PROG 11044 Advanced Web Applications With .NET: User Authentication & Authorization


1 PROG 11044 Advanced Web Applications With .NET: User Authentication & Authorization

2 10/28/2015 Wendi Jollymore, ACES
User Authentication
Can be used on web sites for:
- Saving user preferences (e.g. skins, colours)
- Limiting access to pages or data (e.g. "members only", co-authors of a blog)
- Protecting sensitive information (e.g. users who shop at your site may store their credit card and other account info)

3 Authentication / Authorization
Authentication
- Determining a user's identity
- How you validate the identity with some authority or source
- Credentials = the user's information
- Occurs before you authorize a user
Authorization
- Determining if an authenticated user has access to a resource, application, etc.
- Occurs after authentication
- A user can be authenticated but not authorized to have access to a specific resource.

4 Types of Authentication
There are three types of authentication you can use in ASP.NET:
- Windows
- Passport
- Forms

5 Types of Authentication
Windows Authentication
- Used with IIS
- Authenticates users based on their Windows accounts; you would need to have the permissions to create and modify individual Windows user accounts.
- Use this only for local applications.

6 Types of Authentication
Passport Authentication
- Uses the authentication service provided by Microsoft ("Microsoft Passport")
- Your site might be registered with and be a member of the Microsoft Passport service.
- Users would not only have access to your page; they would be members of other sites also, using the same account information.
- You would be dependent on the Microsoft Passport service for user accounts.

7 Types of Authentication
Forms Authentication
- An HTML form collects credentials from the user
- You write the code to authenticate the credentials
- Can use a cookie to maintain the authentication information; this allows the user to "stay logged in" while they browse around your site.
- You can decide how to maintain user information (i.e. a Users table in a database?)

8 Types of Authentication
Forms Authentication would be the preferable method
- Allows you the most flexibility
- You can design your own form to capture the credentials
- You can write your own authentication code

9 How Forms Authentication Works
- Unauthenticated users visiting any page are redirected to the Login page
- A cookie is created and stored when the user is authenticated
- Authenticated users can be granted or denied access to resources
- Unauthenticated users are by default IUSR_Anonymous

10 Passwords & Encryption
- This is a huge topic, so this is just a simplification
- Passwords should not be stored as plain text in a table
- They also should not be "compared" using plain text, e.g. if (password.Equals("whatever"))
- Passwords should be stored/compared using encrypted values

11 One-Way vs. Two-Way Encryption
One-Way Encryption
- A piece of text is encrypted
- The encrypted value is stored somewhere
- It is not decrypted
- A person enters plain text, which is encrypted, and both encrypted values are compared
Two-Way Encryption
- A piece of text is encrypted
- The encrypted value is decrypted by the person receiving or processing the sensitive data
- Common when sending documents

12 Passwords & Encryption
One-Way Encryption is very useful for passwords
- User enters a password
- Program encrypts the password
- Program looks up the encrypted password value in a table
- Both encrypted values are compared
- If they match, success!
Also called hashing or irreversible encryption

13 Passwords & Encryption
Disadvantage of One-Way encryption
- Can't decrypt the encrypted value
- Can be hard to retrieve a lost password
Ideas:
- Reset the password to something temporary and email it to the user.
- Send them a URL that allows them to save a new password.

14 Encryption Algorithms
Some popular one-way encryption algorithms:
- MD5 (Message Digest algorithm 5): 128-bit hash code; somewhat secure; somewhat efficient
- SHA-1 (Secure Hash Algorithm): 160-bit hash code; somewhat secure, somewhat efficient
- SHA-2: refers to a collection of algorithms that are more secure than SHA-1

15 Encryption Algorithms Continued…
- SHA-2 consists of SHA256, SHA384, SHA512
- These are 256-, 384-, and 512-bit hash codes
- SHA256 and SHA384 as secure as SHA-1 or MD5, but a lot slower
- SHA512 is extremely secure, but extremely slow

16 Encryption Algorithms
RIPEMD-160
- Stands for RACE Integrity Primitives Evaluation Message Digest
- RACE stands for Research and Development in Advanced Communications Technologies in Europe
- 160-bit hash code based on MD4 (precursor to MD5)

17 Authentication in ASP.NET
- Create a Users table in your KaluhaBooks database: see the table description in the notes (ADO.Net/Authentication & Authorization)
- We'll be using MD5 encryption: 128-bit hash code
- The Password field in the Users table has to be a binary type, 16 bytes
- Create a new Web Project

18 Authentication in ASP.NET
- Add a Web.config file
- Add a connection string element
- In your web.config file, you can define how your application should handle authentication and authorization
- In our example, we will redirect unauthenticated users to a Login/Registration page

19 Authentication in ASP.NET
The <authentication> element in web.config:
- Inside the <system.web> element
- One attribute: mode="Forms/Passport/Windows/None"
- This indicates what mode of authentication your app should use
- None means no authentication or some form of custom authentication

20 Authentication in ASP.NET

21 Authentication in ASP.NET
The <forms> element in web.config:
- Inside the <authentication> element
- Defines how forms authentication will work in your application
- name attribute: the name of the cookie that will be placed on the authenticated user's machine
- loginUrl attribute: the URL of the login page, where unauthenticated users will automatically be redirected

22 Authentication in ASP.NET
<forms name=".MYFIRSTAUTH" loginUrl="login.aspx" />

23 Authentication in ASP.NET
Other attributes you can use in the <forms> element:
- timeout="60": the amount of time, measured in minutes, after which the cookie will expire. The default value is 30.
- path="/": the path where the cookie is created. The default value is "/", which is fine to use at this point.

24 Authentication in ASP.NET Continued…
protection="None/Encryption/Validation/All" (attribute names in web.config are case-sensitive)
How the cookie data is protected. Possible values include:
- None: stored in plain-text format; not recommended
- Encryption: encrypts the cookie information in either the TripleDES or DES (Data Encryption Standard) encryption formats.
- Validation: no encryption is used, but the information within the cookie is validated to determine if it was altered between requests.
- All: utilizes both validation and encryption to protect the cookie data

25 Authentication in ASP.NET
The <authorization> element in web.config:
- Inside the <system.web> element
- Defines which authenticated and unauthenticated users have access to which resources (e.g. pages)
- Can contain two elements: <allow> and <deny>

26 Authentication in ASP.NET
<allow> and <deny> elements
- Define authorization rules: which users should be denied or allowed access to pages
- Possible values for the users attribute:
  - * = all users
  - ? = anonymous users (IUSR_Anonymous)
  - Any name of a specific user or role
  - Multiple users/roles separated by commas

27 Authentication in ASP.NET
<deny users="?" />
This authorization rule denies access to all anonymous users. They will automatically be redirected to our login/registration page.
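The pieces from slides 18 to 27 assembled into one web.config, as an added example rather than the course's own file. The connection string value is a placeholder, and requireSSL="true" on <forms> goes beyond the slides: it marks the authentication cookie Secure so the browser only sends it over HTTPS, which matters because anyone who can read the cookie off the wire can present it as the logged-in user.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder: substitute the KaluhaBooks connection string from the notes -->
    <add name="KaluhaBooks"
         connectionString="[your connection string here]"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Slide 19: mode selects Forms / Passport / Windows / None -->
    <authentication mode="Forms">
      <!-- Slides 21-24: cookie name, login page, timeout in minutes, cookie path,
           and protection="All" (encrypted and validated cookie data).
           requireSSL is an addition beyond the slides. -->
      <forms name=".MYFIRSTAUTH"
             loginUrl="login.aspx"
             timeout="60"
             path="/"
             protection="All"
             requireSSL="true" />
    </authentication>
    <!-- Slides 25-27: "?" is the anonymous user, so this rule sends every
         unauthenticated request to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With this in place, a request for any page in the application from a browser without a valid .MYFIRSTAUTH cookie is redirected to login.aspx with the original URL in the ReturnUrl query string, which is what RedirectFromLoginPage later uses to send the user back.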

28 Exercise
Once you've updated your web.config file:
- Add some stuff to the main page of your project: anything you want (headings, images, text, whatever). This will be our "home page" for our site.
- Add a second web form to your project. Call it "login.aspx", the same value as in your loginUrl attribute in the <forms> element.

29 The Login Control
- ASP.NET 2.0 has a new set of Login controls!
- The Login control contains all the elements you need to allow user logins

30 The Login Control - Properties
- CreateUserUrl: the URL or page name (if in the same folder) of a registration page
- CreateUserText: the text that will appear as a link below the login/password fields. When clicked, it will take the user to the registration page as defined in CreateUserUrl.

31 The Login Control - Properties
- DestinationPageUrl: URL where the user is directed after a successful login
- DisplayRememberMe (true/false): displays a check box that the user can check if they want to stay logged in beyond the normal timeout period. If checked by the user, it sets a persistent cookie so they don't have to be re-authenticated each time they come to your site. You can change the expiry date of this cookie in your code.

32 The Login Control - Properties
- FailureAction, FailureText: what should happen if authentication fails.
  - "Refresh" (default): the entire page will refresh, displaying the value of the FailureText property.
  - "RedirectToLoginPage": the user will be sent back to the login page, as defined in the web.config file.

33 The Login Control - Properties
- InstructionText: any instructions you'd like displayed to the user.
- LoginButtonType: type of Login button you'd like (Button, Link, Image).
- LoginButtonText: if LoginButtonType is Button or Link, defines what text appears on the button/link.
- LoginButtonImageUrl: if LoginButtonType is set to Image, contains the location of the image.

34 The Login Control - Properties
- Orientation: alignment of controls
- PasswordLabelText: text that appears in the label in front of the password field
- PasswordRequiredErrorMessage: error message that is displayed for the required field validator associated with the password field.

35 The Login Control - Properties
- RememberMeSet: default value of the Remember Me check box
- RememberMeText: text that appears in front of the Remember Me check box.
- TitleText: the title that appears along the top of your login control.

36 The Login Control - Properties
- UserName: default user name in the User Name field
- UserNameLabelText: text that appears in the label in front of the user name field
- UserNameRequiredErrorMessage: error message displayed for the required field validator associated with the user name field.

37 The Login Control - Events
Authenticate()
- Triggered when the user presses the Login button on the Login control
- You can write code to hash the password entered and compare it to the database value

38 Exercise
Create the Login.aspx page according to the instructions/tutorial in the notes: ADO.NET, Authentication & Authorization, "Creating a Login/Registration Page"
- You've done Steps 1 and 2 already
- Start with Step 3

39 More Useful Classes/Methods
MD5CryptoServiceProvider class
- In the System.Security.Cryptography namespace
- Performs one-way MD5 encryption
- ComputeHash() method: accepts a byte[] as the value to encrypt and returns a byte[] as the encrypted value

40 More Useful Classes/Methods
UTF8Encoding class
- In the System.Text namespace
- Used to encode Unicode characters
- GetBytes(string) method: takes the string and returns it as a byte[]

41 More Useful Classes/Methods
FormsAuthentication class
- In the System.Web.Security namespace
- Handles forms authentication services and utilities
- RedirectFromLoginPage(username, persist): redirects the authenticated user back to the original page they requested and creates the cookie
  - username = string to identify the "authentication ticket"
  - persist = boolean value: whether or not the cookie lives across multiple sessions
  - Optional third string argument = alternate URL where the authenticated user should be sent
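The hash-and-compare flow from slides 10 to 12 and the classes from slides 37 to 41, written out as an added example; this is not the course notes' code. Login1 is the assumed ID of the Login control, and LookUpStoredHash is a hypothetical stand-in for the ADO.NET query against the Users table. The PBKDF2 part is the editor's hardened alternative, not something the slides cover: MD5 is fast and unsalted, so anyone who obtains a copy of the Users table can test candidate passwords against it at very high speed, and identical passwords produce identical stored values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI.WebControls;

// Hashing helpers for the login/registration pages (added example).
public static class PasswordHashing
{
    // Slides 39-40: UTF8Encoding.GetBytes, then MD5CryptoServiceProvider.ComputeHash.
    // The result is 16 bytes, matching the binary(16) Password column.
    public static byte[] Md5Hash(string password)
    {
        byte[] plain = new UTF8Encoding().GetBytes(password);
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(plain);
        }
    }

    // Compare the stored and entered hashes in time that does not depend on
    // where they first differ. (a == b on byte[] compares references, not contents.)
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Hardened alternative (editor's addition, not in the slides): a random
    // per-user salt plus PBKDF2 (Rfc2898DeriveBytes) with a high iteration
    // count. Store salt and hash together; the salt is not secret.
    public const int Iterations = 100000;

    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    public static byte[] Pbkdf2Hash(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(32);
        }
    }
}

// Code-behind for login.aspx. Login1 is the assumed ID of the Login control,
// wired with OnAuthenticate="Login1_Authenticate" in the markup.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;
        byte[] stored = LookUpStoredHash(login.UserName);
        byte[] entered = PasswordHashing.Md5Hash(login.Password);

        // Slide 10: never compare plain text; compare the two hash values.
        e.Authenticated = stored != null && PasswordHashing.FixedTimeEquals(stored, entered);

        // With e.Authenticated set, the Login control issues the forms cookie
        // (persistent if Remember Me was checked) and redirects to
        // DestinationPageUrl or the originally requested page. On failure it
        // shows FailureText; using the same message for an unknown user and a
        // wrong password avoids confirming which user names exist.
    }

    // Slide 41: when authenticating from a hand-written form instead of the
    // Login control, create the cookie and send the user back to the page
    // they originally asked for.
    protected void SignIn(string userName, bool persistCookie)
    {
        FormsAuthentication.RedirectFromLoginPage(userName, persistCookie);
    }

    // Hypothetical stand-in for the ADO.NET query against the Users table
    // (a parameterised SELECT of the Password column by user name).
    // Returns null when the user does not exist.
    private byte[] LookUpStoredHash(string userName)
    {
        throw new NotImplementedException("query the Users table here");
    }
}
```

Md5Hash reproduces exactly what the slides ask for, so its output can be written to the 16-byte binary Password column during registration and compared at login. If you later switch to Pbkdf2Hash, the column needs room for a 32-byte hash plus a 16-byte salt, and a password is verified by recomputing the hash with the user's stored salt and passing both values to FixedTimeEquals.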

42 Exercise
- Complete the tasks under the "Registering Users" section
- When completed, make sure it works
- Make sure you have a couple of good user/passwords in your table so we can code the login section

43 Exercise
- Complete the tasks under the "Validating Users" section
- When completed, make sure it works: try logging in with valid and invalid logins/passwords!

