
Never, ever trust any data your users give you. Ever.

Membership,
Authorization, and Security
By
Amareswar Rao

Hackers, crackers, spammers, viruses, malware


1
ASP.NET Web Forms
Security
ASP.NET MVC doesn't have as many automatic protections
as ASP.NET Web Forms

Web forms security

Event Validation helps prevent injection attacks

View State is encrypted

Request Validation (<%@ Page ValidateRequest="true" %>)

Server Components HTML-encode displayed values and
attributes to help prevent XSS attacks.

2
Authorize Attribute

Authentication is verifying that users are
who they say they are, using some form
of login mechanism

Authorization is verifying that they can
do what they want to do with respect to
your site. This is usually achieved using
some type of role-based system.

3
Secure Application With
ASP.NET Webforms
A common means of securing an application with Web
Forms is to use URL authorization.

For example, if you have an admin section and you want to
restrict it to users who are in the Admins role, you might
place all your admin pages in an admin folder and deny
access to everyone except those in the Admins role to that
subfolder.

    <!-- Attribute values quoted; the final rule denies all users ("*"), not just
         anonymous ones ("?"), so that authenticated users outside the role are
         also refused, as the text above describes -->
    <location path="Admin" allowOverride="false">
      <system.web>
        <authorization>
          <allow roles="Administrator" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

4
AuthorizeAttribute
If you don't specify any roles or users, the current user must
simply be authenticated

If a user attempts to access an action method with this
attribute applied and fails the authorization check, the filter
causes the server to return a 401 Unauthorized HTTP status
code.

In the case that forms authentication is enabled and a login
URL is specified in the web.config, ASP.NET will handle this
response code and redirect the user to the login page. This is
an existing behavior of ASP.NET and is not new to ASP.NET
MVC.

Install-Package Wrox.ProMvc4.Security.Authorize
5
AuthorizeAttribute with
Forms Authentication
    // Inside AuthorizeAttribute.AuthorizeCore: an unauthenticated user fails the check
    IPrincipal user = httpContext.User;
    if (!user.Identity.IsAuthenticated)
    {
        return false;
    }

HTTP 401 - HttpUnauthorizedResult

    <authentication mode="Forms">
      <forms loginUrl="/Account/LogOn" timeout="2880" />
    </authentication>

    [Authorize]
    public ActionResult Buy(int id)

6
Windows Authentication

In Web.config:

    <authentication mode="Windows" />

IIS 7

IIS 8

IIS Express

7
Forms Authentication
    // Per-action
    [Authorize]
    public ActionResult Buy(int id)

    // Per-controller
    [Authorize]
    public class CheckoutController : Controller

    // Global filter in App_Start/FilterConfig.cs (method signature completed)
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
        filters.Add(new HandleErrorAttribute());
    }

    // Opt a single action out of the global Authorize filter
    [AllowAnonymous]
    public ActionResult Login()

8
Web Forms and static resources map to file
paths and can be secured using the
authorization element in your web.config

ASP.NET handler security is more complex;
like an MVC action, a handler can map to
multiple URLs.

Securing handlers is normally handled via
custom code in the ProcessRequest method.
For example, you may check
User.Identity.IsAuthenticated and redirect or
return an error if the authentication check fails.

9
Authorize Attribute - Role
Membership
    [Authorize(Roles = "Administrator")]
    public class StoreManagerController : Controller

    [Authorize(Roles = "Administrator,SuperAdmin")]
    public class TopSecretController : Controller

    [Authorize(Users = "Jon,Phil,Scott,Brad")]
    public class TopSecretController : Controller

    [Authorize(Roles = "UsersNamedScott", Users = "Jon,Phil,Brad")]
    public class TopSecretController : Controller

The Role and Membership classes are found in the
System.Web.Security namespace.
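Added example (not from the slides or the Wrox package): a hypothetical RoleOrForbidAttribute that performs the same IsAuthenticated, Users and Roles checks as the built-in AuthorizeAttribute shown on slides 5 and 10, but answers an authenticated user who lacks the role with 403 instead of 401, so forms authentication does not redirect an already-logged-in user back to the login page. The class and attribute names are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: same semantics as AuthorizeAttribute, different failure status
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            return false; // anonymous: 401, which forms auth turns into a login redirect
        }

        // Users and Roles are comma-separated lists, e.g. Roles = "Administrator,SuperAdmin"
        string[] users = Split(Users);
        string[] roles = Split(Roles);

        if (users.Length > 0 && !users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
        {
            return false;
        }
        if (roles.Length > 0 && !roles.Any(user.IsInRole))
        {
            return false;
        }
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in but not permitted: 403 Forbidden, not 401
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // HttpUnauthorizedResult (401)
        }
    }

    private static string[] Split(string list)
    {
        if (string.IsNullOrWhiteSpace(list)) return new string[0];
        return list.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();
    }
}
```

Apply it exactly like the built-in attribute, e.g. [RoleOrForbid(Roles = "Administrator,SuperAdmin")] on a controller.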

10
OAuth & OpenID
OAuth and OpenID are open standards
for authorization. These protocols allow
your users to log in to your site using
their existing accounts on other trusted
sites (called providers), such as Google,
Twitter, Microsoft, and others.

OpenID providers: Google, Yahoo, and
myOpenID

11
App_Start\AuthConfig.cs

12
13
Require SSL for Login

14
