Authenticating Users in an ASP.NET Application


Website Security
ISYS 512
Authentication
• Authentication is the process that determines the identity of a user.
• Web.config file
– <authentication> node
• Options:
– Windows Authentication: authentication is handled by the Windows server.
• For intranet use.
– Forms Authentication: for Internet (public access) sites.
– Passport
Forms Authentication
• Use a username and password to authenticate the user.
– Usernames and passwords can be stored in a database table or in the Web.config file.
• Once Forms authentication is enabled, pages cannot be accessed unless the user has been authenticated. Without authentication, the user is redirected to a login page.
• If authenticated, an authorization ticket is issued in the form of a cookie and the user is redirected back to the requested page.
Enabling Forms Authentication
• Set the authentication mode for the application by modifying the authentication section in the application root web.config file.
• Deny access to anonymous users by modifying the authentication section in the web.config file.
• Create a login page that enables users to enter their usernames and passwords.
• If authenticated, an authorization ticket is issued in the form of a cookie.
FormsAuthentication Class
• Import the System.Web.Security namespace.
• Methods:
– Authenticate:
• Validates a user name and password against credentials stored in the configuration file for an application.
– RedirectFromLoginPage(String, Boolean)
• Redirects the user back to the page that sent the user to the login page, and writes a cookie named .ASPXAUTH containing an authentication ticket.
– SignOut()
• Removes the forms-authentication ticket from the browser.
– RedirectToLoginPage()
• Redirects the browser to the login URL.
User Names & Passwords Are Stored in the Web.Config File
<configuration>
  <system.web>
    <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms loginUrl="Webform2.aspx" >
        <credentials passwordFormat="Clear">
          <user name="user1" password="password1"/>
          <user name="user2" password="password2"/>
          <user name="user3" password="password3"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Using FormsAuthentication's Authenticate Method
If FormsAuthentication.Authenticate(Login1.UserName, Login1.Password) Then
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)
Else
    Response.Write("Invalid Credentials: Please try again")
End If
Note: Using a Login Control
User Names & Passwords Are Stored in a Database Table
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" />
</authentication>
</system.web>
</configuration>
LogIn Example
Imports System.Data.OleDb
Imports System.Web.Security

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    ' The user name typed into TextBox1 is concatenated into the SQL text (see the SQL Injection section below).
    Dim strSQL As String = "select password from users where userID='" & TextBox1.Text & "'"
    Dim objConn As New OleDbConnection(strConn)
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Dim storedPassword As Object

    objConn.Open()
    ' ExecuteScalar returns Nothing when no row matches and DBNull when the column is NULL;
    ' neither may compare equal to an empty password textbox.
    storedPassword = objComm.ExecuteScalar()
    objConn.Close()

    If TypeOf storedPassword Is String AndAlso TextBox2.Text = CStr(storedPassword) Then
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True)
    Else
        Response.Write("Access denied")
    End If
End Sub
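A hardened version of this login, added here as an example and not taken from the slides: the user name is bound as an OleDb parameter, and the Users table is assumed (my assumption, not the slides' schema) to hold a PBKDF2 hash and a salt per user instead of the clear-text password.

```vbnet
Imports System.Data.OleDb
Imports System.Security.Cryptography
Imports System.Web.Security

' Assumed schema (not from the slides): Users(UserID, PasswordHash, PasswordSalt),
' with PasswordHash = PBKDF2(password, PasswordSalt, Iterations) stored as bytes.
Private Const Iterations As Integer = 10000

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    ' OleDb placeholders are positional "?"; the user name is bound as a value, never spliced into the SQL.
    Dim strSQL As String = "SELECT PasswordHash, PasswordSalt FROM Users WHERE UserID = ?"
    Dim authenticated As Boolean = False

    Using objConn As New OleDbConnection(strConn)
        Using objComm As New OleDbCommand(strSQL, objConn)
            objComm.Parameters.AddWithValue("@UserID", TextBox1.Text)
            objConn.Open()
            Using rdr As OleDbDataReader = objComm.ExecuteReader()
                If rdr.Read() Then
                    Dim storedHash As Byte() = CType(rdr("PasswordHash"), Byte())
                    Dim salt As Byte() = CType(rdr("PasswordSalt"), Byte())
                    authenticated = VerifyPassword(TextBox2.Text, salt, storedHash)
                End If
            End Using
        End Using
    End Using

    If authenticated Then
        ' Non-persistent ticket: it lives for the browser session only.
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, False)
    Else
        ' Same message for an unknown user and for a wrong password.
        Response.Write("Invalid credentials: please try again")
    End If
End Sub

' Re-derives the hash from the submitted password and compares it in constant time,
' so the comparison takes the same time whichever byte differs.
Private Shared Function VerifyPassword(ByVal password As String, ByVal salt As Byte(), ByVal expected As Byte()) As Boolean
    Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        Dim actual As Byte() = kdf.GetBytes(expected.Length)
        Dim diff As Integer = 0
        For i As Integer = 0 To expected.Length - 1
            diff = diff Or (actual(i) Xor expected(i))
        Next
        Return diff = 0
    End Using
End Function
```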
SignOut Demo
• A SignOut page with a button to sign out, then redirect to the home page and trigger the authentication again.
– FormsAuthentication.SignOut()
– Response.Redirect("webform1.aspx")
Web Site Administration Tool
• From VS 2010, click Project/ASP.Net Configuration to open the Web Site Administration Tool.
– Select Authentication type:
• Windows authentication
• Forms authentication
– Manage users
– Manage roles
– Manage access rules
Access Rules
• Allow or deny access to a particular directory by user name or role.
• Use the Web Site Administration Tool to create and manage access rules; it will create an authorization section with Allow or Deny elements in the web.config file for that directory.
• The permissions established for a directory also apply to its subdirectories, unless configuration files in a subdirectory override them.
• Users:
– ALL: including authenticated and anonymous users.
– Anonymous: unauthenticated users.
User Accounts and Roles
• By managing user accounts and roles, we can define authorization rules for accessing a particular ASP.NET page or directory for a particular user or role.
How to Create Users and Roles
• The SQL Server Express service must be running.
– By default, ASP.Net saves user and role data in a SQL Server Express file that is stored in the App_Data folder.
• Click Show All Files
• File: App_Data\ASPNETDB.MDF
• From VS 2010, click Website/ASP.Net Configuration to open the Web Site Administration Tool.
– Click Security
• Create User
• Create Role
• Create Access Rules
Forms Authentication Ticket
• After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is (typically) stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.
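An added example (not from the slides) that reads the ticket cookie carried by the current request, decrypts it with FormsAuthentication.Decrypt, and reports what it contains; it assumes the default cookie name and a page inside the same application (same machineKey).

```vbnet
Imports System.Web
Imports System.Web.Security

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    ' FormsCookieName is ".ASPXAUTH" unless <forms name="..."> overrides it.
    Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
    If authCookie Is Nothing Then
        Response.Write("No forms authentication ticket was sent with this request.")
        Return
    End If

    Dim ticket As FormsAuthenticationTicket = Nothing
    Try
        ' Decrypt returns Nothing or throws when the cookie was not produced with this
        ' application's machineKey, e.g. a tampered or foreign ticket.
        ticket = FormsAuthentication.Decrypt(authCookie.Value)
    Catch ex As Exception
        ticket = Nothing
    End Try

    If ticket Is Nothing OrElse ticket.Expired Then
        ' The forms authentication module has already treated this request as anonymous.
        Response.Write("Ticket is invalid or has expired.")
        Return
    End If

    ' Values from the cookie are untrusted input: encode before writing them into HTML.
    Response.Write("Ticket for user: " & Server.HtmlEncode(ticket.Name) & "<br>")
    Response.Write("Issued: " & ticket.IssueDate.ToString() & "<br>")
    Response.Write("Expires: " & ticket.Expiration.ToString() & "<br>")
    Response.Write("Persistent: " & ticket.IsPersistent.ToString() & "<br>")
    ' The same identity is what User.Identity.Name exposes on every page.
    Response.Write("User.Identity.Name: " & Server.HtmlEncode(User.Identity.Name))
End Sub
```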
Membership Class
• System.Web.Security.Membership
• The ASP.NET Membership class gives you a built-in way to validate and store user credentials.
– Including users created by the Web Site Administration Tool and the CreateUserWizard.
• Method:
– ValidateUser(string username, string password)
Authenticate Users Using the Membership Class
If Membership.ValidateUser(Login1.UserName, Login1.Password) = True Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)
Else
Response.Write("Invalid")
End If
Example
• A website with a public area, such as the home page, a restricted area for members only, and an area for the website's administrator only.
– The restricted area will be a subfolder of the website's root directory.
• Users:
– Administrator
– Members: member data is stored in a regular database.
• Example: the Sales database's Users table with UserID, Password and Email fields.
– Anonymous users
• Step 1: Create user and role
• Step 2: Create access rules:
– Public area (root directory): Allow All
– Members-only area:
• Rule 1: Allow All
• Rule 2: Deny Anonymous
– Administrator-only area:
• Rule 1: Deny All
• Rule 2: Allow administrator
• Step 3: Create the Login.aspx page
– Password textbox:
• TextMode property: Password
Code Example: One Login Page to Handle Two Types of Authentication
Imports System.Data.OleDb
Imports System.Web.Security

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    Dim strSQL As String = "select * from users where UserID= '" & TextBox1.Text & "'"
    Dim memberFound As Boolean = False
    Dim memberID As String = ""

    ' First source: the Users table of the Sales database (members).
    Using objConn As New OleDbConnection(strConn)
        Using objComm As New OleDbCommand(strSQL, objConn)
            objConn.Open()
            Using objDataReader As OleDbDataReader = objComm.ExecuteReader()
                If objDataReader.Read() Then
                    ' A NULL password column must not match an empty textbox.
                    If TypeOf objDataReader("password") Is String AndAlso TextBox2.Text = CStr(objDataReader("password")) Then
                        memberFound = True
                        memberID = CStr(objDataReader("UserID"))
                    End If
                End If
            End Using
        End Using
    End Using

    If memberFound Then
        FormsAuthentication.RedirectFromLoginPage(memberID, createPersistentCookie:=True)
    End If

    ' Second source: the ASP.NET membership store (administrator).
    If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) Then
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, createPersistentCookie:=True)
    End If
End Sub
ASP.NET Login Controls
• The ASP.NET login controls provide a login solution for ASP.NET Web applications without requiring programming.
– By default, these controls use a SQL Server Express database to manage users.
• Login control
• CreateUserWizard
• ChangePassword control
Cookies
Data in Cookies
• Which web site set the cookie
• Expiration date
– DateTime data type
– TimeSpan data type
• One or more pieces of data
• Keys: a collection of the cookie's names
• Define a new cookie:
– Dim cookieCID As New HttpCookie("cid")
• Add it to Response.Cookies:
– Response.Cookies.Add(cookieCID)
Cookie’s Properties
• System.Web.HttpCookie
– Name
– Value
– Expires
• To write a cookie:
– Response.Cookies.Add(cookieObj)
Creating Cookies
Dim cookieCID As New HttpCookie("cid")
Dim cookieCNAME As New HttpCookie("cname")
Dim dt As DateTime = DateTime.Now
Dim ts As New TimeSpan(30, 0, 0, 0)   ' 30 days
cookieCID.Value = TextBox1.Text
cookieCNAME.Value = TextBox2.Text
cookieCID.Expires = dt.Add(ts)
cookieCNAME.Expires = dt.Add(ts)
Response.Cookies.Add(cookieCID)
Response.Cookies.Add(cookieCNAME)
Note: The name (or key) of cookieCID is "cid"
FireFox: Tools/Options/Privacy
Reading Cookies
Dim custid As String
Dim custName As String
custid = Request.Cookies("cid").Value
custName = Request.Cookies("cname").Value
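An added example, not from the slides, that writes the same two cookies with the HttpOnly and Secure flags set and reads them back without failing when a cookie is absent (Request.Cookies("cid") is Nothing when the browser did not send it, so the read above would throw a NullReferenceException). The helper names are my own.

```vbnet
Imports System.Web

Private Sub WriteCustomerCookies(ByVal cid As String, ByVal cname As String)
    Dim expiry As DateTime = DateTime.Now.Add(New TimeSpan(30, 0, 0, 0))   ' 30 days

    Dim cookieCID As New HttpCookie("cid", cid)
    cookieCID.Expires = expiry
    cookieCID.HttpOnly = True                       ' not readable from client-side script
    cookieCID.Secure = Request.IsSecureConnection   ' sent only over HTTPS when the site runs on HTTPS

    Dim cookieCNAME As New HttpCookie("cname", cname)
    cookieCNAME.Expires = expiry
    cookieCNAME.HttpOnly = True
    cookieCNAME.Secure = Request.IsSecureConnection

    Response.Cookies.Add(cookieCID)
    Response.Cookies.Add(cookieCNAME)
End Sub

' Returns defaultValue instead of dereferencing a cookie the browser did not send.
Private Function ReadCookie(ByVal name As String, ByVal defaultValue As String) As String
    Dim c As HttpCookie = Request.Cookies(name)
    If c Is Nothing OrElse String.IsNullOrEmpty(c.Value) Then
        Return defaultValue
    End If
    Return c.Value
End Function

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Dim custid As String = ReadCookie("cid", "")
    Dim custName As String = ReadCookie("cname", "Guest")
    ' Cookie values are client-controlled input: encode before echoing them into HTML.
    Response.Write("Welcome " & Server.HtmlEncode(custName))
End Sub
```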
Using Cookie with DataReader
Imports System.Data.OleDb

Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
Dim objConn As New OleDbConnection(strConn)
Dim strSQL As String
Dim objDataReader As OleDbDataReader
Dim cid As String

' Request.Cookies("CID") is Nothing when the browser sent no such cookie.
If Request.Cookies("CID") Is Nothing Then
    Response.Write("<hr>We don't have your record <hr>")
    Return
End If
cid = Request.Cookies("CID").Value
strSQL = "select * from webcustomer where CustID= '" & cid & "'"
Dim objComm As New OleDbCommand(strSQL, objConn)
objConn.Open()
objDataReader = objComm.ExecuteReader()
If objDataReader.Read() = True Then
    Session("cname") = objDataReader("CustName")
    Response.Write("<hr>Welcome:" & Server.HtmlEncode(CStr(objDataReader("CustName"))) & "<hr>")
Else
    Response.Write("<hr>We don't have your record <hr>")
End If
objDataReader.Close()
objConn.Close()
Demo: ASPNET/CookieGreeting.aspx
SQL Injection
• "SQL Injection" is an unverified/unsanitized user input vulnerability: the idea is to convince the application to run SQL code that was not intended.
• Exploits applications that use external input for database commands.
SQL Injection Demo
• On a web page that takes a customer ID entered in a textbox as input, then displays the customer's data.
• 1. Retrieve all records: in the textbox, enter:
' OR 1=1 OR CID = '
• 2. Guess a table name or field name:
' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
• 3. Finding some users:
' or cname like 'S%' or cid='
SQL Injection Demo Code
Imports System.Data.OleDb

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    ' Deliberately vulnerable: the textbox value becomes part of the SQL text, which is what the demo inputs above exploit.
    Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
    Dim objConn As New OleDbConnection(strConn)
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader
        objDataReader = objComm.ExecuteReader()
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        ' Writing the exception text to the page shows provider error details to the visitor.
        Response.Write(except.Message)
    Finally
        objConn.Close()
    End Try
End Sub
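The same lookup with the textbox value bound as a parameter, added here as an example and not part of the slides; the textbox and GridView names are the ones the demo uses, while the generic error message and the server-side trace call are my additions.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb"
    ' OleDb uses positional "?" placeholders. The value is sent separately from the SQL
    ' text, so an input such as the slide's ' OR 1=1 OR CID = ' is compared literally
    ' against the cid column and simply matches no row.
    Dim strSQL As String = "SELECT * FROM customer WHERE cid = ?"

    Try
        Using objConn As New OleDbConnection(strConn)
            Using objComm As New OleDbCommand(strSQL, objConn)
                objComm.Parameters.Add("@cid", OleDbType.VarWChar).Value = TextBox1.Text
                objConn.Open()
                Using objDataReader As OleDbDataReader = objComm.ExecuteReader()
                    GridView1.DataSource = objDataReader
                    GridView1.DataBind()
                End Using
            End Using
        End Using
    Catch ex As OleDbException
        ' Keep provider error text (table and column names, SQL fragments) off the page;
        ' record it server-side instead and show the visitor a neutral message.
        System.Diagnostics.Trace.TraceError(ex.ToString())
        Response.Write("The lookup could not be completed.")
    End Try
End Sub
```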