In our daily work there is not a single day when we don’t check our Facebook, Twitter or Gmail accounts. But have we ever thought about the security of all the web pages we use? In my last blog I described the different types of threats that can attack your web application. Now let’s see how we can protect a web application from those threats.
If you are developing an ASP.NET web application, there are two major security functions that should be performed: authentication and authorization.
Authentication verifies who the user accessing the web page is. The application asks the user for credentials, typically a user name and password, and only after those have been checked can the user use the website. It’s like the key to your house: without the right key you cannot get in. ASP.NET offers three authentication modes: windows authentication, forms authentication and passport authentication (a fourth setting, None, turns ASP.NET authentication off).
Authorization specifies whether the user who has logged in has the right to use particular features of the site. To continue the household analogy: a kid is allowed into the house but is not allowed to switch on the gas in the kitchen.
The main point to note is that authorization always comes after authentication: you cannot decide what a user may do until you know who the user is.
Nowadays many websites ask you to register and become a member before you can use certain services. By requiring a login before serving protected content, the site limits its exposure: anonymous visitors can reach only what you explicitly allow, and every action on a protected page can be tied to an identity.
How does it work?
Let us look at the scenario in which a user gets authenticated to access an application.
Forms authentication mode
First the user or client sends a request to IIS for a resource. For forms authentication, IIS is normally configured to allow anonymous access, so it passes the request on to the ASP.NET application without checking credentials itself; checking credentials is the application’s job.
ASP.NET authentication then takes place: the FormsAuthenticationModule checks whether the request carries the forms authentication cookie, which holds an encrypted and signed ticket with the user name and an expiry time.
If the cookie is not present, the user is redirected to the login page (the originally requested URL is passed along in the ReturnUrl query string), where the user enters his credentials. The application logic then checks the credentials, for example against a membership database. On success the application issues a forms authentication ticket containing the user name, and the browser sends it back as a cookie with every later request.
On each request the cookie is validated using a message authentication code (MAC) computed with the key configured in the <machineKey> element, so a cookie that has been altered on the client side is rejected rather than trusted. The ticket can also be encrypted so that the user name is not readable in transit.
After the cookie is validated, and if the user is authorized for the resource, the protected resource is returned; otherwise the user is sent to the login page or to an access denied page.
Now, let us see how to configure the web application for forms authentication:
First, open the Web.config file of your project (add one if it is missing). Inside <system.web>, add the <authentication> element and set its mode attribute to Forms.
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Login.aspx" /> <!-- loginUrl points to your login page -->
      </authentication>
    </system.web>
The mode can be Windows, Forms, Passport or None. The default is Windows, so for forms authentication you must change it to Forms.
Inside the <forms> element, loginUrl gives the page where unauthenticated users are sent to enter their credentials, and defaultUrl gives the page they land on after a successful login when no ReturnUrl was supplied. Note that these two attributes only say where to send users; they do not by themselves stop anyone from opening other pages. That restriction comes from the <authorization> element described later in this post.
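The following Web.config is an added example and not code from the original post. It shows the <forms> element with the attributes a practitioner would normally set alongside loginUrl and defaultUrl, plus the <machineKey> and <httpCookies> settings that back the cookie validation described above. The page names, the cookie name and the 20-minute timeout are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: forms authentication configuration (not from the original post).
     Page names, cookie name and timeout are assumed values. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             name=".MYAPPAUTH"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
      <!-- requireSSL: the ticket cookie is only sent over HTTPS.
           cookieless="UseCookies": never carry the ticket in the URL, where it would
           leak through logs and Referer headers.
           protection="All": ticket is both encrypted and signed with the machine key. -->
    </authentication>

    <!-- Keys used to sign (validation) and encrypt (decryption) the ticket. AutoGenerate
         is fine for a single server; a web farm needs explicit, shared keys so that a
         ticket issued by one server validates on the others. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />

    <!-- Mark all cookies HttpOnly so script on the page cannot read the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With protection="All" and the <machineKey> settings above, the MAC check on every request means a cookie that has been edited on the client is discarded and the user is treated as anonymous, which is the behaviour the step-by-step flow above relies on.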
The second authentication mode is windows authentication.
Here authentication is done by Microsoft Internet Information Services (IIS) before the request reaches your code. IIS supports three ways of authenticating: Basic, Digest, or Integrated Windows Authentication (NTLM or Kerberos). Basic sends the password only base64-encoded, so it should be used over SSL only. When IIS authentication is complete, ASP.NET uses the authenticated Windows identity to authorize access.
This mode is used when you want minimal ASP.NET code for authentication, typically for intranet applications where users already have Windows accounts. With impersonation enabled, the ASP.NET request runs under the authenticated user’s Windows identity rather than the worker process account, so file system ACLs and other Windows permissions are applied to that user.
To use windows authentication, include the following in Web.config. Note that <identity> is a sibling of <authentication> under <system.web>, not a child of it.
    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="true" />
    </system.web>
Passport Authentication Mode:
This is a centralized authentication service provided by Microsoft that offers single sign-on and core profile services for member sites. The advantage is that a user who has already signed in to Passport need not log on again to reach your protected resource. Passport is a cookie-based authentication service. (Microsoft has since retired the Passport network, and the Passport mode is marked obsolete in current versions of ASP.NET, so it is described here for completeness only.)
Here, when the client issues a request, the client’s cookies are examined for a Passport authentication ticket. If the ticket is valid the client is authenticated. If the request does not contain a Passport ticket, the client is redirected to the Passport login service, which returns the login form to the client. The client fills in the form and posts it to the login server over SSL (Secure Sockets Layer). The login server authenticates the user and redirects the client back to the protected resource with an encrypted Passport ticket in the query string. The client follows the redirect and requests the original protected resource again with that ticket. This time the Passport authentication module on the originating server detects the ticket, validates it and sets the Passport cookie. If that succeeds, the request is authenticated.
Once authentication is done, the user is authorized so that he can use the resources available to his role. To control this, add an <authorization> element next to <authentication> under <system.web>. The following allows all authenticated users and turns away anonymous ones.
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
In the above code, all users are allowed except anonymous users. Anonymous users are specified with “?” and all users with “*”. Rules are evaluated top to bottom and the first match wins, so the <deny> must come before the <allow>; with the order reversed, “*” would match everyone, anonymous users included. Listing users and/or roles in the <allow> or <deny> elements of the <authorization> section of a configuration file is called URL authorization, because the rules are applied to the URL being requested.
Another way of performing authorization is file authorization, which is available only with windows authentication. Here ASP.NET checks the NTFS access control list of the requested file (for example an .aspx page) against the authenticated Windows user, so permissions are managed on the file system rather than in Web.config.
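The following configuration is an added example, not code from the original post. It shows URL authorization beyond the single site-wide rule: the login page kept open to anonymous users (otherwise the forms redirect loops), an Admin folder limited to one role, and the same syntax applied to a Windows domain group when windows authentication is used. The folder names, the Admin role and the CONTOSO domain are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: URL authorization rules (not from the original post).
     Folder names, the "Admin" role and the CONTOSO domain are assumed values. -->
<configuration>
  <system.web>
    <!-- Site-wide default. First matching rule wins, so deny anonymous ("?")
         before allowing everyone ("*"). Reversed, "*" would match first and
         anonymous users would get in. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- The login page must stay reachable anonymously, or unauthenticated users
       are redirected to a page they are not allowed to open. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Rules for a sub-path are checked before the site-wide ones. Members of
       the Admin role pass; everyone else, authenticated or not, is denied.
       Without the closing deny, the site-wide "allow *" would let any
       logged-in user through. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- With authentication mode="Windows" the same elements take domain
       accounts and groups in DOMAIN\name form. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\Finance" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying rules like these: open the Admin folder as an authenticated non-admin user and confirm you are redirected (to the login page under forms authentication, or shown a 401 under windows authentication) rather than served the page. If the page appears, a rule order or a missing closing <deny> is the usual cause.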
Using the approaches above you can provide better security for your web application. But there are other security measures to take care of while developing an application: authentication and authorization decide who gets in, not what the application does with the input they send once inside. A well-designed and carefully developed application or website avoids most security problems.
Got a question for us? Mention them in the comments section and we will get back to you.