ASP.NET security

ASP.NET security is easy to understand once one has completed the basics in ASP.NET. All the security features can be handled in the Web.Config file. There are three types of authentication:-1) Forms : For enabling forms based authentication, you need to first go to the IIS virtual directory folder of your web applicatio0n and check the Anonymous Access. Once this is done set the authentication mode to Forms in the following manner in the web.config <authentication mode="forms">(Note:One crucial thing that needs to be mentioned here is that the web.config file data is case
sensitive.)Then the child node needs to added to this in the following manner-<forms loginUrl="" path="" timeout="" protection="">
The loginUrl tells the Web application the location where the user needs to be redirected to in case he/she is not authenticated. Lets consider an example in this case. We have a user x trying to access a page lookup.aspx in your application and if x has not authenticated himself (i.e. entering his user credentials on the login.aspx page to ensure that he is a valid user), he will be redirected to the login.aspx page. Forms authentication uses the concept of cookies to ensure that a user has been authenticated. The path specifies the location where the cookie needs to be stored. The default value is set to "/". The timeout attribute specifies the time for the cookie to expire. The protection attribute is used to set the method from which to protect your cookie data. The following valid values can be supplied:










  • All: Specifies to use both data validation and encryption to protect the
    cookie. Triple DES (encryption scheme) is used for encryption. The All value is the default (and suggested)
    value.

  • None: Used for sites that are only using cookies for personalization and
    have weaker requirements for security. Both encryption and validation can be disabled. This is the most efficient performance wise, but must be used with caution.

  • Encryption: Specifies that the cookie is encrypted
    using Triple DES or DES, but data validation is not done on the cookie.

  • Validation: Specifies to avoid encrypting the contents of the cookie,
    but validate that the cookie data has not been altered in transit.

    • 2) Windows : In case of windows authentication we need to specify the security as integrated
    windows authentication in the IIS. Once this is completed the authentication mode should be set to windows in the following manner-<authentication mode="Windows"></authentication>
    Authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access. ASP.NET checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP .NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication. (By default, the ASP.NET engine operates under the ASPNET user account). Impersonation means that you can have the ASP.NET engine operates under the authenticated user's user account.

    3) Passport: This can be defined as one of Microsofts ploy to generate more revenue. Like people require passports to travel in and out of different countries, similarly we have the Microsoft passport to travel in and out of different websites. The website must have a passport authentication. In this way Microsoft will authenticate the user and then allow the user to access the webpages in the web site.This passport only allows authentication and not authorization.

    Comments

    Post a Comment

    Popular posts from this blog

    Load Data into Azure DW using C# in an SSIS script task

    Image
    Now there are a lot of reasons why SSIS needs to be leveraged for loading data into the Azure DW platform. Even though Polybase and Azure Data factory are the core criteria's, here are the templates for the SSIS script task that were leveraged to load data (full and incremental into Azure DW) for a specific customer rather than using the data flow task: SSIS Full Load script : SSIS Incremental Load script : There are a few reasons for this approach and one of them being that the existing package was using a similar structure and one not to be deviated from. The other being that some key logging aspects needed to be handled in a Legacy platform that could not be decommissioned at that time.
    Read more

    Branding your SharePoint site in a super fast way - Emgage

    Branding a SharePoint farm on premise or in O365 is an extremely time absorbing task. Recently found a few tools called emgage prime and emgage turbo which basically gives you customized UX branding solutions to make you get to what you want super fast and super easy....Just used it on a SP2016 farm a few days ago and the results were tremendous. A definite recommendation on the SP side of things.
    Read more

    Power BI To Embed Or Not To Embed

    It is very critical for organizations to work & play with data. Power BI - the reporting solution from Microsoft is literally scorching the market with its rapid pace in usage. On a quick note while interacting with your Power BI report like the following--> This report is accessible by the public. In order to create a more personalized/advanced security reporting structure with Power BI, the Power BI embedded would be the way to go. Create a workspace collection in Azure and then generate the required API keys (two by default - primary and secondary). These API keys will be leveraged by your web application. Once this is done create the pbix solution file in your desktop tool and publish or import the pbix solution to the Azure workspace using powershell/C#/ruby/java etc... Now to interact with the pbix file in your application, you need to leverage the Power BI Embed API's. However there is another approach using Power BI API's instead of the embed API's. The em
    Read more