Authenticating Users in an ASP.NET Application

Slides: 18
Provided by: cob3
Learn more at: https://faculty.sfsu.edu

1
Authenticating Users in an ASP.NET Application
2
Web Site Administration Tool
  • From VS 2008, click Website / ASP.NET Configuration
    to open the Web Site Administration Tool.
  • Select Authentication type
  • Windows authentication
  • Forms authentication
  • Manage users
  • Manage roles
  • Manage access rules

3
Authentication via Windows Authentication
  • Select this option if users will access your web
    site only from a private local network. The site
    will use built-in Microsoft Windows
    authentication to identify users. Users with a
    valid Windows user name and password will be able
    to access your site.
  • Intranet

4
Forms Authentication
  • Select this option if users will access your web
    site from the public internet.
  • Forms authentication identifies the user by
    prompting them to enter their credentials through
    a web form.
  • When a user attempts to access a resource they are
    not authorized to view, they are automatically
    redirected to the login page, where they can enter
    their credentials. The submitted credentials are
    then validated against a custom user store,
    usually a database.

5
Access Rules
  • Allow or deny access to a particular directory by
    user name or role.
  • Use the Web Site Administration Tool to create and
    manage access rules; it writes an authorization
    section with allow or deny elements into the
    web.config file for that directory.
  • The permissions established for a directory also
    apply to its subdirectories, unless configuration
    files in a subdirectory override them.
  • Users
  • All: includes authenticated and anonymous users.
  • Anonymous: unauthenticated users.

6
User Accounts and Roles
  • By managing user accounts and roles we can define
    authorization rules for accessing a particular
    ASP.NET page or directory for a particular user
    or role.

7
How to Create Users and Roles
  • The SQL Server Express service must be running.
  • By default, ASP.NET saves user and role data in
    a SQL Server Express database file stored in the
    App_Data folder.
  • File: App_Data\ASPNETDB.MDF
  • From VS 2008, click Website / ASP.NET Configuration
    to open the Web Site Administration Tool.
  • Click Security
  • Create User
  • Create Role
  • Create Access Rules

8
Forms Authentication Ticket
  • After verifying the submitted credentials, a
    forms authentication ticket is created for the
    user. This ticket indicates that the user has
    been authenticated and includes identifying
    information, such as the username. The forms
    authentication ticket is (typically) stored as a
    cookie on the client computer. Therefore,
    subsequent visits to the website include the
    forms authentication ticket in the HTTP request,
    thereby enabling the web application to identify
    the user once they have logged in.

9
FormsAuthentication Class
  • System.Web.Security.FormsAuthentication
  • Manages forms-authentication services for Web
    applications.
  • Methods
  • RedirectFromLoginPage(string userName, bool
    createPersistentCookie)
  • Redirects an authenticated user back to the
    originally requested URL or the default URL, and
    writes a cookie named .ASPXAUTH containing the
    authentication ticket.
  • RedirectToLoginPage()
  • Redirects the browser to the login URL.

10
Membership Class
  • System.Web.Security.Membership
  • The ASP.NET Membership class gives you a built-in
    way to validate and store user credentials,
    including users created by the Web Site
    Administration Tool and the CreateUserWizard.
  • Method
  • ValidateUser(string username, string password)

11
Example
  • A website with a public area, such as the home
    page, a restricted area for members only, and an
    area for the website's administrator only.
  • The restricted area will be a subfolder of the
    website's root directory.
  • Users
  • Administrator
  • Members: members' data are stored in a regular
    database.
  • Example: the Sales database's Users table with
    UserID, Password and Email fields.
  • Anonymous users

12
  • Step 1: Create user and role
  • Step 2: Create access rules
  • Public area (root directory): Allow All
  • Membership-only area
  • Rule 1: Allow All
  • Rule 2: Deny Anonymous
  • Administrator-only area
  • Rule 1: Deny All
  • Rule 2: Allow administrator
  • Step 3: Create the Login.aspx page
  • Password textbox
  • TextMode property = Password
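The web.config that Step 2's access rules and Step 3's Login.aspx page amount to, as an added example that is not from the slides; it uses location elements in the root web.config, which is equivalent to the per-directory web.config files the Web Site Administration Tool writes. The folder names Members and Admin, the administrator being a role rather than a user, and the forms settings (protection, requireSSL, timeout) are assumptions.

```xml
<?xml version="1.0"?>
<!-- Root web.config. Added example, not from the slides. -->
<configuration>
  <system.web>
    <!-- Step 3: unauthenticated requests to protected folders are redirected to Login.aspx.
         requireSSL keeps the ticket cookie off plain HTTP (assumes the site is served over HTTPS). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true" timeout="30" />
    </authentication>
    <!-- Public area (root directory): Allow All -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Membership-only area (folder name "Members" is assumed).
       ASP.NET reads an authorization section top-down and stops at the first match,
       so "Deny Anonymous" (users="?") must sit above "Allow All" (users="*");
       the other way round, the allow-all rule matches first and anonymous users get in. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Administrator-only area (folder "Admin" and role "administrator" are assumed).
       The allow rule must sit above "Deny All" (users="*"), or nobody can enter. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after saving: request a page under Members while logged out and confirm the redirect to Login.aspx, then log in as a non-administrator and confirm a page under Admin is refused.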

13
Code Example: One Login Page to Handle Two Types
of Authentication
Imports System.Data.OleDb
Imports System.Web.Security

Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
Dim objConn As New OleDbConnection(strConn)
Dim strSQL, emailAddress As String
emailAddress = TextBox1.Text
' The entered UserID is concatenated into the SQL text (see the SQL Injection slides)
strSQL = "select * from users where UserID='" & TextBox1.Text & "'"
Dim objComm As New OleDbCommand(strSQL, objConn)
objConn.Open()
Dim objDataReader As OleDbDataReader
objDataReader = objComm.ExecuteReader()
' Members: checked against the Users table of the regular Sales database
If objDataReader.Read() Then
    If TextBox2.Text = objDataReader("password") Then
        FormsAuthentication.RedirectFromLoginPage(objDataReader("UserID"), createPersistentCookie:=False)
    End If
End If
' Administrator: checked against the ASP.NET membership store
If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) = True Then
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, createPersistentCookie:=False)
End If
14
ASP.NET Login Controls
  • The ASP.NET login controls provide a login
    solution for ASP.NET Web applications without
    requiring programming.
  • By default, these controls use a SQL Server
    Express database to manage users.
  • Login control
  • LoginView control: displays different information
    to anonymous and logged-in users.
  • PasswordRecovery control
  • CreateUserWizard
  • ChangePassword control

15
SQL Injection
  • "SQL Injection" is an unverified/unsanitized user
    input vulnerability; the idea is to convince the
    application to run SQL code that was not
    intended.
  • Exploits applications that use external input for
    database commands.

16
SQL Injection Demo
  • On a web page that takes a customer ID entered in
    a textbox as input and then displays the
    customer's data.
  • 1. Retrieve all records. In the textbox, enter:
  • ' OR 1=1 OR CID='
  • 2. Guess a table name or field name
  • ' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
  • 3. Finding some users
  • ' or cname like 'S' or cid='
  • SQLInjectionDemo

17
Demo
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
    Dim objConn As New OleDbConnection(strConn)
    ' The customer ID typed into TextBox1 is concatenated straight into the SQL text
    Dim strSQL As String = "select * from customer where cid='" & TextBox1.Text & "'"
    Dim objComm As New OleDbCommand(strSQL, objConn)
    Try
        objConn.Open()
        Dim objDataReader As OleDbDataReader
        objDataReader = objComm.ExecuteReader()
        GridView1.DataSource = objDataReader
        GridView1.DataBind()
    Catch except As SystemException
        ' The provider's error text is written straight to the page
        Response.Write(except.Message)
    End Try
End Sub
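The same handler with the customer ID passed as a query parameter, as an added example that is not the slides' code; the slide-13 login query takes the identical change (a ? placeholder for UserID). It assumes the slide's TextBox1 and GridView1, an extra Label1 for messages, and the same Access database.

```vb
' Added example (not the slides' code): the demo handler with the customer ID
' passed as a query parameter. Assumes the slide's TextBox1 and GridView1 and an
' extra Label1 for messages; same Access database as the slides.
Imports System.Data.OleDb

Partial Class SQLInjectionDemo
    Inherits System.Web.UI.Page

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\salesDB.mdb"
        ' OleDb/Jet uses positional "?" placeholders; the SQL text never changes.
        Dim strSQL As String = "SELECT * FROM customer WHERE cid = ?"
        Try
            Using objConn As New OleDbConnection(strConn)
                Using objComm As New OleDbCommand(strSQL, objConn)
                    ' The textbox contents travel as a value. The demo input
                    ' ' OR 1=1 OR CID=' is compared literally with cid and matches no row.
                    objComm.Parameters.AddWithValue("@cid", TextBox1.Text)
                    objConn.Open()
                    Using objDataReader As OleDbDataReader = objComm.ExecuteReader()
                        GridView1.DataSource = objDataReader
                        GridView1.DataBind()
                    End Using
                End Using
            End Using
        Catch except As OleDbException
            ' Provider error text names tables and columns (what demo step 2 probes for),
            ' so it goes to the trace log, not to the browser.
            Trace.Warn("CustomerLookup", except.Message)
            Label1.Text = "The customer could not be looked up."
        End Try
    End Sub
End Class
```

Re-running the three demo inputs against this version returns an empty grid each time, which is the check that the query text is no longer under the user's control.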