Published on: 16 July, 2013

ASP.Net Security

Posted by andy

Why do you need security on your website? Sometimes you want to prevent unauthorized users from reaching specific pages or paths of your site. With the built-in security in ASP.Net you can achieve this. ASP.Net offers two security models for protecting your web applications: Forms Authentication and Windows Authentication.

1. Forms Authentication

The Forms Authentication model is the one to use when you check a user's login credentials against a database. Once a user has been verified against the data in the database, ASP.Net creates a forms authentication cookie. This cookie is configured in web.config: you can set its name and the session length, counted in minutes. ASP.Net uses this session length to terminate access automatically when a user has been inactive on the website for longer than the time stated in web.config.

See the example below on how to use Forms Authentication in ASP.Net. Look closely: in this example we want to block unauthorized users from the path of the MyAccount folder. The loginUrl attribute tells the application to redirect users to Login.aspx automatically when they are not authorized to access it.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
    </system.web>

Additionally, you can add authorization tags in web.config to grant specific users access to the site. See the example below for more details.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
            
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>

The asterisk (*) in the example above is a wildcard meaning "everyone". If you want to deny access to specific users, you can do that as well: add the username to the users attribute of the deny tag. If you have more than one user, separate them with commas. Note that these usernames are the ones retrieved from the user login table in the database, so they have to be unique. The configuration below allows all users to access the site except for john and angela.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
        <authorization>
            <deny users="john, angela" />
            <allow users="*"/>
        </authorization>
    </system.web>

If you want every visitor to log in before using the site, use the following configuration. The question mark (?) denies access to all unauthenticated users and forces them to log in to the site first.

    <system.web>
        <authentication mode="Forms">
            <forms name="MyFormCookie" loginUrl="~/Login.aspx" timeout="60" path="~/MyAccount" />
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
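An added example that is not from the original post: the path attribute on the forms element only sets the path of the authentication cookie, so a folder-level restriction is expressed with a location element instead. Authorization rules are evaluated top to bottom and the first match wins, which is why the deny rules come before the allow. The MyAccount folder, the user names and the page names are the ones used above; requireSSL, slidingExpiration and httpOnlyCookies are standard ASP.Net settings.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- path is the cookie path, not the protected folder, so it is left at the default "/".
           requireSSL keeps the cookie off plain HTTP; slidingExpiration renews the 60 minute
           timeout on each request, so idle sessions still end at the configured time. -->
      <forms name="MyFormCookie"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             timeout="60"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Site-wide rule: anonymous browsing is allowed (this is also the machine-level default). -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Cookie hardening that also applies to the authentication cookie. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Folder-level rule for everything under /MyAccount (path is relative to this web.config).
       First match wins: anonymous users are sent to Login.aspx, john and angela are refused
       even after logging in, and every other authenticated user gets through. -->
  <location path="MyAccount">
    <system.web>
      <authorization>
        <deny users="?" />
        <deny users="john,angela" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```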

How to check if a user has already logged in

You can use the following code to check whether a user has already logged in to the site.

    protected void Page_Load(object sender, EventArgs e) {
        if (User.Identity.IsAuthenticated) {
            Response.Write("Your username is " + User.Identity.Name);
        }
    }

This is how you log the user out of the site.

    private void btnLogout_Click(Object sender, EventArgs e){
        FormsAuthentication.SignOut();
        Response.Redirect("~/Login.aspx");
    }

2. Windows Authentication

Windows Authentication mode is simpler to set up: you just set the authentication mode to Windows as shown below. This type of authentication is best suited to intranet or company network use only, because the user's login information is checked against the Windows user credentials that IIS uses. The configuration below forces all users to log in before they can access the site.

    <system.web>
        <authentication mode="Windows"/>
    </system.web>