ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

transcript

ASP.NET 2.0

Chapter 6Securing the ASP.NET Application

Objectives

ASP.NET 2.0, Third Edition 2

Building Information Management Security Policies

• Security needs to be at the forefront when designing a web application– The internet is widely accessible and there is always

going to be people attempting to get secured information

– Challenges to security include the constant changes in operating systems and software

• Privacy and security are tied together– Breaches in web security are linked to consumer distrust– It’s important to have a company-wide policy about the

privacy of their customer’s information

Security Policies• Hackers use multiple methods to get private data, including cross-

site scripting• Companies should have their privacy and security policies on their

web site with a third party providing security checks• Consider the Windows Security Model

– Web application and web server security protects access to web resources, and Windows security protects access to file system resources

• Web applications that integrate other applications, such as a database, will have additional layers of security

Privacy Policies

• A privacy policy is often used to inform the user about the type of information being collected and about what is being done with that information– The privacy policy is shown on the web page or as

a pop-up to the user before accessing the site• Platform for Privacy Preferences (P3P)

standards provide a way for browsers to obtain the privacy policy for any particular web site

Passing Valid Data from a Web Form

• Form fields pass data that is received as a string• When data is received in the intended format, it is

called valid data• Valid data or the lack thereof can become important

because this data is often inserted into databases, used by other applications, or misused by hackers to gain access to you web server

• Validation controls are used to validate the format of the data

• Regular Expressions are used to validate custom data formats

Understanding Validation Controls

Understanding Validation Controls (continued)

Building Regular Expressions

Building Regular Expressions (continued)

Validating Form Data with Validation Controls

5/19/08 Start

Maintaining State

• Web developers need to be able to identify the user with each subsequent page visited

• Keeping track of information about users as they are visiting a site is called maintain state

• There are three methods to maintain state– Client-side cookies– HTTP cookies– Without HTTP cookies

Maintaining State with Client-Side Cookies

Maintaining State with Client-Side Cookies (continued)

Other Ways

• Hidden fields• URL Encoding

CBS 19

Storing Session Data

• Companies use web servers networked together to create a web farm– In a web farm, load balancing servers will redistribute

the clients based on the workload of the servers• Some companies expand their web sites across

multiple computer processing units (CPUs), within a single physical server called a web garden

• User information is retrieved by HTTP headers using the ServerVariables collection and some are retrieved from the properties of the Session object

Storing and Retrieving Session Data

Storing Session Data

Storing Session Data (continued)

Application Configuration

• A web application is a group of files and folders (including virtual folders) located under the web application’s root directory

• You can maintain information across the entire web application with the Application object, which stores the application variables in the server’s memory

• The web server can be configured by using the property pages within the Microsoft Management Console (MMC) application, in the ASP.Net web configuration files, or in the Web Site Administration Tool (WSAT)

Viewing and Understanding the Web Server Property Sheets

Viewing and Understanding the Web Server Property Sheets (continued)

Understanding Application Configuration Files

Understanding Application Configuration Files (continued)

Membership Services

• Two main principles of security are authentication and authorization– Authentication is the process of validating the

identity of the request– Authorization is the process of ensuring that you can

only access the resources made available to you by the system administrators

• The Windows NTFS file system allows you to set permissions on individual files and folders using an access control list (ACL)

Implementing Authorization

Authenticating Users with Forms Authentication

• Forms authentication is a cookie-based authentication method

• Every packet of information over the web is sent with a host header, which contains information about the sender and the request

• ASP.net determines if a FormsAuthentication cookie is present in the header packet– If the cookie is not present, the user is redirected

to the login pageASP.NET 2.0, Third Edition 38

Implementing Authentication

• The authentication method is configured in the authentication element in the web configuration file.

• The mode attribute is assigned to one of the authentication methods:– None (no authentication required)– Anonymous authentication– Basic authentication– Windows authentication

Using Web Controls to Maintain Security

• There are several built-in Web controls that can be used to maintain security within your web application, which include:– Login Control– Password Recovery Control– Login Status Control

Summary• Validation controls are a form of ASP.NET controls that allow you to assign

validation rules to other controls. You can build custom validation rules to validate your form fields, or use one of the standard Validation controls with a custom Regular Expression.

• A cookie can be used to maintain information across multiple sessions for a specific user. A cookie is a text file that is stored on the client’s computer. Your web sites should educate and inform users about the use of cookies, and about how the cookie affects their computer system. A cookie is passed in the HTTP header with the other HTTP server variables.

• The SessionID property is assigned by the server, and provides a way to identify the client during the user session. Sessions require the user to support HTTP cookies.

Summary (continued)• You can store session data within the web server process, the State

Server, or a SQL Server database. State Server is a Windows service that must be turned on before session data can be stored in the State Server. If the web server crashes, any session data within the State Server or SQL Server persists.

• A web application is a group of files and folders. The IIS web server software configures the web application using the MMC with the WSAT, or you can configure it via the web application configuration files.

• The web.config file configures the web application. The machine.config file maintains information that is used across .NET applications.

• Authentication is the process of validating the identity of the request. Authorization is the process of validating the user access privileges to the resources. You can configure forms authentication in the web.config file.

Summary (continued)• Authorization within an ASP.NET application is conducted via the

web.config file, WSAT, or via the Windows NTFS permissions.

• You can configure web applications to support various types of authentication. Anonymous authentication means that the user does not have to log in with a special account. The Internet Guest Account represents the client. Basic authentication sends the login data as clear text. Windows authentication allows the user to log in without sending his or her login over the Internet. Forms authentication is a new technique in ASP.NET to protect the web application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Documents