Wednesday, March 16, 2005 3:36 PM
Authentication and Authorization in ASP.NET - References
I see these questions come up time and again in the various ASP.NET forums, and I feel like I keep posting these same references as starters.
Forms Authentication Using SQL - Part 1 (ASPAlliance.com)
Have you ever wondered how sites authenticate users using forms? This article will explain how, using ASP.Net and SQL 2000.
CodeSnip:Forms Authentication Against a Database (ASPAlliance.com)
I've seen a number of posts to the peer support lists and personally received a few requests for a code sample that performs Forms Authentication against a database.
Effective Forms Authentication, Part 1 (OnDotNet.com)
ASP.NET offers several possibilities for authenticating users, but when you come right down to it, there's only one reasonable alternative for most applications: forms authentication. This is because Windows authentication requires every user to have an account in your Windows domain (which isn't reasonable, except for intranet applications), and Passport authentication requires you to pay quite a bit of money to Microsoft. Fortunately, forms authentication is both free and relatively easy to use. In this article (the first of two), I'll walk you through the basics, showing how you can use forms authentication in your own ASP.NET applications.
Effective Forms Authentication, Part 2 (OnDotNet.com)
In this article I'll tidy up the authentication code by making it possible to reuse both chunks of code, using a web custom-control for the initial login, and a HttpModule to build the identity and principal objects. If you haven't run into these parts of ASP.NET yet, you'll end up with two additional techniques to add to your repertoire, which is always a good thing.
Securing Passwords in Your Database (SitePoint)
When ASP.NET developers think of Web security and authentication, three options typically come to mind: Windows authentication, forms authentication, and passport authentication.
In many scenarios, however, development is focused around forms authentication. Why? Because you wouldn't want to manually create usernames and passwords for the thousands of potential users that would access your site. Assuming you're building a large-scale forum application that is accessible by many users over the Internet, forms authentication would be your best bet because it allows you to store usernames and passwords within your data store (usually a database table) of choice, then validate your users based on a Web accessible login page...
Secure Your Mobile Apps
Use forms authentication to secure ASP.NET mobile applications (Visual Studio Magazine)
Although the focus is on mobile controls, this article provides a good overview of Forms Authentication.
ASP.NET makes securing applications much simpler than it was in Active Server Pages (ASP). It offers the plumbing for Web security, one portion of which is called forms authentication. Forms authentication is a cookie-based authentication process handled by ASP.NET, which allows you to replace the standard login screen and authentication business logic with your own customized version. ASP.NET handles the process of authenticating users automatically for each page request by enabling forms authentication on a Web or virtual directory. You no longer need to spend time putting additional script code or include files in your Web pages to check for this authentication manually.
Authentication in ASP.NET: .NET Security Guidance (Microsoft Patterns & Practices)
This article discusses the importance of security considerations when designing a server application. Both Microsoft Internet Information Services (IIS) and ASP.NET provide security models that will allow you to authenticate your users appropriately and obtain the correct security context within your application. (29 printed pages)
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (Microsoft Patterns & Practices)
(download this as PDF, or buy from Amazon using the link below)
This guide from the Microsoft Patterns & Practices group discusses not only Forms Authentication, but Windows and Passport Authentication, and Roles Based Authorization in all scenarios. There are copious examples, and a number of "How To" examples, including integrating Forms Authentication with Active Directory. This is an essential guide.
This guide presents a practical, scenario driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. (This roadmap: 6 printed pages; the entire guide: 608 printed pages)
Improving Web Application Security: Threats and Countermeasures (Microsoft Patterns & Practices)
(download as PDF or buy from the link below)
This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
Authorization and Profile Application Block (Microsoft Patterns & Practices)
(this is a code library you can use to make your life a little easier)
This page provides an overview of the Authorization and Profile Application Block. This block is a reusable code component that builds on the capabilities of the Microsoft .NET Framework to help you perform authorization and access profile information.
Protect PDF, DOC and other file types with Forms Authentication
Forms Authentication does not protect all files on your website!
Mixing Forms and Windows Security in ASP.NET (MSDN)
ASP.NET developers have been asking for a way to combine Forms and Windows security. Paul Wilson provides a solution that does just that; it captures the Windows username, if possible, and otherwise redirects users to a logon screen. (8 printed pages)
DPAPI Helper Library
Now that you've read the "Building Secure ASP.NET Applications" P&P guide, and you're sold on DPAPI but think there's no way you can implement that "simple" library Microsoft provided you, Vertigo Software comes to your rescue.
Code to strongly encrypt and decrypt strings without having to manage keys. This is essentially a slightly modified version of the DataProtection class written by Vertigo Software for DevDays 2004. If you missed DevDays 2004 I feel sorry for you. ;-) This code also includes a copy of Matt Griffith's .NET Utilities which include a high-resolution performance timer used to time the encryption and decryption. Using the included test harness, I decrypted a 1.8 MB string in 365ms on a 2.6GHz P4 w/1GB RAM. This is great for encrypting datasets or connection strings. Vertigo's VB.NET code wraps the DPAPI from the Crypto API that didn't make it into the .NET Framework.
ASP.NET Unleashed (link to amazon.com)
Simple explanations with good examples of different authentication methods.
Building Secure Microsoft ASP.NET Applications
You can download this for free as a PDF, but if you want a nicely printed version you can purchase one from Amazon. Over 600 pages!
Improving Web Application Security: Threats and Countermeasures
This is also available as a free download from Microsoft, or you can buy the printed version from Amazon. The printed version is 863 pages long!