Authentication Security

David Kyle

Hello Guys (and Girls),



I've developed a few web applications now all using a SQL Server database
for a backend. Up until now I have tried multiple approaches to
Authorization and Authentication but this time I decided that I would use
industry standards inside of .NET.



There's a tremendous amount of information out there with regards to this.
After sifting through it all I believe I would like to use Forms
Authentication and .NET roles Authorization but I have a few questions with
regards to the security.



One, I've encountered a number of examples where they hold the role
information for each authenticated user in the
AuthenticationTicket.UserData. How secure is this? I would be worried that
the user could edit the contents of the cookie (if they knew the encryption
key) and grant themselves more access to areas they shouldn't be allowed
access to? Would it not be more secure to hold this information in the
Session Object? This would also apply to their LoginID.



Basically I guess I'm wondering how hard is it for them to break the
encryption that the AuthenticationTicket undergoes.



Also, what is the standard way to limit any access to an aspx page based on
a role?



Finally, how can I limit access to a file like a .pdf file through a .NET
role?



Any help on any of these topics would be greatly appreciated. Thanks in
advance.



Cheers!



David Kyle

Web Developer

www.chloemag.com


Joe Fallon

I use 2 classes to implement IPrincipal and IIdentity.
In them you have things like IsAuthenticated and Name and Roles.
(I also add other things that are not part of the interface.)

When the user logs in you use the Login method to communicate the
credentials to your DB and verify them.
If they are successful then you store the Principal object in Session and
RedirectFromLogin.

Forms Authentication sends them an encrypted cookie.
This lets them get past the login page to the protected pages in your app.

In Global.asax you trap the AcquireRequestState event and pull your
Principal object out of Session and set the current thread to use it. This
way every page in your app has access to your custom Principal.
So at the top of each page you can write code like:
If Not MyUser.IsInRole("Admin") Then
    Response.Redirect("~/") 'Redirect to Home page
End If

HTH

PS - Rocky Lhotka's CSLA Framework explains this all in great detail.
Excellent book too.
http://www.lhotka.net/ArticleIndex.aspx?area=CSLA .NET
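The approach Joe describes, written out in C# as an added example (this is not code from either post or from CSLA). It assumes a hypothetical UserStore.Validate that checks the credentials against the SQL Server back end and UserName/Password/ErrorLabel controls on the login page; it also handles the case where the Forms cookie is still valid but the Session holding the roles is gone.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;
// Identity carrying the LoginID as an extra property beyond the interface.
public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name, int loginId) { Name = name; LoginId = loginId; }
    public string Name { get; private set; }
    public int LoginId { get; private set; }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}
public sealed class AppPrincipal : IPrincipal
{
    private readonly string[] roles;
    public AppPrincipal(AppIdentity id, string[] roles) { Identity = id; this.roles = roles; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return Array.IndexOf(roles, role) >= 0; }
}
// Login.aspx.cs: roles are looked up server-side and kept in Session; the Forms
// cookie only proves the browser logged in and carries no roles to tamper with.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        int loginId; string[] roles;
        if (!UserStore.Validate(UserName.Text, Password.Text, out loginId, out roles)) // hypothetical DB check
        { ErrorLabel.Text = "Invalid login"; return; }
        Session["Principal"] = new AppPrincipal(new AppIdentity(UserName.Text, loginId), roles);
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
// Global.asax.cs: attach the stored principal to the request and the thread.
public class Global : HttpApplication
{
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if (Context.Session == null) return;              // no session for this handler (e.g. static files)
        var principal = Context.Session["Principal"] as AppPrincipal;
        if (principal == null)
        {   // valid cookie but no server-side state (expired session or app recycle): force a fresh login
            if (Request.IsAuthenticated) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); }
            return;
        }
        Context.User = principal;           // now every page can call User.IsInRole("Admin")
        Thread.CurrentPrincipal = principal;
    }
}
```

Because the roles never leave the server, editing the cookie cannot add roles; what still matters is that the ticket itself cannot be forged or altered, so keep the forms element at protection="All" (encryption plus validation) in web.config.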