PROG 11044 Advanced Web Applications With .NET User Authentication & Authorization

Upload: octavia-moody

Post on 03-Jan-2016

229 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: PROG 11044 Advanced Web Applications With.NET PROG 11044 Advanced Web Applications With.NET User Authentication & Authorization

PROG 11044
Advanced Web Applications With .NET
User Authentication & Authorization

Page 2

04/20/23 Wendi Jollymore, ACES 2

User Authentication

Can be used on web sites for:
- Saving user preferences, e.g. skins, colours
- Limiting access to pages or data, e.g. "members only", co-authors of a blog
- Protecting sensitive information, e.g. users who shop at your site may store their credit card and other account info

Page 3

Authentication / Authorization

Authentication
- Determining a user's identity
- How you validate the identity with some authority or source
- Credentials = the user's information
- Occurs before you authorize a user

Authorization
- Determining if an authenticated user has access to a resource, application, etc.
- Occurs after authentication

A user can be authenticated but not authorized to have access to a specific resource.

Page 4

Types of Authentication

There are three types of authentication you can use in ASP.NET:
- Windows
- Passport
- Forms

Page 5

Types of Authentication

Windows Authentication
- Used with IIS
- Authenticates users based on their Windows accounts
- You would need the permissions to create and modify individual Windows user accounts
- Use this only for local applications

Page 6

Types of Authentication

Passport Authentication
- Uses the authentication service provided by Microsoft: "Microsoft Passport"
- Your site might be registered with and be a member of the Microsoft Passport service
- Users would not only have access to your page; they would be members of other sites also, using the same account information
- You would be dependent on the Microsoft Passport service for user accounts

Page 7

Types of Authentication

Forms Authentication
- An HTML form collects credentials from the user
- You write the code to authenticate the credentials
- Can use a cookie to maintain the authentication information; this allows the user to "stay logged in" while they browse around your site
- You decide how to maintain user information (e.g. a Users table in a database)

Page 8

Types of Authentication

Forms Authentication would be the preferable method:
- Allows you the most flexibility
- You can design your own form to capture the credentials
- You can write your own authentication code

Page 9

How Forms Authentication Works

- Unauthenticated users visiting any page are redirected to the Login page
- A cookie is created and stored when the user is authenticated
- Authenticated users can be granted or denied access to resources
- Unauthenticated users are by default IUSR_Anonymous

Page 10

Passwords & Encryption

This is a huge topic, so this is just a simplification.
- Passwords should not be stored as plain text in a table
- They also should not be "compared" using plain text, e.g. if (password.equals("whatever"))
- Passwords should be stored and compared using encrypted values

Page 11

One-Way vs. Two-Way Encryption

One-Way Encryption
- A piece of text is encrypted
- The encrypted value is stored somewhere
- It is not decrypted
- A person enters plain text, which is encrypted, and both encrypted values are compared

Two-Way Encryption
- A piece of text is encrypted
- The encrypted value is decrypted by the person receiving or processing the sensitive data
- Common when sending documents

Page 12

Passwords & Encryption

One-Way Encryption is very useful for passwords:
1. User enters a password
2. Program encrypts the password
3. Program looks up the encrypted password value in a table
4. Both encrypted values are compared
5. If they match, success!

Also called hashing or irreversible encryption.

Page 13

Passwords & Encryption

Disadvantage of One-Way encryption
- Can't decrypt the encrypted value
- Can be hard to retrieve a lost password

Ideas:
- Reset the password to something temporary and email it to the user
- Send them a URL that allows them to save a new password

Page 14

Encryption Algorithms

Some popular one-way encryption algorithms:
- MD5 (Message Digest algorithm 5): 128-bit hash code; somewhat secure; somewhat efficient
- SHA-1 (Secure Hash Algorithm): 160-bit hash code; somewhat secure, somewhat efficient
- SHA-2: refers to a collection of algorithms that are more secure than SHA-1

Page 15

Encryption Algorithms

Continued...
- SHA-2 consists of SHA256, SHA384 and SHA512
- These are 256-, 384- and 512-bit hash codes
- SHA256 and SHA384 are as secure as SHA-1 or MD5, but a lot slower
- SHA512 is extremely secure, but extremely slow

Page 16

Encryption Algorithms

RIPEMD-160
- Stands for RACE Integrity Primitives Evaluation Message Digest
- RACE stands for Research and Development in Advanced Communications Technologies in Europe
- 160-bit hash code based on MD4 (precursor to MD5)

Page 17

Authentication in ASP.NET

Create a Users table in your KaluhaBooks database:
- See the table description in the notes: ADO.Net/Authentication & Authorization
- We'll be using MD5 encryption (128-bit hash code), so the Password field in the Users table has to be a binary type, 16 bytes

Create a new Web Project.

Page 18

Authentication in ASP.NET

- Add a Web.config file
- Add a connection string element
- In your web.config file, you can define how your application should handle authentication and authorization
- In our example, we will redirect unauthenticated users to a Login/Registration page

Page 19

Authentication in ASP.NET

<authentication> element in web.config:
- Inside the <system.web> element
- One attribute: mode, with the value "Forms", "Passport", "Windows" or "None"
- This indicates what mode of authentication your app should use
- None means no authentication or some form of custom authentication

Page 20

Authentication in ASP.NET

<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
  </system.web>
</configuration>

Page 21

Authentication in ASP.NET

<forms> element in web.config:
- Inside the <authentication> element
- Defines how forms authentication will work in your application

name attribute:
- The name of the cookie that will be placed on the authenticated user's machine

loginUrl attribute:
- The URL of the login page
- Where unauthenticated users will automatically be redirected

Page 22

Authentication in ASP.NET

<authentication mode="Forms">
  <forms name=".MYFIRSTAUTH"
         loginUrl="login.aspx" />
</authentication>

Page 23

Authentication in ASP.NET

Other attributes you can use in the <forms> element:
- timeout="60": the amount of time, measured in minutes, after which the cookie will expire. The default value is 30.
- path="/": the path where the cookie is created. The default value is "/", which is fine to use at this point.

Page 24

Authentication in ASP.NET

Continued...
- protection="None", "Encryption", "Validation" or "All": how the cookie data is protected. Possible values include:
  - None: stored in plain-text format; not recommended
  - Encryption: encrypts the cookie information in either the TripleDES or DES (Data Encryption Standard) encryption formats
  - Validation: no encryption used, but the information within the cookie is validated to determine if the information was altered between requests
  - All: utilize both validation and encryption to protect the cookie data

Page 25

Authentication in ASP.NET

<authorization> element in web.config:
- Inside the <system.web> element
- Defines which authenticated and unauthenticated users have access to which resources (e.g. pages)
- Can contain two elements: <deny users=""> and <allow users="">

Page 26

Authentication in ASP.NET

<deny> and <allow> elements
- Define authorization rules: which users should be denied or allowed access to pages

Possible values for the users attribute:
- * = all users
- ? = anonymous users (IUSR_Anonymous)
- Any name of a specific user or role; multiple users/roles separated by commas

Page 27

Authentication in ASP.NET

<authorization>
  <deny users="?" />
</authorization>

This authorization rule denies access to all anonymous users. They will automatically be redirected to our login/registration page.
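The <authentication>, <forms> and <authorization> fragments shown on pages 19 to 27, assembled into one complete web.config. This is an added example, not the course's own file: the connection-string name "KaluhaBooks", its server and database values, and the registration page name "register.aspx" are assumptions. It also shows the one piece the slides leave implicit: because <deny users="?" /> applies to every page, a separate registration page has to be opened up with a <location> element, or anonymous users can never reach it (login.aspx itself is exempted automatically because it is the loginUrl).

```xml
<?xml version="1.0"?>
<!-- Added example, not the course's own file. The connection string values and
     the register.aspx page name are assumptions. -->
<configuration>
  <connectionStrings>
    <add name="KaluhaBooks"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=KaluhaBooks;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to login.aspx.
         The ticket lives in a cookie named .MYFIRSTAUTH that expires after 60 minutes. -->
    <authentication mode="Forms">
      <forms name=".MYFIRSTAUTH"
             loginUrl="login.aspx"
             timeout="60"
             path="/"
             protection="All" />
      <!-- protection="All" both encrypts and validates the ticket; "None" would
           store it in plain text, which the slides mark as not recommended. -->
    </authentication>

    <!-- Authorization: "?" is anonymous users, so every page except the login
         page now requires an authenticated user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The registration page (the Login control's CreateUserUrl) must stay
       reachable by anonymous users, otherwise the "create account" link just
       bounces back to login.aspx. "*" means all users. -->
  <location path="register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules inside <authorization> are evaluated top to bottom and the first match wins, so a page-specific <location> block like the one above is the usual way to carve out exceptions rather than reordering <allow> and <deny> in the root element.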

Page 28

Exercise

Once you've updated your web.config file:
- Add some stuff to the main page of your project: anything you want (headings, images, text, whatever). This will be our "home page" for our site.
- Add a second web form to your project. Call it "login.aspx", the same value as in your loginUrl attribute in the <forms> element.

Page 29

The Login Control

ASP.NET 2.0 has a new set of Login controls!

The Login control contains all the elements you need to allow user logins.

Page 30

The Login Control - Properties

- CreateUserUrl: the URL or page name (if in the same folder) of a registration page
- CreateUserText: the text that will appear as a link below the login/password fields. When clicked, it will take the user to the registration page as defined in CreateUserUrl.

Page 31

The Login Control - Properties

- DestinationPageUrl: URL where the user is directed after a successful login
- DisplayRememberMe (true/false): displays a check box that the user can check if they want to stay logged in beyond the normal timeout period. If checked by the user, a persistent cookie is set so they don't have to be re-authenticated each time they come to your site. You can change the expiry date of this cookie in your code.

Page 32

The Login Control - Properties

- FailureAction, FailureText: what should happen if authentication fails
  - "Refresh" (default): the entire page will refresh, displaying the value of the FailureText property
  - "RedirectToLoginPage": the user will be sent back to the login page, as defined in the web.config file

Page 33

The Login Control - Properties

- InstructionText: any instructions you'd like displayed to the user
- LoginButtonType: type of Login button you'd like (Button, Link, Image)
- LoginButtonText: if LoginButtonType is Button or Link, defines what text appears on the button/link
- LoginButtonImageUrl: if LoginButtonType is set to Image, contains the location of the image

Page 34

The Login Control - Properties

- Orientation: alignment of controls
- PasswordLabelText: text that appears in the label in front of the password field
- PasswordRequiredErrorMessage: error message that is displayed for the required field validator associated with the password field

Page 35

The Login Control - Properties

- RememberMeSet: default value of the Remember Me check box
- RememberMeText: text that appears in front of the Remember Me check box
- TitleText: the title that appears along the top of your login control

Page 36

The Login Control - Properties

- UserName: default user name in the User Name field
- UserNameLabelText: text that appears in the label in front of the user name field
- UserNameRequiredErrorMessage: error message displayed for the required field validator associated with the user name field

Page 37

The Login Control - Events

Authenticate()
- Triggered when the user presses the Login button on the Login control
- You can write code to hash the password entered and compare it to the database value

Page 38

Exercise

Create the Login.aspx page according to the instructions/tutorial in the notes: ADO.NET, Authentication & Authorization, "Creating a Login/Registration Page".

You've done Steps 1 and 2 already; start with Step 3.

Page 39

More Useful Classes/Methods

MD5CryptoServiceProvider class
- In the System.Security.Cryptography namespace
- Performs one-way MD5 encryption
- ComputeHash() method: accepts a byte array (byte[]) as the value to encrypt and returns a byte array (byte[]) as the encrypted value

Page 40

More Useful Classes/Methods

UTF8Encoding class
- In the System.Text namespace
- Used to encode Unicode characters
- GetBytes(string) method: takes the string and returns it as a byte array (byte[])

Page 41

More Useful Classes/Methods

FormsAuthentication class
- In the System.Web.Security namespace
- Handles forms authentication services and utilities
- RedirectFromLoginPage(username, persist): redirects the authenticated user back to the original page they requested and creates the cookie
  - username = string to identify the "authentication ticket"
  - persist = boolean value: whether or not the cookie lives across multiple sessions
  - Optional third string argument = alternate URL where the authenticated user should be sent
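The login flow from pages 12, 37 and 39 to 41, written out as the code-behind for login.aspx: hash the entered password with UTF8Encoding and MD5CryptoServiceProvider, compare the 16-byte digest against the binary Password column in the Users table inside the Login control's Authenticate event, and on success call FormsAuthentication.RedirectFromLoginPage. This is an added example, not code from the course notes. The Users table columns (UserName, Password), the connection-string name "KaluhaBooks" and the control ID Login1 are assumptions. Two details go slightly beyond the slides: the database query is parameterised rather than built from the user's input, and the two digests are compared in constant time so the comparison does not return early on the first differing byte.

```csharp
// Added example, not the course's own code. Code-behind for login.aspx in an
// ASP.NET Web Forms project. Assumptions: a Users table with UserName (text)
// and Password (binary(16)) columns, a connection string named "KaluhaBooks"
// in web.config, and a Login control declared in the markup as
//   <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
// (the Login1 field itself is generated in the designer file).
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // One-way hash: plain text in, 16-byte MD5 digest out, which is what the
    // binary(16) Password column the slides call for holds. Unsalted MD5 is the
    // course's choice; for stored passwords current guidance is a salted, slow
    // hash such as PBKDF2 (Rfc2898DeriveBytes in the same namespace).
    private static byte[] HashPassword(string plainText)
    {
        byte[] input = new UTF8Encoding().GetBytes(plainText);
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(input);
        }
    }

    // Compare two digests without stopping at the first mismatch, so the time
    // taken does not depend on how many leading bytes happened to match.
    private static bool DigestsMatch(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Fetch the stored digest for a user name; null when the user does not exist.
    // The user name goes in as a parameter, never concatenated into the SQL text.
    private static byte[] LoadStoredHash(string userName)
    {
        string connStr = ConfigurationManager
            .ConnectionStrings["KaluhaBooks"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Password FROM Users WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", userName);
            conn.Open();
            // ExecuteScalar returns the binary column as byte[], or DBNull/null.
            return cmd.ExecuteScalar() as byte[];
        }
    }

    // Authenticate event: fires when the user presses the Login button.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        byte[] stored = LoadStoredHash(Login1.UserName);
        byte[] entered = HashPassword(Login1.Password);

        // Setting e.Authenticated tells the Login control whether to treat this
        // as success or to show FailureText (default FailureAction is Refresh).
        e.Authenticated = DigestsMatch(stored, entered);

        if (e.Authenticated)
        {
            // Creates the forms-authentication cookie named in <forms> and sends
            // the user back to the page they originally asked for. The second
            // argument decides whether the cookie persists across browser sessions,
            // taken here from the Remember Me check box.
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet);
        }
    }
}
```

Because the stored value is a fixed 16-byte digest, the comparison is done on the byte arrays rather than on hex strings, so no conversion is needed between what ComputeHash returns and what the binary(16) column gives back. When a user name is unknown, LoadStoredHash returns null and the login fails the same way a wrong password does, which keeps the failure message identical in both cases.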

Page 42

Exercise

- Complete the tasks under the "Registering Users" section
- When completed, make sure it works
- Make sure you have a couple of good user/password pairs in your table so we can code the login section

Page 43

Exercise

- Complete the tasks under the "Validating Users" section
- When completed, make sure it works: try logging in with valid and invalid logins/passwords!