Securing ASP.NET Applications with C#
ASP.NET Security Overview: Security is one of the most important components of any application. It is even more important when you are building a web application that is exposed to millions of users. ASP.NET provides classes and methods that help secure the application against outside attacks. In this article we will investigate the different types of authentication provided by ASP.NET.

Windows Authentication

Windows Authentication mode lets the developer authenticate a user based on Windows user accounts. This is the default authentication mode provided by ASP.NET. You can easily get the identity of the user by using User.Identity.Name. This will return the computer name along with the user name. Windows authentication also provides the IsInRole method to find the role of the user, and then you can give permissions to the user depending on the role.

Forms Authentication

First you need to set up forms authentication in the web.config file. If you look in the web.config file, there will be a tag like this:

<authentication mode="Windows" />

For forms authentication, change the mode to Forms.

 

Storing username and password in the Web.config file:

If only a few users need to use the application, you can store their usernames and passwords in the web.config file.


<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <!-- passwordFormat="Clear": the passwords below are stored as plain text -->
    <credentials passwordFormat="Clear">
      <user name="Joe" password="Smith" />
    </credentials>
  </forms>
</authentication>


You will see some new tags and attributes above; let's explain all of them:

The forms tag has a loginUrl attribute, which is the URL of the page users are redirected to if they try to access a protected page. In this case we have given the URL as Login.aspx, which means that if a user tries to access a page without being signed in, he will be redirected to the Login.aspx page.

Next comes the credentials tag, whose user elements have the attributes name and password. These are simply the user name and password for a particular user. All users whose names and passwords are present in the credentials tag of the web.config file will be authorized to use the pages.

You can have multiple user names and passwords stored in a single web.config file. As you can see in the code below, I have stored two usernames and their passwords:


<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <credentials passwordFormat="Clear">
      <user name="Joe" password="Smith" />
      <user name="azam" password="hello" />
    </credentials>
  </forms>
</authentication>

Now that the usernames and passwords are stored in the web.config file, you will want to authenticate users against those credentials. First, let's set up one more thing: the authorization tags in the web.config file.

<authorization>
  <deny users="?" />
</authorization>


The deny users="?" rule denies anonymous users, meaning that anyone who has not signed in with a user name present in the web.config file must not be able to access the pages.
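The configuration above with the password stored as a SHA-1 digest instead of plain text, and with the forms cookie restricted to HTTPS. This is an added example, not part of the original tutorial: the digest is the SHA-1 of the tutorial's sample password "hello" (the value FormsAuthentication.HashPasswordForStoringInConfigFile("hello", "SHA1") returns), and the timeout and cookie settings are illustrative assumptions.

```xml
<configuration>
  <system.web>
    <!--
      Cleartext form, as in the tutorial: anyone who can read web.config
      (backups, source control, a file disclosure bug) learns the password.

      <credentials passwordFormat="Clear">
        <user name="azam" password="hello" />
      </credentials>
    -->
    <authentication mode="Forms">
      <!-- protection="All": the ticket cookie is encrypted and integrity checked.
           requireSSL="true": the cookie is only sent over HTTPS.
           timeout and slidingExpiration: constructed values, tune per application. -->
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false">
        <!-- passwordFormat="SHA1": the password attribute holds the hex SHA-1
             digest of the password, not the password itself.
             The value below is SHA-1("hello"), the tutorial's sample password. -->
        <credentials passwordFormat="SHA1">
          <user name="azam" password="AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" matches anonymous (not signed in) requests -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The digest is unsalted, so it keeps the password out of plain view in the file but does not make a weak password hard to guess.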

Let's make a simple login screen that lets the user enter his credentials:

Suppose you are too lazy to rename your page from WebForm1 to Login.aspx. If you run the page now, you will see an error saying that there is no Login.aspx page. You may be surprised that ASP.NET is looking for a Login.aspx page. The reason is that you told ASP.NET that the login page would be named Login.aspx, remember:



 
© 2008 Exforsys.com