Securing A Microsoft
• Windows-Based Authentication
• Forms-Based Authentication
Lesson: Web Application Security Overview
• Authentication vs. Authorization
  Authentication: verifies that the supplied credentials really identify the user who presents them
• Authorization
  Given the authentication credentials supplied, determines the right to access a resource
  Can be assigned by user name or by role
What Are ASP.NET Authentication Methods?
• Windows-based authentication
  Relies on the Windows operating system and IIS
  User requests a secure Web page and the request goes through IIS
  After credentials are verified by IIS, the secure Web page is returned
• Forms-based authentication
  Unauthenticated requests are redirected to an HTML form
  User provides credentials and submits the HTML form
  After credentials are verified, an authentication cookie is issued
Comparing the ASP.NET Authentication Methods
• Windows-based authentication
  Advantages: uses the existing Windows infrastructure; controls access to sensitive information
  Disadvantage: not appropriate for most Internet applications
[Figure: forms-based authentication flow. A user requests a secure page; the request goes through IIS to ASP.NET forms authentication. If the request is not authenticated, the user is redirected to the logon page, where users enter their credentials (username and password) and click Submit. Once the credentials are verified, the user is authenticated and an authentication cookie is issued; if the user is also authorized, the requested secure page is returned, otherwise the response is Access Denied.]
Multimedia: Forms-Based Authentication
Enabling Forms-Based Authentication
• Reference System.Web.Security
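One way to wire this up, as an added example that is not part of the course material: a Login.aspx code-behind that verifies the submitted credentials with the configured membership provider and then calls FormsAuthentication.RedirectFromLoginPage, which issues the authentication cookie and sends the user back to the page that triggered the redirect. The web.config fragment in the header comment, the cookie name ".COHOAUTH", the control names and the membership provider are assumptions.

```csharp
// Login.aspx.cs (added example; control names, cookie name and the
// web.config fragment below are assumptions, not course code).
//
// Assumed web.config fragment. mode="Forms" switches the application to
// forms-based authentication; <deny users="?"/> denies anonymous users, so
// forms authentication redirects their requests to loginUrl and appends a
// ReturnUrl query string parameter naming the page they asked for.
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" name=".COHOAUTH" timeout="30"
//              protection="All" requireSSL="true" slidingExpiration="true"
//              enableCrossAppRedirects="false" />
//     </authentication>
//     <authorization>
//       <deny users="?" />
//     </authorization>
//   </system.web>

using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed controls declared in Login.aspx.designer.cs:
    // TextBox txtUserName, TextBox txtPassword (TextMode="Password"),
    // CheckBox chkPersist, Label lblMessage. btnSubmit's Click event is
    // wired to this handler.
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // Verify the credentials against the configured membership provider
        // rather than against user names and passwords stored in web.config.
        if (!Membership.ValidateUser(userName, password))
        {
            // One generic message for unknown user and wrong password, so the
            // form cannot be used to enumerate valid user names.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // Issues the forms authentication cookie and redirects to the page the
        // user originally requested. The target is taken from the ReturnUrl
        // query string parameter added when the unauthenticated request was
        // redirected here; if it is missing, defaultUrl is used. With
        // enableCrossAppRedirects="false" a ReturnUrl pointing outside this
        // application is ignored in favour of defaultUrl, so the parameter
        // cannot be abused as an open redirect. The second argument decides
        // whether the cookie persists across browser sessions.
        FormsAuthentication.RedirectFromLoginPage(userName, chkPersist.Checked);
    }
}
```

requireSSL="true" marks the authentication cookie Secure, so the browser only sends it over HTTPS; without it, the cookie that represents the logged-on user travels in clear text on every request.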
[Lab diagram: the Coho Winery Web application. Pages: Logon Page (Login.aspx), Home Page (Default.aspx), Registration (Register.aspx), Benefits; Page Header (Header.ascx) with Menu; Component (Class1.vb or Class1.cs); Web.config; XML files (Doctors, Dentists); session state database (ASPState / tempdb).]
Lab Review
Module Review and Takeaways
Review Questions
• What are the authentication methods provided with ASP.NET?
• What is the difference between authentication and authorization?
• What is the most important thing to remember when using Basic authentication?
• How does ASP.NET know to which page you have to be redirected when using the RedirectFromLoginPage method?
Review for Alpha
• Is there any topic or specific content item in the module that seemed unclear or unnecessary?
• Is there any content item or related subject area that was not covered and could be included?
• Did you observe any issues with the technical accuracy of the content?
• Is the content in the module presented in a manner that encourages learning? Did the flow of topics seem right?
• Does the lab outline indicate the expected scope of tasks to be covered? Would you like to suggest any tasks that could be removed or added?