forms authentication ticket
Website Security
ISYS 512
Authentication
• Authentication is the process that determines
the identity of a user.
Forms Authentication
• Uses a username and password to
authenticate the user.
• Once Forms authentication is enabled,
pages cannot be accessed unless the user
has been authenticated. Without
authentication, the user is redirected to a login
page.
• If authenticated, an Authentication Ticket is
issued in the form of a cookie and user is
redirected back to the requested page.
Forms Authentication Ticket
• After verifying the submitted credentials, a forms
authentication ticket is created for the user. This
ticket indicates that the user has been
authenticated and includes identifying
information, such as the username. The forms
authentication ticket is stored as a cookie on the
client computer. Therefore, subsequent visits to
the website include the forms authentication
ticket in the HTTP request, thereby enabling the
web application to identify the user once they
have logged in.
Forms Authentication Flow
(Flow diagram, recovered as text)
• User requests a page on the Website. Authenticated? No: redirect to the Login Page. Yes: serve the page.
• Login Page: Authenticated? No: redirect back to the Login Page. Yes: write the Authentication Ticket as a cookie and redirect to the Website.
Enabling Forms Authentication
• Set the authentication mode for the application
by modifying the authentication section in the
application root web.config file:
<authentication mode="Forms">
• Deny access to anonymous users by modifying
the authentication section in the web.config file:
<authorization>
<deny users="?" />
</authorization>
• Create a login page that enables users to enter
their usernames and passwords.
• If authenticated, an authentication ticket is issued
in the form of a cookie.
Example of Web.config File
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
</configuration>
FormsAuthentication Class
• Must import System.Web.Security namespace.
– using System.Web.Security;
• Methods:
– RedirectFromLoginPage(string userName, bool createPersistentCookie)
• Redirects the user back to the page that sent the user to the login
page, and writes a cookie named .ASPXAUTH containing an
Authentication Ticket.
– SignOut()
• Removes the forms-authentication ticket from the browser.
– RedirectToLoginPage()
• Redirects the browser to the login URL.
Assuming user names and
passwords are stored in a table
• Database table name: users
• Fields:
– UserID, varchar(10)
– Password, varchar(20)
– Email, varchar(20)
Login Control
• Category Login/Login
• Properties:
– UserName
– Password
• Event:
– Login1_Authenticate
Must Turn Off UnobtrusiveValidationMode:
(This simply means we are not using jQuery)
    protected void Page_Load(object sender, EventArgs e)
    {
        // Disable unobtrusive validation so the Login control works without jQuery
        Page.UnobtrusiveValidationMode =
            System.Web.UI.UnobtrusiveValidationMode.None;
    }
Code Example: User name and password
are stored in a database table
    using System.Data.SqlClient;
    using System.Web.Security;

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1";
        SqlConnection objConn = new SqlConnection(strConn);
        // Look up the row for the submitted user name. The user input is concatenated
        // into the SQL text, the same pattern the SQL Injection Demo below exploits.
        String strSQL = "select * from users where userID='" + Login1.UserName + "'";
        SqlCommand objComm = new SqlCommand(strSQL, objConn);
        objConn.Open();
        SqlDataReader myReader;
        myReader = objComm.ExecuteReader();
        if (myReader.Read())
        {
            // Compare the submitted password with the stored (plain-text) Password column
            if (Login1.Password == myReader["Password"].ToString())
                // Issue the authentication ticket cookie and return to the requested page
                FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true);
            else
                Response.Write("Invalid password, Access denied");
        }
        else
            Response.Write("User does not exist");
        objConn.Close();
    }
SignOut Demo
• using System.Web.Security;
• A SignOut page with a button to sign out;
then redirect to the home page and trigger
the authentication again.
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Remove the .ASPXAUTH ticket cookie, then send the browser to the login URL
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
SQL Injection Demo
• On a web page that takes a customer ID entered
in a textbox as input, then displays the
customer's data.
1. Retrieve all records: in the textbox, enter:
' OR 1=1 OR CID = '
2. Guess a table name or field name:
' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
3. Find some users:
' or cname like 'S%' or cid='
Demo
    using System.Data.SqlClient;

    protected void Button1_Click(object sender, EventArgs e)
    {
        string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1";
        SqlConnection objConn = new SqlConnection(strConn);
        // The textbox value is concatenated into the SQL text, so the inputs listed
        // above change the query instead of being treated as a customer ID.
        String strSQL = "select * from customer where cid='" + TextBox1.Text + "'";
        SqlCommand objComm = new SqlCommand(strSQL, objConn);
        objConn.Open();
        SqlDataReader myReader;
        myReader = objComm.ExecuteReader();
        if (myReader.HasRows)
        {
            GridView1.DataSource = myReader;
            GridView1.DataBind();
        }
        else
            Response.Write("User does not exist");
        objConn.Close();
    }
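The two handlers above (the login lookup and the customer lookup of the SQL Injection Demo) rewritten with parameterized queries, as an added example that is not part of the original slides. It assumes the deck's controls (Login1, TextBox1, GridView1), its users and customer tables, and a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind fragment for the deck's two pages. Login1, TextBox1 and GridView1 are the
// controls from the slides (declared in the page's .designer.cs, not repeated here).
public partial class SecureDemo : Page
{
    // Placeholder connection string: load the real one from configuration, not from source.
    private const string ConnString =
        "Data Source=SERVER;Initial Catalog=CustomerOrders;User ID=USER;Password=PASSWORD";

    // Login page. Table layout from the slides: users(UserID varchar(10), Password varchar(20), Email).
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        const string sql = "SELECT Password FROM users WHERE UserID = @userID";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value is sent to SQL Server separately from the statement text, so quotes
            // and OR clauses in the user name are looked up literally and match no row.
            cmd.Parameters.Add("@userID", SqlDbType.VarChar, 10).Value = Login1.UserName;
            conn.Open();
            string stored = cmd.ExecuteScalar() as string;   // null when no such user
            // The slides' table holds the password as plain text; compare as-is and report
            // one generic failure so the response does not reveal which part was wrong.
            e.Authenticated = stored != null && stored == Login1.Password;
        }
        if (e.Authenticated)
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false); // false: session cookie
        else
            Login1.FailureText = "Invalid user name or password.";
    }

    // Customer page from the SQL Injection Demo: the same fix, the textbox value is bound as a
    // parameter, so the deck's input  ' OR 1=1 OR CID = '  is searched for as a literal cid.
    protected void Button1_Click(object sender, EventArgs e)
    {
        const string sql = "SELECT * FROM customer WHERE cid = @cid";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@cid", TextBox1.Text);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.HasRows) { GridView1.DataSource = reader; GridView1.DataBind(); }
                else Response.Write("Customer not found");
            }
        }
    }
}
```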