Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user.


Website Security ISYS 512

Authentication Authentication is the process that determines the identity of a user.

Forms Authentication Uses a username and password to authenticate the user. Once Forms authentication is enabled, pages cannot be accessed unless the user has been authenticated. A user who is not authenticated is redirected to a login page. If the login succeeds, an Authentication Ticket is issued in the form of a cookie and the user is redirected back to the requested page.

Forms Authentication Ticket After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.

Forms Authentication Flow (flowchart): the user requests a page of the website. Not authenticated? Redirect to the login page. Login page: not authenticated? Stay on the login page. Authenticated? Write the Authentication Ticket as a cookie and redirect back to the website. Already authenticated? The requested page is served.

Enabling Forms Authentication 1. Set the authentication mode for the application by modifying the authentication section in the application root web.config file. 2. Deny access to anonymous users by modifying the authorization section in the same web.config file. 3. Create a login page that enables users to enter their usernames and passwords. If authenticated, an authentication ticket is issued in the form of a cookie.

Example of Web.config File
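The web.config shown on this slide did not survive the transcript; the following is an added example (not the slide's own file) that carries out the three steps above: Forms mode, a login page assumed to be named Login.aspx, and anonymous users denied. The connection string entry is an assumed convention for keeping database credentials out of the code-behind; the server, user and password values are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Assumed entry: code-behind reads it by name instead of embedding credentials.
         SERVER, USER and PASSWORD are placeholders, not values from the slides. -->
    <add name="CustomerOrders"
         connectionString="Data Source=SERVER;Initial Catalog=CustomerOrders;User ID=USER;Password=PASSWORD"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Step 1: Forms authentication; the ticket cookie is named .ASPXAUTH by default.
         Unauthenticated requests are sent to loginUrl; the ticket expires after timeout minutes. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="30" requireSSL="true" />
    </authentication>
    <!-- Step 2: "?" means anonymous users; everyone else ("*") is allowed. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <!-- The ticket cookie should not be readable from script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The login page itself is reachable without a ticket because loginUrl is exempted from the deny rule automatically; requireSSL="true" assumes the site is served over HTTPS.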

FormsAuthentication Class Must import the System.Web.Security namespace:
–using System.Web.Security;
Methods:
–RedirectFromLoginPage(String userName, bool createPersistentCookie): redirects the user back to the page that sent the user to the login page, and writes a cookie named .ASPXAUTH containing an Authentication Ticket.
–SignOut(): removes the forms-authentication ticket from the browser.
–RedirectToLoginPage(): redirects the browser to the login URL.

Assuming user names and passwords are stored in a table. Database table name: users. Fields:
–UserID, varchar(10)
–Password, varchar(20)
– , varchar(20)

Login Control Toolbox category: Login/Login. Properties:
–UserName
–Password
Event:
–Login1_Authenticate

Must Turn Off UnobtrusiveValidationMode (this tells the page not to use jQuery-based validation, which is otherwise required for the Login control's validators):

protected void Page_Load(object sender, EventArgs e)
{
    // Fall back to classic ASP.NET validation scripts; no jQuery ScriptResourceMapping needed
    Page.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None;
}

Code Example: User name and password are stored in a database table

using System.Data.SqlClient;
using System.Web.Security;

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1";
    SqlConnection objConn = new SqlConnection(strConn);
    // The user name is concatenated into the SQL text: the same pattern attacked in the SQL Injection Demo below
    string strSQL = "select * from users where userID='" + Login1.UserName + "'";
    SqlCommand objComm = new SqlCommand(strSQL, objConn);
    objConn.Open();
    SqlDataReader myReader = objComm.ExecuteReader();
    string storedPassword = null;            // stays null when no row matches
    if (myReader.Read())
        storedPassword = myReader["Password"].ToString();   // clear-text password from the users table
    // Release the reader and connection first: RedirectFromLoginPage ends the response,
    // so any code placed after it would never run
    myReader.Close();
    objConn.Close();
    if (storedPassword == null)
        Response.Write("User not exist");
    else if (Login1.Password == storedPassword)
        FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true);   // issues the .ASPXAUTH ticket cookie
    else
        Response.Write("Invalid password, Access denied");
}

SignOut Demo Requires using System.Web.Security; A signOut page with a button that calls SignOut, then redirects to the login page so that authentication is triggered again:

protected void Button1_Click(object sender, EventArgs e)
{
    FormsAuthentication.SignOut();            // removes the .ASPXAUTH ticket cookie
    FormsAuthentication.RedirectToLoginPage(); // next request must authenticate again
}

SQL Injection Demo On a web page that takes a customer ID entered in a textbox as input and then displays the customer's data:
1. Retrieve all records: in the textbox, enter: ' OR 1=1 OR CID = '
2. Guess a table name or field name: ' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='
3. Find some users: ' or cname like 'S%' or cid='

Demo

using System.Data.SqlClient;

protected void Button1_Click(object sender, EventArgs e)
{
    string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1";
    SqlConnection objConn = new SqlConnection(strConn);
    // Vulnerable on purpose: the textbox value becomes part of the SQL text, so the
    // inputs on the previous slide rewrite the WHERE clause instead of being matched as a customer ID
    string strSQL = "select * from customer where cid='" + TextBox1.Text + "'";
    SqlCommand objComm = new SqlCommand(strSQL, objConn);
    objConn.Open();
    SqlDataReader myReader = objComm.ExecuteReader();
    if (myReader.HasRows)
    {
        GridView1.DataSource = myReader;
        GridView1.DataBind();
    }
    else
        Response.Write("User not exist");
    myReader.Close();
    objConn.Close();
}
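The hardened counterpart of the two handlers above, as an added example that is not part of the slides: both queries take the user's input as a SqlParameter, so the text entered in the demo is looked up literally as a key and cannot change the WHERE clause. It assumes a connectionStrings entry named "CustomerOrders" in web.config (rather than credentials in the code-behind) and the same TextBox1, GridView1 and Login1 controls as the slides.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Customer lookup page: parameterised version of the Button1_Click demo.
protected void Button1_Click(object sender, EventArgs e)
{
    // Assumed: <add name="CustomerOrders" .../> under <connectionStrings> in web.config
    string strConn = ConfigurationManager.ConnectionStrings["CustomerOrders"].ConnectionString;
    using (SqlConnection objConn = new SqlConnection(strConn))
    using (SqlCommand objComm = new SqlCommand("select * from customer where cid = @cid", objConn))
    {
        // The value travels separately from the SQL text; "' OR 1=1 OR CID = '" is just
        // an (unmatched) customer ID. Length 10 matches the varchar(10) key on the slides.
        objComm.Parameters.Add("@cid", SqlDbType.VarChar, 10).Value = TextBox1.Text;
        objConn.Open();
        using (SqlDataReader myReader = objComm.ExecuteReader())
        {
            if (myReader.HasRows)
            {
                GridView1.DataSource = myReader;
                GridView1.DataBind();
            }
            else
                Response.Write("Customer not found");
        }
    }   // using blocks close the reader and connection on every path, including exceptions
}

// Login page: same fix for Login1_Authenticate. Setting e.Authenticated lets the Login
// control issue the ticket and redirect, so nothing has to run after Response.End.
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    string strConn = ConfigurationManager.ConnectionStrings["CustomerOrders"].ConnectionString;
    using (SqlConnection objConn = new SqlConnection(strConn))
    using (SqlCommand objComm = new SqlCommand("select Password from users where userID = @uid", objConn))
    {
        objComm.Parameters.Add("@uid", SqlDbType.VarChar, 10).Value = Login1.UserName;
        objConn.Open();
        object stored = objComm.ExecuteScalar();   // null when no such user
        // Clear-text comparison, as in the users table on the slides; with hashed storage
        // the stored hash would be verified here instead of compared directly.
        e.Authenticated = stored != null && Login1.Password == stored.ToString();
    }
}
```

A single "login failed" message for both an unknown user and a wrong password (the Login control's default FailureText) also avoids telling a caller which user names exist, which the separate "User not exist" message on the slides reveals.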