1 / 43

ASP.NET 2.0

ASP.NET 2.0. Chapter 6 Securing the ASP.NET Application. Objectives. Building Information Management Security Policies. Security needs to be at the forefront when designing a web application

oma
Download Presentation

ASP.NET 2.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application

  2. Objectives ASP.NET 2.0, Third Edition

  3. Building Information Management Security Policies • Security needs to be at the forefront when designing a web application • The internet is widely accessible and there is always going to be people attempting to get secured information • Challenges to security include the constant changes in operating systems and software • Privacy and security are tied together • Breaches in web security are linked to consumer distrust • It’s important to have a company-wide policy about the privacy of their customer’s information ASP.NET 2.0, Third Edition

  4. Security Policies • Hackers use multiple methods to get private data, including cross-site scripting • Companies should have their privacy and security policies on their web site with a third party providing security checks • Consider the Windows Security Model • Web application and web server security protects access to web resources, and Windows security protects access to file system resources • Web applications that integrate other applications, such as a database, will have additional layers of security ASP.NET 2.0, Third Edition

  5. Privacy Policies • A privacy policy is often used to inform the user about the type of information being collected and about what is being done with that information • The privacy policy is shown on the web page or as a pop-up to the user before accessing the site • Platform for Privacy Preferences (P3P) standards provide a way for browsers to obtain the privacy policy for any particular web site ASP.NET 2.0, Third Edition

  6. Passing Valid Data from a Web Form • Form fields pass data that is received as a string • When data is received in the intended format, it is called valid data • Valid data or the lack thereof can become important because this data is often inserted into databases, used by other applications, or misused by hackers to gain access to you web server • Validation controls are used to validate the format of the data • Regular Expressions are used to validate custom data formats ASP.NET 2.0, Third Edition

  7. Understanding Validation Controls ASP.NET 2.0, Third Edition

  8. Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition

  9. Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition

  10. Understanding Validation Controls (continued) ASP.NET 2.0, Third Edition

  11. Building Regular Expressions ASP.NET 2.0, Third Edition

  12. Building Regular Expressions (continued) ASP.NET 2.0, Third Edition

  13. Validating Form Data with Validation Controls ASP.NET 2.0, Third Edition

  14. 5/19/08 Start ASP.NET 2.0, Third Edition

  15. Maintaining State • Web developers need to be able to identify the user with each subsequent page visited • Keeping track of information about users as they are visiting a site is called maintain state • There are three methods to maintain state • Client-side cookies • HTTP cookies • Without HTTP cookies ASP.NET 2.0, Third Edition

  16. Maintaining State with Client-Side Cookies ASP.NET 2.0, Third Edition

  17. Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition

  18. Maintaining State with Client-Side Cookies (continued) ASP.NET 2.0, Third Edition

  19. Other Ways • Hidden fields • URL Encoding CBS

  20. Storing Session Data • Companies use web servers networked together to create a web farm • In a web farm, load balancing servers will redistribute the clients based on the workload of the servers • Some companies expand their web sites across multiple computer processing units (CPUs), within a single physical server called a web garden • User information is retrieved by HTTP headers using the ServerVariables collection and some are retrieved from the properties of the Session object ASP.NET 2.0, Third Edition

  21. Storing and Retrieving Session Data ASP.NET 2.0, Third Edition

  22. Storing Session Data ASP.NET 2.0, Third Edition

  23. Storing Session Data (continued) ASP.NET 2.0, Third Edition

  24. Storing Session Data (continued) ASP.NET 2.0, Third Edition

  25. Application Configuration • A web application is a group of files and folders (including virtual folders) located under the web application’s root directory • You can maintain information across the entire web application with the Application object, which stores the application variables in the server’s memory • The web server can be configured by using the property pages within the Microsoft Management Console (MMC) application, in the ASP.Net web configuration files, or in the Web Site Administration Tool (WSAT) ASP.NET 2.0, Third Edition

  26. Viewing and Understanding the Web Server Property Sheets ASP.NET 2.0, Third Edition

  27. Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition

  28. Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition

  29. Viewing and Understanding the Web Server Property Sheets (continued) ASP.NET 2.0, Third Edition

  30. Understanding Application Configuration Files ASP.NET 2.0, Third Edition

  31. Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition

  32. Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition

  33. Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition

  34. Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition

  35. Understanding Application Configuration Files (continued) ASP.NET 2.0, Third Edition

  36. Membership Services • Two main principles of security are authentication and authorization • Authentication is the process of validating the identity of the request • Authorization is the process of ensuring that you can only access the resources made available to you by the system administrators • The Windows NTFS file system allows you to set permissions on individual files and folders using an access control list (ACL) ASP.NET 2.0, Third Edition

  37. Implementing Authorization ASP.NET 2.0, Third Edition

  38. Authenticating Users with Forms Authentication • Forms authentication is a cookie-based authentication method • Every packet of information over the web is sent with a host header, which contains information about the sender and the request • ASP.net determines if a FormsAuthentication cookie is present in the header packet • If the cookie is not present, the user is redirected to the login page ASP.NET 2.0, Third Edition

  39. Implementing Authentication • The authentication method is configured in the authentication element in the web configuration file. • The mode attribute is assigned to one of the authentication methods: • None (no authentication required) • Anonymous authentication • Basic authentication • Windows authentication ASP.NET 2.0, Third Edition

  40. Using Web Controls to Maintain Security • There are several built-in Web controls that can be used to maintain security within your web application, which include: • Login Control • Password Recovery Control • Login Status Control ASP.NET 2.0, Third Edition

  41. Summary • Validation controls are a form of ASP.NET controls that allow you to assign validation rules to other controls. You can build custom validation rules to validate your form fields, or use one of the standard Validation controls with a custom Regular Expression. • A cookie can be used to maintain information across multiple sessions for a specific user. A cookie is a text file that is stored on the client’s computer. Your web sites should educate and inform users about the use of cookies, and about how the cookie affects their computer system. A cookie is passed in the HTTP header with the other HTTP server variables. • The SessionID property is assigned by the server, and provides a way to identify the client during the user session. Sessions require the user to support HTTP cookies. ASP.NET 2.0, Third Edition

  42. Summary (continued) • You can store session data within the web server process, the State Server, or a SQL Server database. State Server is a Windows service that must be turned on before session data can be stored in the State Server. If the web server crashes, any session data within the State Server or SQL Server persists. • A web application is a group of files and folders. The IIS web server software configures the web application using the MMC with the WSAT, or you can configure it via the web application configuration files. • The web.config file configures the web application. The machine.config file maintains information that is used across .NET applications. • Authentication is the process of validating the identity of the request. Authorization is the process of validating the user access privileges to the resources. You can configure forms authentication in the web.config file. ASP.NET 2.0, Third Edition

  43. Summary (continued) • Authorization within an ASP.NET application is conducted via the web.config file, WSAT, or via the Windows NTFS permissions. • You can configure web applications to support various types of authentication. Anonymous authentication means that the user does not have to log in with a special account. The Internet Guest Account represents the client. Basic authentication sends the login data as clear text. Windows authentication allows the user to log in without sending his or her login over the Internet. Forms authentication is a new technique in ASP.NET to protect the web application. ASP.NET 2.0, Third Edition

More Related