PROG 11044
Advanced Web Applications
With .NET
User Authentication & Authorization
04/20/23 Wendi Jollymore, ACES 2
User Authentication
Can be used on web sites for:
Saving user preferences
E.g. skins, colours
Limiting access to pages or data
E.g. "members only", co-authors of a blog
Protecting sensitive information
E.g. users who shop at your site may store their credit card and other account info
Authentication / Authorization
Authentication
Determining a user's identity
How you validate the identity with some authority or source
Credentials = the user's information
Occurs before you authorize a user
Authorization
Determining if an authenticated user has access to a resource, application, etc.
Occurs after authentication
A user can be authenticated but not authorized to have access to a specific resource.
Types of Authentication
There are three types of authentication you can use in ASP.NET:
Windows
Passport
Forms
Types of Authentication
Windows Authentication
Used with IIS
Authenticates users based on their Windows accounts
You would need to have the permissions to create and modify individual Windows user accounts.
Use this only for local applications.
Types of Authentication
Passport Authentication
Uses the authentication service provided by Microsoft, "Microsoft Passport"
Your site might be registered with and be a member of the Microsoft Passport service. Users would not only have access to your page; they would be members of other sites also, using the same account information. You would be dependent on the Microsoft Passport service for user accounts.
Types of Authentication
Forms Authentication
An HTML form collects credentials from the user
You write the code to authenticate the credentials
Can use a cookie to maintain the authentication information
Allows the user to "stay logged in" while they browse around your site.
You can decide how to maintain user information (e.g. a Users table in a database).
Types of Authentication
Forms Authentication would be the preferable method
Allows you the most flexibility
You can design your own form to capture the credentials
You can write your own authentication code
How Forms Authentication Works
Unauthenticated users visiting any page are redirected to the Login page
A cookie is created and stored when the user is authenticated
Authenticated users can be granted or denied access to resources
Unauthenticated users are, by default, IUSR_Anonymous
Passwords & Encryption
This is a huge topic, so this is just a simplification
Passwords should not be stored as plain text in a table
They also should not be "compared" using plain text
E.g. if (password.equals("whatever"))
Passwords should be stored/compared using encrypted values
One-Way vs. Two-Way Encryption
One-Way Encryption
A piece of text is encrypted
The encrypted value is stored somewhere
It is not decrypted
A person enters plain text, which is encrypted, and both encrypted values are compared
Two-Way Encryption
A piece of text is encrypted
The encrypted value is decrypted by the person receiving or processing the sensitive data
Common when sending documents
Passwords & Encryption
One-Way Encryption is very useful for passwords
User enters a password
Program encrypts the password
Program looks up the encrypted password value in a table
Both encrypted values are compared
If they match, success!
Also called hashing or irreversible encryption
Passwords & Encryption
Disadvantage of One-Way encryption
Can't decrypt the encrypted value
Can be hard to retrieve a lost password
Ideas:
Reset the password to something temporary and email it to the user.
Send them a URL that allows them to save a new password.
Encryption Algorithms
Some popular one-way encryption algorithms:
MD5 (Message Digest algorithm 5)
128-bit hash code; somewhat secure; somewhat efficient
SHA-1 (Secure Hash Algorithm)
160-bit hash code; somewhat secure, somewhat efficient
SHA-2
Refers to a collection of algorithms that are more secure than SHA-1
Encryption Algorithms
Continued…
SHA-2 consists of SHA256, SHA384, SHA512
These are 256-, 384-, and 512-bit hash codes
SHA256 and SHA384 are as secure as SHA-1 or MD5, but a lot slower
SHA512 is extremely secure, but extremely slow
Encryption Algorithms
RIPEMD-160
Stands for RACE Integrity Primitives Evaluation Message Digest
RACE stands for Research and Development in Advanced Communications Technologies in Europe
160-bit hash code based on MD4 (precursor to MD5)
Authentication in ASP.NET
Create a Users table in your KaluhaBooks database:
See the table description in the notes: ADO.Net/Authentication & Authorization
We'll be using MD5 encryption
128-bit hash code
The Password field in the Users table has to be a binary type, 16 bytes
Create a new Web Project
Authentication in ASP.NET
Add a Web.config file
Add a connection string element
In your web.config file, you can define how your application should handle authentication and authorization
In our example, we will redirect unauthenticated users to a Login/Registration page
Authentication in ASP.NET
<authentication> element in web.config:
Inside the <system.web> element
One attribute: mode="Forms/Passport/Windows/None"
This indicates what mode of authentication your app should use
None means no authentication or some form of custom authentication
Authentication in ASP.NET
<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
  </system.web>
</configuration>
Authentication in ASP.NET
<forms> element in web.config:
Inside the <authentication> element
Defines how forms authentication will work in your application
name attribute: The name of the cookie that will be placed on the authenticated user's machine
loginUrl attribute: The URL of the login page, where unauthenticated users will automatically be redirected
Authentication in ASP.NET
<authentication mode="Forms">
  <forms name=".MYFIRSTAUTH"
         loginUrl="login.aspx" />
</authentication>
Authentication in ASP.NET
Other attributes you can use in the <forms> element:
timeout="60": The amount of time, measured in minutes, after which the cookie will expire. The default value is 30.
path="/": The path where the cookie is created. The default value is "/", which is fine to use at this point.
Authentication in ASP.NET
Continued…
protection="None/Encryption/Validation/All": How the cookie data is protected. Possible values include:
None: stored in plain-text format; not recommended
Encryption: Encrypts the cookie information in either the TripleDES or DES (Data Encryption Standard) encryption formats.
Validation: No encryption used, but the information within the cookie is validated to determine if the information was altered between requests.
All: Utilize both validation and encryption to protect the cookie data
Authentication in ASP.NET
<authorization> element in web.config:
Inside the <system.web> element
Defines which authenticated and unauthenticated users have access to which resources (e.g. pages)
Can contain two elements:
<deny users="" />
<allow users="" />
Authentication in ASP.NET
<deny> and <allow> elements
Define authorization rules: which users should be denied or allowed access to pages
Possible values for the users attribute:
* = all users
? = anonymous users (IUSR_Anonymous)
Any name of a specific user or role
Multiple users/roles separated by commas
Authentication in ASP.NET
<authorization>
  <deny users="?" />
</authorization>
This authorization rule denies access to all anonymous users.
They will automatically be redirected to our login/registration page.
Exercise
Once you've updated your web.config file:
Add some stuff to the main page of your project
Anything you want – headings, images, text, whatever
This will be our "home page" for our site
Add a second web form to your project
Call it "login.aspx"
The same value as in your loginUrl attribute in the <forms> element
The Login Control
ASP.NET 2.0 has a new set of Login controls!
The Login control contains all the elements you need to allow user logins
The Login Control - Properties
CreateUserUrl: the URL or page name (if in the same folder) of a registration page
CreateUserText: the text that will appear as a link below the login/password fields. When clicked, it will take the user to the registration page as defined in CreateUserUrl.
The Login Control - Properties
DestinationPageUrl: URL where the user is directed after a successful login
DisplayRememberMe (true/false): Displays a check box that the user can check if they want to stay logged in beyond the normal timeout period. If checked by the user, a persistent cookie is set so they don't have to be re-authenticated each time they come to your site. You can change the expiry date of this cookie in your code.
The Login Control - Properties
FailureAction, FailureText: What should happen if authentication fails.
"Refresh" (default): the entire page will refresh, displaying the value of the FailureText property.
"RedirectToLoginPage": the user will be sent back to the login page, as defined in the web.config file.
The Login Control - Properties
InstructionText: Any instructions you'd like displayed to the user.
LoginButtonType: Type of Login button you'd like (Button, Link, Image).
LoginButtonText: If LoginButtonType is Button or Link, defines what text appears on the button/link.
LoginButtonImageUrl: If LoginButtonType is set to Image, contains the location of the image.
The Login Control - Properties
Orientation: Alignment of controls
PasswordLabelText: Text that appears in the label in front of the password field
PasswordRequiredErrorMessage: Error message that is displayed for the required field validator associated with the password field.
The Login Control - Properties
RememberMeSet: Default value of the Remember Me check box
RememberMeText: Text that appears in front of the Remember Me check box.
TitleText: The title that appears along the top of your login control.
The Login Control - Properties
UserName: Default user name in the User Name field
UserNameLabelText: Text that appears in the label in front of the user name field
UserNameRequiredErrorMessage: Error message displayed for the required field validator associated with the user name field.
The Login Control - Events
Authenticate event: Triggered when the user presses the Login button on the Login control
You can write code to hash the password entered and compare it to the database value
Exercise
Create the Login.aspx page according to the instructions/tutorial in the notes:
ADO.NET, Authentication & Authorization: "Creating a Login/Registration Page"
You've done Steps 1 and 2 already
Start with Step 3
More Useful Classes/Methods
MD5CryptoServiceProvider class
In the System.Security.Cryptography namespace
Performs one-way MD5 encryption
ComputeHash() method
Accepts an array of bytes (byte[]) as the value to encrypt
Returns an array of bytes (byte[]) as the encrypted value
More Useful Classes/Methods
UTF8Encoding class
In the System.Text namespace
Used to encode Unicode characters
GetBytes(string) method
Takes the string and returns it as an array of bytes (byte[])
More Useful Classes/Methods
FormsAuthentication class
In the System.Web.Security namespace
Handles forms authentication services and utilities
RedirectFromLoginPage(username, persist)
Redirects the authenticated user back to the original page they requested and creates the cookie
username = string to identify the "authentication ticket"
persist = boolean value: whether or not the cookie lives across multiple sessions
Optional third string argument = alternate URL where the authenticated user should be sent
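As an added example (not code from the course notes), here is a login.aspx code-behind that ties together the Authenticate event and the three classes above: UTF8Encoding to get the bytes, MD5CryptoServiceProvider to hash them, and FormsAuthentication to create the cookie and redirect. It assumes a Login control with ID Login1, a connection string named KaluhaBooks, and a Users table with a UserName column and a binary(16) Password column.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI.WebControls;
public partial class Login : System.Web.UI.Page
{
    // Hash a plain-text password the same way it was hashed at registration:
    // UTF-8 bytes in, 16-byte MD5 digest out (fits the binary(16) Password column).
    private static byte[] HashPassword(string plainText)
    {
        byte[] data = new UTF8Encoding().GetBytes(plainText);
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(data);
        }
    }
    // Compare stored and computed digests over their full length (no early exit on mismatch).
    private static bool HashesMatch(byte[] stored, byte[] computed)
    {
        if (stored == null || computed == null || stored.Length != computed.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < stored.Length; i++)
            diff |= stored[i] ^ computed[i];
        return diff == 0;
    }
    // Authenticate event handler of the Login control (control ID "Login1" is assumed).
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Connection string name "KaluhaBooks" and the UserName column are assumptions.
        string connStr = ConfigurationManager.ConnectionStrings["KaluhaBooks"].ConnectionString;
        byte[] stored;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand("SELECT Password FROM Users WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", Login1.UserName); // parameterised, never concatenated
            conn.Open();
            stored = cmd.ExecuteScalar() as byte[];                // null if the user does not exist
        }
        e.Authenticated = HashesMatch(stored, HashPassword(Login1.Password));
        if (e.Authenticated)
        {
            // Creates the cookie named in <forms> and sends the user back to the page they requested.
            FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet);
        }
        // Otherwise the control displays FailureText (FailureAction "Refresh", the default).
    }
}
```

Wire the handler up with OnAuthenticate="Login1_Authenticate" on the <asp:Login> tag in login.aspx; the registration page must store exactly the value HashPassword produces, or no login will ever match.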
Exercise
Complete the tasks under the "Registering Users" section
When completed, make sure it works
Make sure you have a couple of good user/passwords in your table so we can code the login section
Exercise
Complete the tasks under the "Validating Users" section
When completed, make sure it works:
Try logging in with valid and invalid logins/passwords!