MY IT World

ASP.NET - Security

Implementing security in a site has the following aspects:

  • Authentication – the process of verifying a user's identity, i.e. that the user is who they claim to be. ASP.NET supports four types of authentication:

    1. Windows Authentication

    2. Forms Authentication

    3. Passport Authentication

    4. Custom Authentication

  • Authorization – the process of deciding what an authenticated user is allowed to do, typically by assigning specific roles to specific users and granting access by role.

  • Confidentiality – encrypting the channel between the client's browser and the web server so that data in transit cannot be read by third parties.

  • Integrity – ensuring that data is not altered in transit or in storage, for example by applying digital signatures so that tampering can be detected.

Forms-Based Authentication:

Traditionally, forms-based authentication involves editing the Web.config file and adding a login page containing the appropriate authentication code.

The following configuration is added to Web.config:

<configuration>
...
<system.web>
   <!-- Requests from users who are not yet authenticated are redirected to login.aspx. -->
   <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
   </authentication>
   <!-- "?" stands for anonymous users: deny them everything (the login page itself stays reachable). -->
   <authorization>
      <deny users="?" />
   </authorization>
</system.web>
...
</configuration>
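The snippet above is the minimum needed to switch forms authentication on. The following Web.config is an added example (not from the original article) showing the settings a practitioner would normally add on top of it: a ticket that is encrypted and signed, a cookie that is only issued over HTTPS and is not readable by script, a short absolute timeout, and role-based authorization for one folder. The folder name "Admin", the role name "Admin" and the page "default.aspx" are assumptions for the example.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": the authentication ticket is both encrypted and signed.
           requireSSL="true": the ticket cookie is only ever issued/sent over HTTPS.
           timeout in minutes; slidingExpiration="false" makes it an absolute limit. -->
      <forms loginUrl="login.aspx"
             defaultUrl="default.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>

    <!-- Site-wide default: anonymous users ("?") get nothing. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- All cookies: not accessible from JavaScript, only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Assumed "Admin" folder: only members of the assumed "Admin" role may enter.
       Rules are evaluated top-down, so the explicit deny for everyone ("*")
       is the fall-through. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are matched in order, so the `<allow roles="Admin" />` must come before the catch-all `<deny users="*" />`; reversing them locks everyone out of the folder. With `requireSSL="true"` on `<forms>`, a login over plain HTTP fails rather than silently issuing a cookie that could be captured on the wire.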

The login.aspx page referred to in the above snippet could have a code-behind file like the following, with the user names and passwords hard-coded into it (suitable for a demonstration only; a real site keeps salted password hashes in a database):

using System;
using System.Web.Security;

// Checks the submitted credentials against a hard-coded list of users.
protected bool authenticate(string uname, string pass)
{
   if (uname == "Tom")
   {
      if (pass == "tom123")
         return true;
   }
   if (uname == "Dick")
   {
      if (pass == "dick123")
         return true;
   }
   if (uname == "Harry")
   {
      if (pass == "har123")
         return true;
   }
   return false;
}

// Click handler of the login button; txtuser, txtpwd and chkrem are the
// user-name text box, password text box and "remember me" check box on login.aspx.
public void OnLogin(object src, EventArgs e)
{
   if (authenticate(txtuser.Text, txtpwd.Text))
   {
      // Issues the forms-authentication cookie (persistent when "remember me"
      // is checked) and sends the user back to the page originally requested.
      FormsAuthentication.RedirectFromLoginPage(txtuser.Text, chkrem.Checked);
   }
   else
   {
      // Same message for an unknown user and a wrong password.
      Response.Write("Invalid user name or password");
   }
}

Observe that the FormsAuthentication class (in System.Web.Security) does the forms-authentication work: it issues the authentication ticket and redirects the user, while the credential check itself is done by the authenticate() method.
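The code-behind above compares clear-text passwords that are hard-coded in the page. The following is an added example (not code from the original article) of the same login page rewritten so that the credential store holds only a salt and a PBKDF2 hash per user, the comparison runs in fixed time, and unknown user names cost the same as wrong passwords. The in-memory dictionary is a constructed stand-in for the user database, and the control names (txtuser, txtpwd, chkrem, lblMessage) are assumed to exist in login.aspx.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Controls assumed to be declared with runat="server" in login.aspx.
    protected TextBox txtuser;
    protected TextBox txtpwd;
    protected CheckBox chkrem;
    protected Label lblMessage;

    private const int Iterations = 100000;   // PBKDF2 work factor
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // Constructed sample store: user name -> (salt, PBKDF2 hash).
    // Stands in for a database table; the password itself is never stored.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    static LoginPage()
    {
        // Seeded at start-up so the example runs stand-alone (constructed data).
        Register("Tom", "tom123");
    }

    // What the sign-up page would do: random salt, then hash the password with it.
    public static void Register(string user, string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        Users[user] = Tuple.Create(salt, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Fixed-time comparison: the loop always runs over the whole array, so the
    // time taken does not reveal at which byte the hashes start to differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    protected bool Authenticate(string uname, string pass)
    {
        Tuple<byte[], byte[]> record;
        if (!Users.TryGetValue(uname, out record))
        {
            // Unknown user: still run the KDF so the response time does not
            // tell the caller which user names exist.
            Derive(pass, new byte[SaltBytes]);
            return false;
        }
        return FixedTimeEquals(Derive(pass, record.Item1), record.Item2);
    }

    protected void OnLogin(object src, EventArgs e)
    {
        if (Authenticate(txtuser.Text, txtpwd.Text))
        {
            // Same call as in the article: issue the ticket and redirect.
            FormsAuthentication.RedirectFromLoginPage(txtuser.Text, chkrem.Checked);
        }
        else
        {
            // One generic message for both failure cases.
            lblMessage.Text = "Invalid user name or password";
        }
    }
}
```

The salt and iteration count are stored alongside the hash (here, implicitly, as constants and the dictionary value), so the work factor can be raised later by re-hashing users at their next successful login. Writing the failure message into a Label rather than with Response.Write keeps the page's rendering intact and avoids emitting text outside the form.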

However, Visual Studio lets you implement user creation, authentication and authorization without writing any code, through the Web Site Administration tool. This tool allows creating users and roles.

Apart from this, ASP.NET ships with a set of ready-made login controls that perform all of these jobs for you.

Implementing Forms-Based Security:

To set up forms based authentication, the following things are needed:

  • A database of users to support the authentication process

  • A website that uses the database

  • User accounts

  • Roles

  • Restrictions on the activities of users and groups

You also need:

  • A default page, which displays the login status of the user and other information

  • A login page, which lets users log in, retrieve a forgotten password or change their password

IIS Authentication: SSL

Secure Sockets Layer (SSL) is the protocol used to establish a secure connection. With SSL enabled, the browser encrypts all data sent to the server and decrypts all data coming from the server; at the same time, the server encrypts and decrypts all data to and from the browser.

The URL for a secure connection starts with HTTPS instead of HTTP. A small lock is displayed by a browser using a secure connection. When a browser makes an initial attempt to communicate with a server over a secure connection using SSL, the server authenticates itself by sending its digital certificate.

To use SSL, you have to buy a digital certificate from a trusted Certification Authority (CA) and install it on the web server. The following are some well-known certification authorities:

  • www.verisign.com

  • www.geotrust.com

  • www.thawte.com

SSL is built into all major browsers and servers. To enable SSL you need to install the digital certificate. The strength of the resulting connection depends on the length of the key used for encryption: the longer the key, the harder the encrypted traffic is to break, and hence the more secure the connection.

  Strength    Description
  40-bit      Supported by most browsers but easy to break
  56-bit      Stronger than 40-bit
  128-bit     Extremely difficult to break, but not all browsers support it
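Installing the certificate makes HTTPS available, but the site will still answer plain HTTP unless something refuses it. The following Global.asax code-behind is an added example (not from the original article) that redirects every HTTP request to its HTTPS equivalent before any credential or forms-authentication cookie is processed, and tells browsers to stay on HTTPS via a Strict-Transport-Security header. It assumes the site is reachable on the standard HTTPS port 443.

```csharp
using System;
using System.Web;

public class Global : HttpApplication
{
    // Runs first for every request, before authentication and page handlers.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
        {
            // Already on HTTPS: ask the browser to use HTTPS for this host
            // for the next year (31536000 seconds), even for typed URLs.
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        // Plain HTTP: rebuild the same URL with the https scheme and redirect
        // permanently, so no form post or cookie travels in clear text.
        var secure = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443   // assumed HTTPS port; default, so it is omitted from the URL
        };
        Response.RedirectPermanent(secure.Uri.AbsoluteUri);
    }
}
```

One caveat: Request.IsSecureConnection reflects the connection to IIS itself. If TLS is terminated on a load balancer or reverse proxy in front of the server, every request arrives as HTTP and this handler would redirect in a loop; in that deployment the check has to be based on the header the proxy sets to indicate the original scheme instead.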