ASP.NET Authentication

Authentication: Who are you? Default: Windows
Authorization: What are you allowed to do? Default: Anonymous

  • Represented via Authorization element in web.config
  • For IIS6
    • can have a combination of allow and deny entries
    • order of these entries matter as they are evaluated based on the order they are entered. The closest entry wins.
    • anonymous users are represented by ? and * represents all users
    • with the entries, you can also define verbs such as get and post to configure if the user is authorized to do gets and posts.
  • For IIS7 and forward
    • can have combination of add and remove entries. The add entries can have accessType defined as allow or deny.
    • order doesn't matter. The rule is that deny always takes precedence over allow.
    • Since order doesn't matter, we should remember to use <clear/> to clear all entries that might exist in top level config files.
    • IIS7 authorization will take care of not just managed resources such as aspx files but also the unmanaged resources in your app such as .pdf, .jpg etc. So it is better to use IIS7 authentication/authorization model than ASP.NETs authentication/authorization model
IPrincipal and IIdentity
  • Once a user is authenticated, you can access him by HttpContext.User property or by Page.User property. Both these properties expose the IPrincipal.
  • IPrincipal contains IIdentity and a function called IsInRole to identify whether the user belongs to a role or not.
  • IIdentity contains the Name of the user, his AuthenticationType and whether he IsAuthenticated or not.
  • When not all your users can have windows accounts, windows authentication is not a good approach.
  • It is cookie-based. What that means is that once you are authenticated, further requests are done based on the cookie. All the details are managed by ASP.NET.
  • Cookies are secured by encryption using secret key.
  • Once the cookie reaches the server, an HTTPModule named FormsAuthenticationModule decrypts and validates the cookie into HttpContext.User. This module also turns the outgoing 401 request into 302 redirect to login page.
  • Once you authenticate the user by some database lookup for his username and password, you can call the FormsAuthentication.RedirectFromLoginPage method to redirect him to your default page in the application.
  • The method takes the username and a boolean value indicating whether to create a persistent cookie on the hard drive or not.
  • To log out, just call the FormsAuthentication.SignOut() method and then redirect them to the default page of your app. This will inturn, redirect them to login page and if they login correctly, it will go to the default page.
  • An attacker might extract the cookie from the web request and store it on his machine and then use it to mimic the real user. To avoid this, we should try to set the RequireSSL option to true in the forms element inside authentication element. This would mean that the whole request stream is on SSL and then the cookie can't be extracted.
  • You can also set the timeout option in the forms element inside authentication element. This will ensure that the cookie expires after a while.
  • It is better to user Roles instead of users. 
  • Roles have to be set in code by the developer. You can do so in the Global.asax file by handling the AuthenticateRequest event. It is fired when the security module has established the identity of the user.
  • With the help of identity, you can find out which roles this user belongs to and then you can create a new GenericPrincipal with identity and roles.
  • You can then assign this GenericPrincipal to the Context.User property.
  • Once you set up the roles, you can use the Location element in the configuration element in web.config to identify the resource and what all roles it can have as shown below:
<location path="AdminsAndPlayersOnly.aspx">
        <allow roles="Players"/>
        <allow roles="Admin"/>
        <deny users="*"/>
ASP.NET Membership
  • Membership and role providers provide an inbuilt implementation of general login features such as usernames, passwords and roles database, password resetting, security question features etc. Its designed for rapid action development but does not provide strong authentication.
  • Membership is all about forms authentication.
  • Membership also provides out of box controls to login, logout, password recovery, reset password etc.
  • Membership and role use default providers but they can be customized to use different providers.
  • The login code can be overridden to do something different if you don't want the default behavior.