidentiality: The channel between the client and the server is encrypted.
    Forms based authentication

    In forms based authentication, the users are authenticated using the code. The authentication token or a cookie or URL of the page is used for maintaining it. The FormsAuthentication class is used for authenticating the forms.

    User needs to create a login page and collect the credentials from the user and add the code to authenticate the credentials. The web.config file is used to add the login page and the corresponding code.

    In the configuration file, add the following code.

        <authentication mode = "Forms">
            <forms loginUrl = "login.aspx" />
            <deny users = "?" />
    In the login.aspx page, add the following code snippet for the user authentication.

    protected bool authenticate ( String username, String password)
        if ( username = = "Sam")
            if ( password == "Sam987")
            return true;
    if ( username == "Peter")
        if ( password == "Peter123")
            return true;
    return false;
    public void onlogin ( Object src, EventArgs e)
        if ( authenticate ( textbox1.Text, textbox2.Text )
            FormsAuthentication.RedirectFromLoginPage ( textbox1.Text, checkbox1.Checked);
            Response.Write("Not valid credentials");
    There are various attributes used for the Forms based authentication in ASP.NET. Some of them are as listed below:
    1. defaultUrl: The default URL for redirecting the request to the successful web page is defined.
    2. cookieless: The forms authentication cookie is saved in either a cookie, URL or a cookie- less representation
    3. domain: The Domain property on the HttpCookie consisting of the ticket data is defined
    4. path: The path for the issued cookie is described
    5. protection: The cookie data is protected by different methods. The values that cane be added as parameter are:
      • All: The data validation and encryption is used
      • Encryption: The cookie is encrypted using DES, AES, and TripleDES.
      • Validation: The cookie data is validated but not encrypted
      • None: The validation and encryption of the data is disabled
    6. requireSSL: The forms authentication is used to set the secure bit in the form of authentication cookie.
    7. timeout: The time in minutes after which the expiration of the cookie expires.
    8. slidingExpiration: The authentication updates the time to be alive if the value is set to true.
    9. loginUrl: The URL to which the request is redirected by the unauthenticated users is defined.
    IIS Authentication

    In distributed applications, user needs to find the clients and control the retrieval of the resource. In ASP.NET, Internet Information Services ( IIS ) provides schema for authentication.

    The authentication schemes provided by IIS are as mentioned below:
    1. Basic
    2. Digest
    3. Anonymous
    4. Integrated windows authentication
    5. Client Services Configuration

    1. Basic

    The basic authentication is implemented using the IIS. In this authentication, the browser provides the user with the login credentials. The HTTP is used for transferring when it is encoded using Base64 encoding.

    The Base64 data is encoded by using a plain text. The authentication scheme is used with the combination with the SSL for encrypting the HTTP session.

    Advantages of basic authentication
    1. User can authenticate using the proxy server
    2. The individual users can be easily tracked
    3. It is widely used for data authentication
    4. The logon rights for the web server using the user accounts
    Disadvantages of basic authentication

    Windows accounts is created for an individual user

    In the web.config file, add the following code for authentication.

        <authentication mode = "Windows" />

    2. Digest

    In digest authentication, the hash code is sent over the network. It is a fixed size value by adding a mathematical function for accessing the data. The size of data depends on the level of encryption.

    The IIS provides a challenge to the client for creating a digest and sent to the server. The password is concatenated with the data known by the client and the server. The digest algorithm is provided to the combined data. The client forwards the data as the response to the web server.

    Advantages of digest authentication
    1. The digest is sent instead of the password
    2. The SSL layer protection is not required
    3. Used with proxy and firewalls
    Disadvantages of digest authentication
    1. The security credentials cannot be delegated
    2. The domain accounts are every user in the Active Directory
    3. The passwords are saved as clear text using encryption

    3. Anonymous

    The authentication provides user access the public section of the web sites. The login credentials are not required. The stored credentials to Windows using the specific user account. The IIS is useful for controlling the account. The password is validated using DLL and provides validation information to Windows.

    Benefits of anonymous authentication
    1. Individual user accounts are not managed
    2. The network resources can be easily accessed if the password is not controlled by IIS
    Disadvantages of anonymous authentication
    1. The client is not individually authenticated
    2. There is local logon ability if the IIS does not control the password

    4. Integrated windows authentication

    The Integrated Windows authentication is also known as Windows NT Challenge. It uses Keberos V5 authentication. The authentication is very useful in intranet. The users in intranet have windows domain accounts.

    1. The security credentials are enabled using the authentication
    2. Useful when there is intranet system
    1. The firewall or proxy is not authenticated
    2. Provides support to the Internet Explorer versions
    3. Support is not provided to the different servers

    5. Client Services Configuration

    The data about entity and its public key is provided by the user. The Certificate Authority provides a certificate once it is verified by the CA. The user account notation is provided by the operating system. A single or multiple certificate can be associated by certificate mapping. The IIS authenticates a server and provides encrypted HTTP session. The list of CA server are provided by the server to the client.

    Uses of client services configuration
    1. The authentication scheme contains a strong name
    2. Two way authentication is provided by the client and the server
    3. Network resources are accessed
    Drawbacks of the client services configuration
    1. It is not applicable for all the web browsers
    2. The SSL or TLS in needed by the services
    3. The security credentials are not delegated

Share This Page