Authenticating Users in an ASP.NET Application

Web Site Administration Tool
• From VS 2008, click Website / ASP.NET
Configuration to open the Web Site
Administration Tool.
– Select Authentication type:
• Windows authentication
• Forms authentication
– Manage users
– Manage roles
– Manage access rules
Authentication via Windows
Authentication
• Select this option if users will access your
web site only from a private local network
(an intranet). The site uses built-in Microsoft
Windows authentication to identify users:
anyone with a valid Windows user name and
password will be able to access your site.
Forms Authentication
• Select this option if users will access your web
site from the public internet.
• Forms authentication identifies the user by
prompting them to enter their credentials
through a web form.
• When a user attempts to access a resource that
requires authentication, they are automatically
redirected to the login page, where they enter
their credentials. The submitted credentials are
then validated against a custom user store, usually a database.
Access Rules
• Allow or deny access to a particular directory by
user name or role.
• Use Web Site Administration Tool to create and
manage access rules and it will create an
authorization section with Allow or Deny
elements in the web.config file for that directory.
• The permissions established for a directory also
apply to its subdirectories, unless configuration
files in a subdirectory override them.
• Users:
– All: authenticated and anonymous users (written as users="*" in web.config).
– Anonymous: unauthenticated users (written as users="?").
User Accounts and Roles
• By managing user accounts and roles we can
define authorization rules that control access to a
particular ASP.NET page or directory for a
particular user or role.
How to Create Users and Roles
• The SQL Server Express service must be running.
– By default, ASP.Net saves users and roles data in a
SQL Server Express file that is stored in App_Data
folder.
• file: App_Data\ASPNETDB.MDF
• From VS 2008, click Website / ASP.NET
Configuration to open the Web Site
Administration Tool.
– Click Security
• Create User
• Create Role
• Create Access Rules
Forms Authentication Ticket
• After verifying the submitted credentials, a forms
authentication ticket is created for the user. This
ticket indicates that the user has been
authenticated and includes identifying
information, such as the username. The forms
authentication ticket is (typically) stored as a
cookie on the client computer. Therefore,
subsequent visits to the website include the
forms authentication ticket in the HTTP request,
thereby enabling the web application to identify
the user once they have logged in.
• The ticket is encrypted and signed with the
application's machineKey, so the client cannot read
or alter it, but anyone who captures the cookie can
replay it. Serve the site over HTTPS and set
requireSSL="true" on the <forms> element so the
cookie is never sent in the clear.
FormsAuthentication Class
• System.Web.Security.FormsAuthentication
– Manages forms-authentication services for Web
applications.
• Methods:
– RedirectFromLoginPage(string userName, bool
createPersistentCookie)
• Redirects an authenticated user back to the originally
requested URL (or the default URL) and writes the forms
authentication cookie, named .ASPXAUTH by default, containing
the authentication ticket. With createPersistentCookie = False
the cookie is a session cookie that is discarded when the
browser closes.
– RedirectToLoginPage()
• Redirects the browser to the login URL.
Membership Class
• System.Web.Security.Membership
• ASP.NET membership class gives you a
built-in way to validate and store user
credentials.
– Including users created by Website
Administration Tool and CreateUserWizard.
• Method:
– ValidateUser(string username, string
password): returns True if the user name and
password are valid in the membership store.
Example
• A website with a public area, such as the home
page, a restricted area for members only, and an
area for website’s administrator only.
– The restricted area will be a subfolder of the
website’s root directory.
• Users:
– Administrator
– Members: Members data are stored in a regular
database.
• Example: Sales database’s Users table with UserID,
Password and Email fields.
– Anonymous users
• Step 1: Create user and role
• Step 2: Create access rules (rules are evaluated in
the order listed; the first rule that matches the user
decides, so a rule that applies to everyone must come last):
– Public area (root directory): Allow All
– Members only area:
• Rule 1: Deny Anonymous
• Rule 2: Allow All
– Administrator only area:
• Rule 1: Allow role Administrator
• Rule 2: Deny All
• Step 3: Create Login.Aspx page
– Password textbox:
• TextMode property: password
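Because the Web Site Administration Tool writes the rules into an <authorization> section that ASP.NET evaluates top to bottom with first match wins, getting the order wrong silently opens or closes a folder. The following Python evaluator is an added example (not code from the original slides) that implements those UrlAuthorizationModule semantics and checks both orderings for the members-only and administrator-only folders. The <authorization> fragments are constructed here to match the rules in Step 2; the role name Administrator is the one used by the example.

```python
import xml.etree.ElementTree as ET

# Constructed <authorization> sections (the element the Web Site Administration
# Tool writes into a directory's web.config). The "WRONG" pair put the rule that
# matches everyone first; the "RIGHT" pair put the specific rule first.
MEMBERS_WRONG = """
<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>"""

MEMBERS_RIGHT = """
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>"""

ADMIN_WRONG = """
<authorization>
  <deny users="*" />
  <allow roles="Administrator" />
</authorization>"""

ADMIN_RIGHT = """
<authorization>
  <allow roles="Administrator" />
  <deny users="*" />
</authorization>"""


def _split(attr):
    """Comma-separated users/roles attribute -> list of trimmed names."""
    return [v.strip() for v in attr.split(",") if v.strip()]


def is_allowed(authorization_xml, user=None, roles=()):
    """Evaluate an <authorization> section the way ASP.NET's UrlAuthorizationModule
    does: rules are tried top to bottom, the first <allow> or <deny> whose users or
    roles list matches the caller decides, and a caller matching no rule falls
    through to the inherited default (allow). user=None is an anonymous request;
    "*" matches everyone and "?" matches only anonymous users."""
    caller_roles = {r.lower() for r in roles} if user is not None else set()
    for rule in ET.fromstring(authorization_xml.strip()):
        if rule.tag not in ("allow", "deny"):
            continue
        matched = any(
            u == "*" or (u == "?" and user is None)
            or (user is not None and u.lower() == user.lower())
            for u in _split(rule.get("users", ""))
        ) or any(r.lower() in caller_roles for r in _split(rule.get("roles", "")))
        if matched:
            return rule.tag == "allow"
    return True  # no rule matched: inherited root web.config allows everyone


if __name__ == "__main__":
    print("members, anonymous, wrong order :", is_allowed(MEMBERS_WRONG, None))
    print("members, anonymous, right order :", is_allowed(MEMBERS_RIGHT, None))
    print("admin folder, admin, wrong order:", is_allowed(ADMIN_WRONG, "admin", ["Administrator"]))
    print("admin folder, admin, right order:", is_allowed(ADMIN_RIGHT, "admin", ["Administrator"]))
```

With Allow All listed first, the members folder is open to anonymous visitors; with Deny All listed first, the administrator is locked out of the admin folder. Paste a real <authorization> section from a directory's web.config into is_allowed to check it the same way.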
Code Example: One Login Page to Handle
Two Types of Authentication
Imports System.Data.OleDb
Imports System.Web.Security

' Login button handler: first checks the application's own Users table in the
' Sales database, then falls back to the ASP.NET membership store (ASPNETDB.MDF).
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
    ' Parameterized query: the user name travels as a parameter and is never
    ' concatenated into the SQL text, so quotes in the input cannot alter the query.
    Dim strSQL As String = "select UserID, Password from users where UserID = ?"
    Using objConn As New OleDbConnection(strConn)
        Using objComm As New OleDbCommand(strSQL, objConn)
            objComm.Parameters.AddWithValue("@UserID", TextBox1.Text)
            objConn.Open()
            Using objDataReader As OleDbDataReader = objComm.ExecuteReader()
                If objDataReader.Read() Then
                    ' The example's Users table stores the password in clear text,
                    ' so it is compared as-is.
                    If TextBox2.Text = CStr(objDataReader("Password")) Then
                        FormsAuthentication.RedirectFromLoginPage(CStr(objDataReader("UserID")), _
                            createPersistentCookie:=False)
                    End If
                End If
            End Using
        End Using
    End Using
    ' Not found in the Sales database: try the membership store.
    If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, createPersistentCookie:=False)
    End If
End Sub
ASP.NET Login Controls
• The ASP.NET login controls provide a login
solution for ASP.NET Web applications without
requiring programming.
– By default, these controls use SQLExpress database to
manage users.
• Login control
• LoginView control:
– displays different content to anonymous and logged-in users.
• PasswordRecovery control
• CreateUserWizard
• ChangePassword control
SQL Injection
• "SQL Injection" is an
unverified/unsanitized user input
vulnerability, and the idea is to convince
the application to run SQL code that was
not intended.
• Exploits applications that use external
input for database commands.
SQL Injection Demo
• On a web page that takes a customer ID entered
in a textbox as input, then displays the
customer's data. The page builds its query by
concatenating the input:
select * from customer where cid = '<input>'
• 1. Retrieve all records: in the textbox, enter:
' OR 1=1 OR CID = '
(the WHERE clause becomes cid = '' OR 1=1 OR CID = '',
which is true for every row)
2. Guess a table name or field name:
' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
(if the Orders table does not exist, the page echoes the
database error; if it does, the page returns normally, so the
error message acts as an oracle for table and column names)
3. Find some users:
' or cname like 'S%' or cid='
(returns every customer whose name starts with S)
SQL Injection Demo Code
Imports System.Data.OleDb

' Deliberately vulnerable: the textbox value is concatenated straight into the
' SQL statement, so the payloads above change the meaning of the WHERE clause.
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
    Dim objConn As New OleDbConnection(strConn)
    Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader = objComm.ExecuteReader()
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        ' Echoing the raw database error to the browser tells an attacker whether
        ' a guessed table or column name exists (payload 2 above).
        Response.Write(except.Message)
    Finally
        objConn.Close()
    End Try
End Sub
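To see exactly what the three payloads do to the demo's statement, here is an added example (Python with sqlite3, not code from the original slides) that builds the same concatenated query against a small constructed customer table and runs the parameterized form beside it. The rows, the orders table and the guessed table name invoices are constructed for the example; the demo's real database is Access/Jet, whose error text differs from SQLite's, but the behaviour of the concatenated query is the same.

```python
import sqlite3

# Constructed stand-in for the demo's salesDB.mdb: a customer table plus an
# orders table that the "guess a table name" payload probes for.
CUSTOMERS = [
    ("C001", "Smith Ltd", "London"),
    ("C002", "Sanchez SA", "Madrid"),
    ("C003", "Brown Inc", "Leeds"),
]
ORDERS = [(1, "C001"), (2, "C003")]


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (cid TEXT PRIMARY KEY, cname TEXT, city TEXT)")
    conn.execute("CREATE TABLE orders (oid INTEGER PRIMARY KEY, cid TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


def lookup_vulnerable(conn, textbox_value):
    """Same construction as the demo's Button1_Click: the textbox value is
    concatenated into the statement. Returns (sql, rows) or, like the demo's
    Catch block that writes except.Message to the page, (sql, error_text)."""
    sql = "select * from customer where cid = '" + textbox_value + "'"
    try:
        return sql, conn.execute(sql).fetchall()
    except sqlite3.Error as err:
        return sql, str(err)


def lookup_parameterized(conn, textbox_value):
    """Hardened form: the value travels as a bound parameter, so quote
    characters in it are data, never SQL syntax."""
    return conn.execute("select * from customer where cid = ?", (textbox_value,)).fetchall()


# The three payloads from the demo, plus a guess at a table that does not exist.
PAYLOADS = {
    "all records": "' OR 1=1 OR cid = '",
    "table exists": "' AND 1=(SELECT COUNT(*) FROM orders) AND cid='",
    "table missing": "' AND 1=(SELECT COUNT(*) FROM invoices) AND cid='",
    "names starting with S": "' or cname like 'S%' or cid='",
}


def run_demo():
    """Returns {payload name: (concatenated-query result, parameterized result)}."""
    conn = open_db()
    return {name: (lookup_vulnerable(conn, p)[1], lookup_parameterized(conn, p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:>22}: concatenated -> {vuln!r}")
        print(f"{'':>22}  parameterized -> {safe!r}")
```

The concatenated query returns every customer for payload 1, two customers for payload 3, nothing but no error for the existing orders table, and a "no such table" error for the missing invoices table, which is the oracle payload 2 relies on. The parameterized query returns no rows for every payload, because it looks for a customer whose cid literally equals the payload string.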