By: Chris Sully Date: January 30, 2003 Download the Code.
Printer Friendly Version
Abstract: this article develops a reasonably secure login facility utilizing the inbuilt features of ASP.Net (forms based authentication) Also presented is an introduction to related security features and issues, in particular mentioning how security could be further improved by consideration of technologies external. to .Net. IntroductionThis article considers and develops a reasonably secure login facility for use within an Internet application utilizing the inbuilt features of ASP.Net. This login facility is intended to protect an administrative section of an Internet site where there are only a limited number of users who will have access to that section of the site. The rest of the site will be accessible to unauthorized users. This problem specification will guide our decision-making. Also presented are suggestions as to how this security could be improved if you cross The Boundary Of ASP.NET Functionality Into Supporting Technologies. Firstly, However I '
ll provide an overview of web application security and the features available in ASP.Net, focusing particularly on forms based authentication, as this is the approach we shall eventually use as the basis for our login facility. Pre-requisites for this article include some prior knowledge of ASP.Net (web.config, security, etc.) and related technologies (eg IIS) as well as a basic understanding of general web and security related concepts, eg HTTP, cookies Web application security:. authentication and authorizationDifferent web sites require different levels of security. Some portions of a web site commonly require password-protected areas and there are many ways to implement such security, the choice largely dependent on the problem domain and the specific application requirements. Security for web applications is comprised of two Processes: Authentication and Authorization. The process of identifying your user and authenticating That the same is authenticati on. Authorization is the process of determining whether the authenticated user has access to the resource they are attempting to access. The authentication process requires validation against an appropriate data store, commonly called an authority, for example an instance of Active Directory. ASP.Net provides authorization services using both the URL and the file of the requested resource. Both checks must be successful for the user to be allowed to proceed to access said resource. authentication via ASP.NetASP.Net arrives complete with the following authentication providers that provide interfaces TO Other Levels of Security Existing With and / or External To The Web Server Computer System:
integrated windows authentication using NTLM or Kerberos forms based authentication passport authentication As with other configuration requirements web.config is utilized to define security settings such as:. the authentication method to use the users who are permitted to use the application how sensitive data should be encrypted Looking at Each Authentication Method in Turn With A View To Their Use in Our Login facility:
Integrated WindowsThis is a secure method but it is only supported by Internet Explorer and therefore most suited to intranet situations where browser type can be controlled. In fact it is the method of choice for Intranet applications. Typically it involves authentication against a Windows domain authority such as Active Directory or the Security Accounts Manager (SAM) using Windows NT Challenge / Response (NLTM). Integrated Windows authentication uses the domain, username and computer name of the client user to generate a 'challenge'. The client must enter the correct password which will causes the correct response to be generated and returned to the server in order for integrated Windows authentication to be used successfully in ASP.Net the application needs to be properly configured to so via do IIS -. you will commonly want to remove anonymous access SO Users Are Not Automatically Authenticated Via the Machines Iusr Account. You Should Also Configure The Directory Where The Protect ed resource is located as an application, though this may already be the case if this is the root directory of your web application. Consideration of suitabilityAs integrated Windows authentication is specific to Internet Explorer it is not a suitable authentication method for use with our login facility that we have specified we wish to use for Internet applications. In such a scenario a variety of browser types and versions may provide the client for our application and we would not wish to exclude a significant percentage of our possible user population from visiting our site. Forms based authenticationthis is cookie-based Authentication by Another Name and with a nice wrapper of functionality around it.
Such authentication is commonly deemed sufficient for large, public Internet sites. Forms authentication works by redirecting unauthenticated requests to a login page (typically username and a password are collected) via which the credentials of the user are collected and validated. If validated a cookie is issued which contains information subsequently used by ASP.Net to identify the user The longevity of the cookie may be controlled:.. for example you may specify that the cookie is valid only for the duration of the current user session Forms authentication is flexible in the authorities against which it can validate.. For example, it can validate credentials against a Windows based authority, as per integrated Windows, or other data sources such as a database or a simple text file. A further advantage over integrated Windows is that you have Control over the login screen use to automate uses. Forms Authentication is enabled in the applications web.config file, for example:
Using this method means there is very little coding for the developer to undertake due to the support provided by the .NET Framework, as we shall see a little later when we revisit this method. Note also the passwordFormat attribute is required, and can be one of the following values: ClearPasswords are stored in clear text The user password is compared directly to this value without further transformation MD5Passwords are stored using a Message Digest 5 (MD5) hash digest When credentials are validated, the user password is hashed using... the MD5 algorithm and compared for equality with this value. The clear-text password is never stored or compared when using this value. This algorithm produces better performance than SHA1. SHA1Passwords are stored using the SHA1 hash digest. When credentials are validated, the user Password Is Hashed Using The Sha1 Algorithm and Compared for Equality with this value. The clear-text password is never store. Use this value. Use this Algorithm for Best Security. What is hashing?
Hash algorithms map binary values of an arbitrary length to small binary values of a fixed length, known as hash values. A hash value is a unique and extremely compact numerical representation of a piece of data. The hash size for the SHA1 algorithm is 160 bits . SHA1 is more secure than the alternate MD5 algorithm, at the expense of performance. At this time there is no ASP.Net tool for creating hashed passwords for insertion into configuration files. However, there are classes and methods that make it easy for you to create them programmatically, in particular the FormsAuthentication class. It's HashPasswordForStoringInConfigFile method can do the hashing. At a lower level, you can use the System.Security.Cryptography classes, as well. We '
ll be looking at the former method later in this article. The flexibility of the authentication provider for Forms Authentication continues as we can select SQLServer as our data source though the developer needs then to write bespoke code for validating user credentials against the database. Typically you will then have a registration page to allow users to register their login details which will then be stored in SQLServer for use when the user then returns to a protected resource and is redirected to the login page by the forms authentication, assuming the corresponding cookie is not . still in existence This raises a further feature - we would want to give all users access to the registration page so that they may register but other resources should be protected Additionally, there may be a third level of security, for example an admin page. To List All Users Registered with the system. in Such a Situation We Can Have Multiple System.Web Sections IN Our Web.config File To Support TH e Different Levels of Authorization, As Follows:
t detected within the request. On the login page you would provide a link to register.aspx for users who require the facility. Alternatively you can have multiple web.config files, with that for a sub-directory overriding that for the application a whole , an approach that we shall implement later for completeness. Finally, you may also perform forms authentication in ASP.Net against a Web Service, which we will not consider any further as this could form an article in itself, and against Microsoft Passport. Passport uses standard web technologies such as SSL, cookies and Javascript and uses strong symmetric key encryption using Triple DES (3DES) to deliver a single sign in service where a user can register once and then has access to any passport enabled site. Consideration of suitabilityForms Based Authentication Is A Flexible Mechanism Supporting a Variety of Techniques of Various Levels of Security. Some of the Available Techniques May Be Secure Enough for Implementation IF Extended AP Propriately. Some of the techniques are more suited to our problem Domain Than Others, As We'll Discuss Shortly. in Terms of Specific Authorities:
Passport is most appropriately utilized where your site will be used in conjunction with other Passport enabled sites and where you do not wish to maintain your own user credentials data source. This is not the case in our chosen problem domain where Passport would both be overkill and inappropriate. SQLServer would be the correct solution for the most common web site scenario where you have many users visiting a site where the majority of content is protected. Then an automated registration facility is the obvious solution with a configuration as per the web.config file just introduced. In our chosen problem domain we have stated that we potentially have only a handful of users accounts accessing a small portion of the application functionality and hence SQLServer is not necessarily the best solution, though is perfectly viable. Use of the credentials section of THE FORMS Element of Web.config OR A Simple Text / XML File Would Seem Most Suitable for this Problem Domain. The Extra Secur ity and simplicity of implementation offered by the former makes this the method of choice Authorization via ASP.NetAs discussed earlier this is the second stage of gaining access to a site:.. determining whether an authenticated user should be permitted access to a requested resource File authorization utilizes windows security services access control lists (ACLs) -. using the authorized identity to do so Further, ASP.Net allows further refinement based on the URL requested, as you may have recognized in the examples already introduced, as well as the HTTP Request Method Attempted Via the Valid Values of Which Are: Get, Post, Head or Debug. I can't Think of Many Occasions in which you
D Want to Use this feature but you may have other idea! You May Also Refer to Windows Roles As Well As Named Users. A FEW EXAMPLES To Clarify:
How secure is the cookie based access Note above that encryption and validation are used by default How secure are these in reality Validation works exactly the same for authentication cookies as it does for view state:?.? The
t be read or altered, but they can be stolen and used illicitly. Time-outs are the only protection a cookie offers against replay attacks, and they apply to session cookies only. The most reliable way to prevent someone from spoofing your site with a stolen authentication cookie is to use an encrypted communications link (HTTPS). Talking of which, this is one situation when you might want to turn off both encryption and validation. There is little point encrypting the communication again if you are already using HTTPS. Whilst on the subject of cookies, remember also that cookie support can be turned off via the client browser. This should also be borne in mind when designing your application. How secure is the logging on procedure to a web form? Does it use clear text username And Password Transmission That Could Be Susceptible To Observation, Capture and Subsequent Misuse? Yes Is The Answer. Thus you want a secure solution but don '
t want the overhead of encrypting communications to all parts of your site, consider at least submitting user names and passwords over HTTPS, this assuming your web hosting service provides this. To reiterate, the forms security model allows us to configure keys to use for encryption and decryption of forms authentication cookie data Here we have a problem -. this only encrypts the cookie data -. the initial login screen data, ie email / password is not encrypted We are using standard HTTP transmitting data in clear text which is susceptible to interception .. The only way around this is to go to HTTPS and a secure communication channel Which perhaps begs the question - what is the point of encrypting the cookie data if our access is susceptible anyway if we are using an unsecured communication channel Well, if? WE ENABLE COGINIE Authentication WHEN WHEN THE SERVER WILL BE More Secure. After That Initial Login A Malicious Attacker Could Not e asily gain our login details and gain access to the site simply by examining the contents of the packets of information passed to and from the web server. However, note the earlier comments on cookie theft. It is important to understand these concepts and the impact our Decisions Have ON The Overall Security Of Our Application Data. It is Perhaps Unsurprising Given The Above That for the Most Secure Applications:
A secure HTTPS channel is used whenever dealing with username / password / related data Cookies are not exclusively relied upon:.. Often though recall of certain information is cookie based important transactions still require authorization via an encrypted password or number It is up to the application architect / programmer to decide whether this level of security is appropriate to their system. Finally, before we actually come up with some code remember that forms based security secures only ASP.Net resources. It does not protect HTML files, for example. Just because you have secured a directory using web.config / ASP.Net does not mean you have secured all files in that directory. to do this you could look at features available via IIS. The 'Application'Finally to the code and making our ASP.NET Application As Secure As Possible Using The Facilities ASP.NET Provides. Taking The Above Described Scenario WHERE WE HAVE A Secure Sub-Directory The Files WIHICH WISH To Protect. Howev er, we anticipate there will only be a handful of users who will need access to the directory and hence this is a suitable problem domain to be addressed with a web.config based authority solution as earlier decided. Starting with our web.config file. WE CAN Secure The Location Element, AS Described Above, But Just To Demonstrate The Alternative Double Web.config Based Approach, Here Is The Web.config At The Root Level:
If FormsAuthentication.Authenticate (Username.Value, UserPass.Value) Then FormsAuthentication.RedirectFromLoginPage (UserName.Value, false) Else Msg.text = "credentials not valid" End If Could it be any simpler? The FormsAuthentication object knows what authority it needs to validate against as this has been specified in the web.config file. If the user details match, the code proceeds to redirect back to the secured resource and also sets the cookie for the user session based on the user name entered. The parameter ' false 'indicates that the cookie should not be permanently stored on the client machine. Its lifetime will be the duration of the user session by default. This can be altered if so desired. Back to web.config to improve the security. The details are being stored unencrypted - we can encrypt them with the aforementioned HashPasswordForStoringInConfigFile of the FormsAuthentication class, achieved simply as follows: Private Function encode (ByVal cleartext As String) As strin g encode = FormsAuthentication.HashPasswordForStoringInConfigFile (cleartext, "SHA1") Return encodeEnd Function This is the key function of the encode.aspx file provided with the code download, which accepts a text string (the original password - 'password' in this case) And Outputs a sha1 encode. thus, we new improved configuration section oor root web.config file becomes:
Root / web.config root web.config fileRoot / webform1.aspx test pageRoot / login_credentials.aspx login page Root / encode.aspx form to SHA1 encode a password for
You are deploying an application on a corporate intranet and can take advantage of the more secure Integrated Windows authentication You are unable to perform programmatic access to verify the user name and password Further security considerations for forms based authentication..:
If users are submitting passwords via the logon page, you can (should?) Secure the channel using SSL to prevent passwords from being easily obtained by hackers. If you are using cookies to maintain the identity of the user between requests, you should be aware of the potential security risk of a hacker "stealing" the user's cookie using a network-monitoring program. To ensure the site is completely secure when using cookies you must use SSL for all communications with the site. This will be an impractical restriction for most sites due to the significant performance overhead. A compromise available within ASP.Net is to have the server regenerate cookies at timed intervals. This policy of cookie expiration is designed to prevent another user from accessing the site with a stolen cookie. Finally, different authorities Are Appropriate for Form-Based Authentication for Different Problem Domains. for Our Considered Scenario WHERE THE NUBER OF USERS WAS LIMITED AS WERE ONLY Protecting A specific administrative resource credentials / XML file based authorities are adequate For a scenario where all site information is 'protected' a database authority is most likely to be the optimal solution ReferencesASP.Net:.. Tips, Tutorial and CodeScott Mitchell et al.Sams. Net SDK documentation Various online articles, in particular: ASP.Net Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.Net and IIS - MSDN Magazine, April 2002http: //msdn.microsoft.com/msdnmag/issues / 02/04/ASPSec/Default.aspxan Excellent and detailed introduction to Iis and asp.net security issues. Http://msdn.microsoft.com/library/default.asp?url=