Presentation is loading. Please wait.

Presentation is loading. Please wait.

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows."— Presentation transcript:

1 Website Security ISYS 512

2 Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows Authentication: Authentication is handled by the Windows server. For IntraNet –Forms Authentication: For Internet, public access –Passport

3 Forms Authentication Use username and password to authenticate user. –Usernames and passwords can be stored in a database table, or Web.Config file. Once the Forms authentication is enabled, pages cannot be accessed unless the user has the proper authentication. Without authentication, user is redirected to a login page. If authenticated, an authorization ticket is issued in the form of a cookie and user is redirected back to the requested page.

4 Enabling Forms Authentication Set the authentication mode for the application by modifying the authentication section in the application root web.config file. Deny access to anonymous users by modifying the authentication section in the web.config file. Create a login page that enables users to enter their usernames and passwords. If authenticated, an authorization ticket is issued in the form of a cookie.

5 FormsAuthentication Class Import system.web.security namespace. Methods: –Authenticate: Validates a user name and password against credentials stored in the configuration file for an application. –RedirectFromLoginPage(String, boolean) Redirect user back to the page that sent the user to the login page, and write a cookie named.ASPXAUTH containing an Authentication Ticket. –SignOut Removes the forms-authentication ticket from the browser. –RedirectToLoginPage() Redirects the browser to the login URL.

6 User Names & Passwords Are Stored in Web.Config File

7 Using FormsAuthentication’s Authenticate Method If (FormsAuthentication.Authenticate(Login1.UserName, Login1.Password)) Then FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True) Else Response.Write("Invalid Credentials: Please try again") End If Note: Using a Login Control

8 User Names & Passwords Are Stored in a Database Table

9 LogIn Example Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select password from users where userID='" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) objConn.Open() If TextBox2.Text = objComm.ExecuteScalar Then FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True) Else Response.Write("Access denied") End If End Sub

10 SignOut Demo A signOut page with a button to SignOut; Then redirect to the home page and trigger the authentication again. –FormsAuthentication.SignOut() –Response.Redirect("webform1.aspx")

11 Web Site Administration Tool From VS 2010, click Project/ ASP.Net Configuration to open Web Site Administration Tool. –Select Authentication type: Windows authentication Forms authentication –Manage users –Manage roles –Manage access rules

12 Access Rules Allow or deny access to a particular directory by user name or role. Use Web Site Administration Tool to create and manage access rules and it will create an authorization section with Allow or Deny elements in the web.config file for that directory. The permissions established for a directory also apply to its subdirectories, unless configuration files in a subdirectory override them. Users: –ALL: Including authenticated and anonymous users. –Anonymous: Unauthenticated users.

13 User Accounts and Roles Managing user accounts and roles we can define authorization rules for accessing a particular ASP.NET page or directory for a particular user or role.

14 How to Create Users and Roles Must start SQLExpress service. –By default, ASP.Net saves users and roles data in a SQL Server Express file that is stored in App_Data folder. Click Show All Files file: App_Data\ASPNETDB.MDF From VS 2010, click Website/ASP.Net Configuration to open the Web Site Administration Tool. –Click Security Create User Create Role Create Access Rules

15 Forms Authentication Ticket After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is (typically) stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.

16 Membership Class System.Web.Security.Membership ASP.NET membership class gives you a built-in way to validate and store user credentials. –Including users created by Website Administration Tool and CreateUserWizard. Method: – ValidateUser(string username, string password)

17 Authenticate Users Using Membership Class If Membership.ValidateUser(Login1.UserName, Login1.Password) = True Then FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True) Else Response.Write("Invalid") End If

18 Example A website with a public area, such as the home page, a restricted area for members only, and an area for website’s administrator only. – The restricted area will be a subfolder of the website’s root directory. Users: –Administrator –Members: Members data are stored in a regular database. Example: Sales database’s Users table with UserID, Password and Email fields. –Anonymous users

19 Step 1: Create user and role Step 2: Create access rules: –Public area (root directory): Allow All –Membership only area: Rule 1: Allow All Rule 2: Deny Anonymous –Administrator only area: Rule 1: Deny All Rule 2: Allow administrator Step 3: Create Login.Aspx page –Password textbox: TextMode property: password

20 Code Example: One Login Page to Handle Two Types of Authentication Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL, emailAddress As String emailAddress = TextBox1.Text strSQL = "select * from users where UserID= '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() If objDataReader.Read() Then If TextBox2.Text = objDataReader("password") Then FormsAuthentication.RedirectFromLoginPage(objDataReader("UserID"), createPersistentCookie:=True) End If If Membership.ValidateUser(TextBox1.Text, TextBox2.Text) = True Then FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, createPersistentCookie:=True) End If

21 ASP.NET Login Controls The ASP.NET login controls provide a login solution for ASP.NET Web applications without requiring programming. –By default, these controls use SQLExpress database to manage users. Login control CreateUserWizard ChangePassword control

22 Cookies

23 Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys: A collection of cookie’s names Define a new cookie: –Dim CookieCID as new HttpCookie(“cid”) Add to: Response.Cookies –Response.cookies.add(cookieCID)

24 Cookie’s Properties System.Web/HttpCookie –Name –Value –Expires To write a cookie: –Response.Cookies.Add(cookieObj)

25 Creating Cookies dim cookieCID as New HttpCookie("cid") dim cookieCNAME as new HttpCookie("cname") dim dt as dateTime=dateTime.now() dim ts as new TimeSpan(30,0,0,0) cookieCID.value=textbox1.text cookieCname.value=textbox2.text cookieCID.expires=dt.add(ts) cookieCname.expires=dt.add(ts) response.cookies.add(cookieCID) response.cookies.add(cookieCNAME) Note: The name(or key)of cookieCID is “cid” FireFox: Tools/Options/Privacy

26 Reading Cookies Dim custid as string Dim custName as string custid=request.cookies("cid").value custname=request.cookies("cname").value

27 Using Cookie with DataReader Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb“ Dim objConn As New OleDbConnection(strConn) Dim strSQL As String Dim objDataReader As OleDbDataReader Dim cid As String cid = Request.Cookies("CID").Value strSQL = "select * from webcustomer where CustID= '" & cid & "'" Dim objComm As New OleDbCommand(strSQL, objConn) objConn.Open() objDataReader = objComm.ExecuteReader() If objDataReader.Read() = True Then Session("cname") = objDataReader("CustName") Response.Write(" Welcome:" & objDataReader("CustName") & " ") Else Response.Write(" We don't have your record ") End If objConn.Close() Demo:ASPNET/CookieGreeting.aspx

28 SQL Injection "SQL Injection" is an unverified/unsanitized user input vulnerability, and the idea is to convince the application to run SQL code that was not intended. Exploits applications that use external input for database commands.

29 SQL Injection Demo On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data. 1. Retrieve all records:In the textbox, enter: ‘ OR 1=1 OR CID = ‘ 2. Guess table name or field name: ‘ AND 1=(SELECT COUNT(*) FROM Orders) AND CID=‘ 3. Finding some users: ' or cname like 'S%' or cid=‘ SQLInjectionDemo

30 Demo Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\SalesDB2007.accdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) Try objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() GridView1.DataSource = objDataReader GridView1.DataBind() Catch except As SystemException Response.Write(except.Message) End Try End Sub

Download ppt "Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows."

Similar presentations

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user.

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.

Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.
Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.

Cookies. Data in Cookies Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One or more pieces of data Keys Define.
Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.

Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
ASP.NET and ADO.NET. ASP.NET Server Controls Intrinsic Controls: These controls correspond to their HTML counterparts. –Ex. Textbox, listbox, button,

ASP.NET and ADO.NET. ASP.NET Server Controls Intrinsic Controls: These controls correspond to their HTML counterparts. –Ex. Textbox, listbox, button,
VB.NET Database Tools ISYS 573. .Net Applications OLE DB Provider OLE DB Data Source OLE DB Provider ODBC Data Source SQL Server Data Source SQL Server.Net.

VB.NET Database Tools ISYS Net Applications OLE DB Provider OLE DB Data Source OLE DB Provider ODBC Data Source SQL Server Data Source SQL Server.Net.
Coding ADO.NET Objects: Connection, Command, DataReader.

Coding ADO.NET Objects: Connection, Command, DataReader.
ASP.Net AJAX. AJAX Asynchronous JavaScript and XML: – JavaScript, Document Object Model, Cascade Style Sheet, XML, server-side script such as.Net, etc.

ASP.Net AJAX. AJAX Asynchronous JavaScript and XML: – JavaScript, Document Object Model, Cascade Style Sheet, XML, server-side script such as.Net, etc.
Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:

Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:
Coding ADO.NET Objects: Connection, Command, DataReader.

Coding ADO.NET Objects: Connection, Command, DataReader.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.

Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.
Working with Session and Application Objects. Postback and Variables Variables declared in a web page including ADO.Net objects may be reinitialized and.

Working with Session and Application Objects. Postback and Variables Variables declared in a web page including ADO.Net objects may be reinitialized and.
Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.

Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.
Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.

Concurrency Control. R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.
VB.NET Database Tools ISYS 573. Microsoft Universal Data Access ODBC: Open Database Connectivity –A driver manager –Used for relational databases OLE.

VB.NET Database Tools ISYS 573. Microsoft Universal Data Access ODBC: Open Database Connectivity –A driver manager –Used for relational databases OLE.
Introduction to Web Application Development with.Net and Web Service ISYS 350.

Introduction to Web Application Development with.Net and Web Service ISYS 350.
ASP.NET and ADO.NET. Bind the DataReader to a DataGrid Dim strConn As String = Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\sales2k.mdb Dim objConn.

ASP.NET and ADO.NET. Bind the DataReader to a DataGrid Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\sales2k.mdb" Dim objConn.

Similar presentations

Ads by Google