Achieving website security involves the following aspects:
Authentication: The process of confirming a user's identity and authenticity. ASP.NET provides four types of authentication:
Windows authentication
Forms authentication
Passport authentication
Custom authentication
Authorization: The process of defining specific roles and assigning them to specific users.
Confidentiality: Includes encryption of the traffic between the client browser and the web server.
Integrity: Maintaining the integrity of data, for example by implementing digital signatures.
Generally speaking, forms-based authentication involves editing the web configuration file (web.config) and a login page that contains the authentication code. The web configuration file can be written as follows:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  ...
</configuration>
```

The login.aspx page referred to in the snippet above may contain the following code, with the user names and passwords used for authentication hard-coded in the file:

```csharp
using System;
using System.Web.Security;

// Credentials are hard-coded in source and compared in plaintext here;
// this is only a minimal illustration of the login flow.
protected bool authenticate(String uname, String pass)
{
    if (uname == "Tom") { if (pass == "tom123") return true; }
    if (uname == "Dick") { if (pass == "dick123") return true; }
    if (uname == "Harry") { if (pass == "har123") return true; }
    return false;
}

public void OnLogin(Object src, EventArgs e)
{
    if (authenticate(txtuser.Text, txtpwd.Text))
    {
        // Issues the forms authentication ticket and redirects to the page originally requested
        FormsAuthentication.RedirectFromLoginPage(txtuser.Text, chkrem.Checked);
    }
    else
    {
        Response.Write("Invalid user name or password");
    }
}
```
Note that the FormsAuthentication class is used for the authentication process.
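The authenticate() method above keeps plaintext passwords in source and compares them directly. The following is an added example, not code from the original page, of a hardened replacement: it stores only a random salt and a PBKDF2 hash per user, compares hashes in constant time, and runs the key derivation even for unknown user names so timing does not reveal which names exist. It assumes the same txtuser, txtpwd and chkrem controls as the page's login.aspx, and a constructed in-memory store seeded with one demo user stands in for the membership database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    const int SaltLen = 16, HashLen = 32, Iterations = 100000;
    // Constructed in-memory store (user -> (salt, PBKDF2 hash)) standing in for
    // the membership database; no plaintext password is kept anywhere.
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Store = new Dictionary<string, Tuple<byte[], byte[]>>();
    static Login() { Register("Tom", "tom123"); } // demo seeding only; real users register through the UI

    public static void Register(string user, string password)
    {
        var salt = new byte[SaltLen];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Store[user] = Tuple.Create(salt, Derive(password, salt));
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashLen);
    }

    // Constant-time comparison: a mismatch must not reveal how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool Authenticate(string user, string password)
    {
        Tuple<byte[], byte[]> rec;
        if (!Store.TryGetValue(user, out rec))
        {
            Derive(password, new byte[SaltLen]); // same cost for unknown users
            return false;
        }
        return FixedTimeEquals(Derive(password, rec.Item1), rec.Item2);
    }

    protected void OnLogin(object src, EventArgs e)
    {
        if (Authenticate(txtuser.Text, txtpwd.Text))
            FormsAuthentication.RedirectFromLoginPage(txtuser.Text, chkrem.Checked);
        else
            Response.Write("Invalid user name or password"); // generic message for both failure cases
    }
}
```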
However, Visual Studio makes it easy to implement user creation, authentication, and authorization through the Web Site Administration Tool without writing any code. This tool lets you create users and roles.
In addition, ASP.NET has a ready-made set of login controls that can do all of this work for you.
To set up forms-based authentication, you need the following:
A user database to support the authentication process
A website that uses the database
User accounts
Roles
Restrictions on user activities and group activities
A user page that displays user status and other information
A login interface that allows users to log in, retrieve passwords, and change passwords
To create a user, take the following steps:
Step 1: Select Website -> ASP.NET Configuration to open the Web Site Administration Tool.
Step 2: Click the Security tab.
Step 3: Set the authentication type to forms-based authentication by selecting the 'From the Internet' option.
Step 4: Click 'Create Users'. If you have already created roles, you can assign roles to the user at this step.
Step 5: Create a website and add the following pages:
Welcome page
Login page
Registration page
Password recovery page
Change password page
Step 6: Place a LoginStatus control in the login section of the welcome page. It has two templates: LoggedIn and LoggedOut.
The LoggedIn template is shown to logged-in users and the LoggedOut template to logged-out users. You can change the login and logout text in the Properties window.
Step 7: Place a LoginView control below the LoginStatus control. In it you can put text or other controls (hyperlinks, buttons, etc.) that differ depending on whether the user is logged in.
This control has two templates: the Anonymous template and the LoggedIn template. Select each view and write some text to display to the user when that template is active. The text should be placed in the area marked red in the image below.
Step 8: The developer creates the application's users, but you may also want visitors to create their own accounts. To allow this, add a link under the LoginView control that takes the visitor to the registration page.
Step 9: Place a CreateUserWizard control on the registration page. Set its ContinueDestinationPageUrl property so that the user is taken to the welcome page after registering.
Step 10: Create the login page and place a Login control on it. The LoginStatus control automatically links to the login page. You can change this default by editing the web configuration file.
For example, if you named your login page signup.aspx, you could add the following lines to the web configuration file:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="signup.aspx" defaultUrl="Welcome.aspx"/>
    </authentication>
  </system.web>
</configuration>
```
Step 11: Users often forget their passwords. The PasswordRecovery control helps a user regain access to their account. Select the Login control, open its smart tag, and choose 'Convert to Template'.
Customize the control's user interface by placing a HyperLink control below the login button. This link should point to the password recovery page.
Step 12: Place a PasswordRecovery control on the password recovery page. This control requires a mail server in order to send the password to the user.
Step 13: Set a link to the password change page in the LoggedIn box of the LoginView control on the welcome page.
Step 14: Set a ChangePassword control on the change password page. This control has two views:
Now run the application and observe the different security operations. You can go back to the Web Site Administration Tool and click the Security tab to create roles. Click 'Create Roles' to create some roles for this application.
Click 'Manage Users' to assign roles to users.
Secure Sockets Layer (SSL) is a protocol used to establish secure connections. With SSL, the browser encrypts all data it sends to the server and decrypts all data it receives from the server; likewise, the server encrypts and decrypts all data exchanged with the browser.
The URL of a secure connection uses the HTTPS protocol instead of HTTP. Browsers also display a small padlock when using a secure connection. When a browser begins communicating with a server over SSL, the server sends a security certificate to authenticate itself.
To use SSL, you need to purchase a digital security certificate from a trusted certification authority (CA) and install the certificate on the web server. The following are some reputable certification authorities:
www.verisign.com
www.geotrust.com
www.thawte.com
SSL is built into all major browsers and servers. To enable SSL, you need to install a digital certificate. The strength of a digital certificate depends on the length of the key generated during encryption: the longer the key, the stronger the certificate and the more secure the connection.

| Strength | Description |
|---|---|
| 40 bits | Supported by most browsers, but easy to break. |
| 56 bits | Stronger than 40-bit. |
| 128 bits | Hard to break, but not supported by all browsers. |