Friday, February 10, 2012

Customising Authentication Security using Configuration Tags in web.config in ASP.NET

The Forms Authentication mode of ASP.NET provides ticket handling and a number of properties for managing security through the authentication section of web.config. The same settings can be used to change the default behaviour of the application. The following options customise security in the application:
1. We can change the login page and ask the FAM (forms authentication mode) to show a different page for authentication. All of these settings are provided through the forms tag of the authentication section:
<authentication mode="Forms">
  <!-- attribute names are case-sensitive: loginUrl, not loginurl -->
  <forms loginUrl="Login.aspx">
    <!-- the default passwordFormat is SHA1; Clear is needed here because
         the password below is stored as plain text -->
    <credentials passwordFormat="Clear">
      <user name="test" password="test" />
    </credentials>
  </forms>
</authentication>

We then use the FormsAuthentication.Authenticate method in the code-behind to authenticate users.
Code-behind:

using System.Web.Security;

// read the credentials entered on the login page
string user = this.txtUserName.Text;
string pwd = this.txtPassword.Text;

// validate against the <credentials> list in web.config
if (FormsAuthentication.Authenticate(user, pwd))
{
    // issue the authentication ticket (non-persistent cookie)
    FormsAuthentication.SetAuthCookie(user, false);
    // send the user back to the page that required authentication
    FormsAuthentication.RedirectFromLoginPage(user, false);
}
else
{
    Response.Write("try again.");
}

2. When the user visits login.aspx directly there is no return URL after a successful login. In that case ASP.NET by default redirects the user to default.aspx. If we want to customise this, the defaultUrl attribute of the forms tag can be used:
<authentication mode="Forms">
  <!-- defaultUrl is used when there is no return URL to go back to -->
  <forms loginUrl="Login.aspx" defaultUrl="~/admin/adduser.aspx">
    <credentials passwordFormat="Clear">
      <user name="test" password="test" />
    </credentials>
  </forms>
</authentication>
3. name = identity/ticket name. To create the authentication ticket our program provides a value internally, and this value is stored under a name that defaults to ".ASPXAUTH". It is highly recommended to change this default name, which we can do using the name attribute:
<forms loginUrl="Login.aspx" name="smith" />
4. cookieless="UseCookies"
By default the forms authentication module creates the identity using HTTP cookies, but cookies are dependent on the browser: they behave according to the browser's instructions, which is a big problem for our authentication ticket. To overcome this universal problem ASP.NET provides an alternative, the URI option cookieless="UseUri", with which we are independent of the browser and cookies. AutoDetect means use cookies if supported, otherwise use the URI; UseDeviceProfile means take the cookieless setting from the profile section of web.config.
5. protection = All, Encryption, None or Validation. The default is All, and All is also the recommended value. This attribute controls protection of the authentication ticket: All means encryption + validation, which is the highest level of security. We can go to lower levels, only Encryption or only Validation, and with None there is no protection at all: the ticket is created as plain text.

6. requireSSL="true": the default is false. If set to true, the browser must make every authentication-related request over HTTPS instead of HTTP (SSL enabled).
7. enableCrossAppRedirects="true" or "false": the default is false. By setting it to true we can let our authentication ticket be used by other sites that follow forms authentication, and accept other sites' tickets in our site. This is highly not recommended because not every browser supports it.
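As an added example (not taken from the original post), here is a complete web.config that sets every attribute from the list above to the value the post recommends, with the default noted in a comment beside each one so the weak and hardened settings can be compared in one place. The login and default page paths are assumed placeholders; the cookie name "smith" and the test user are the ones used in the post.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms
          loginUrl="~/Login.aspx"             <!-- item 1: default is login.aspx -->
          defaultUrl="~/admin/adduser.aspx"   <!-- item 2: default is default.aspx -->
          name="smith"                        <!-- item 3: default is .ASPXAUTH -->
          cookieless="UseCookies"             <!-- item 4: UseUri puts the ticket in the URL,
                                                   where it ends up in logs and referers -->
          protection="All"                    <!-- item 5: encryption + validation (default All) -->
          requireSSL="true"                   <!-- item 6: default false; ticket only over HTTPS -->
          enableCrossAppRedirects="false">    <!-- item 7: default false; keep it off -->
        <!-- Clear is used only so the post's plain-text test user validates;
             the default passwordFormat is SHA1 and a hashed value is preferable -->
        <credentials passwordFormat="Clear">
          <user name="test" password="test" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
```

The comments sit inside the start tag only for readability here; in a real web.config XML comments must be placed between elements, not between attributes, so move each note above the forms element before deploying. A quick check after deploying is to log in and confirm that the browser received a cookie named "smith" with the Secure flag set, which is what requireSSL="true" enforces.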
