With online attacks and scams now widespread, authentication has become one of the most sensitive topics for application designers and developers, whatever their other concerns. An application that stores sensitive information must be protected against malicious attacks and against competitors stealing information or intellectual property. When designing a security model for your application, you need to understand the security requirements from a business perspective, as well as what the chosen security model means for performance, scalability, and deployment.
1. Several authentication technologies
1.1 Form Authentication
Form authentication refers to a custom user-interface component that accepts user credentials, for example a username and password. Many Internet applications today use such a form for users to log in. Note that the form itself does not perform authentication; it is only a means of collecting the credentials. Authentication is implemented by custom code that checks the username and password against a database. After a user has been verified, the server usually indicates to the client in some way that it has been authenticated, so that subsequent requests can proceed. You can force users to authenticate on every request if needed, but this affects performance and scalability. There are two basic methods of recognising a client that has already logged in; the one discussed here is the cookie. A cookie is a small piece of data initially sent by the server to the client, which the client then sends back to the server with every HTTP request, so it can serve as a marker that the client has passed authentication. ASP.NET provides cookie-based form authentication through the CookieAuthenticationProvider module. Most web browsers (including Internet Explorer and Netscape Navigator) support cookies.
This authentication technique is relatively easy to implement, but the username and password that make up the user's credentials are transmitted through the form, which means its security is quite low: an attacker can easily intercept the username and password on the network. Another disadvantage of this scheme is that the usernames and passwords are stored in a database. Once an attacker has obtained the database login password, all user information is exposed, even if the password strings are encrypted in your system.
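The following login page is an added example, not code from the article, of the form-authentication flow just described, written the way the second disadvantage above argues it should be: the database holds a per-user salt and a PBKDF2 hash rather than the password, so a stolen table does not directly yield credentials. The control names, the Logins table and its columns, and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical login page: control names, the Logins table and its columns are assumptions.
public class Login : Page
{
    protected TextBox txtUserName;
    protected TextBox txtPassword;
    protected Label lblMessage;

    // Assumed connection string; integrated security avoids embedding a SQL password in code.
    private const string ConnString = "server=localhost;database=UserPopedom;Integrated Security=SSPI";
    private const int Iterations = 100000;   // PBKDF2 work factor
    private const int HashBytes = 32;

    // Derive a 32-byte key from the password and a per-user salt with PBKDF2 (RFC 2898).
    private static byte[] HashPassword(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashBytes);
    }

    // Compare every byte so the time taken does not reveal how long the matching prefix was.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Called when an account is created: store salt and hash, never the password itself.
    public static void StoreLogin(string userName, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = HashPassword(password, salt);
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT INTO Logins (UserName, PasswordSalt, PasswordHash) VALUES (@user, @salt, @hash)";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@salt", SqlDbType.VarBinary, 16).Value = salt;
            cmd.Parameters.Add("@hash", SqlDbType.VarBinary, HashBytes).Value = hash;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Returns true only if the submitted password re-derives the stored hash.
    private static bool VerifyCredentials(string userName, string password)
    {
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterized query: the form input never becomes part of the SQL text.
            cmd.CommandText = "SELECT PasswordSalt, PasswordHash FROM Logins WHERE UserName = @user";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;   // unknown user: same message as a wrong password
                byte[] salt = (byte[])reader["PasswordSalt"];
                byte[] stored = (byte[])reader["PasswordHash"];
                return FixedTimeEquals(stored, HashPassword(password, salt));
            }
        }
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (VerifyCredentials(txtUserName.Text, txtPassword.Text))
        {
            // The form only collected the credentials; this call is what marks the client as
            // authenticated, by issuing the forms-authentication cookie and redirecting.
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        }
        else
        {
            lblMessage.Text = "Invalid username or password.";
        }
    }
}
```

Hashing the stored password addresses only the second disadvantage. The first one remains: the username and password still cross the network in the form post, and afterwards the cookie does, so the login page and everything behind it must be served over HTTPS, with requireSSL="true" on the forms element in web.config so that the cookie is never sent over plain HTTP.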
1.2 Windows Authentication
This provider relies on IIS authentication. When IIS has completed authentication, ASP.NET uses the verified identity to authorize access. With this method you do not have to write any authentication code. When verifying with this method, ASP.NET constructs a WindowsPrincipal object based on the verified user and attaches it to the application context. In this way the ASP.NET thread can operate as the verified user and obtain the user's group memberships.
As shown in the figure below, the browser issues a request to the web server, and the web server hands it over to Windows. IIS presents the browser with a login dialog, and once Windows has completed authentication the ASP.NET program obtains the user account, allocates the user's permissions from the system's permissions database, and returns the result to the browser to complete the login.

2. Comparison of the two schemes

2.1 Ease of implementation

Form authentication: ease of implementation is the advantage of this method. You only need to write a small amount of code that takes the username and password from the form and compares them with the records in the database; if they match, the user has passed verification, and the server then writes a verification marker (a cookie) to the client so that authentication is not required again.

Windows authentication: this method requires no verification code at all. The ASP.NET program simply obtains the login identity and then restricts access according to the permissions specified in the database.
2.2 Security

For form authentication, security is the weaker point. First, this method requires a username and password database, which means that if the database is compromised, user information is exposed. Second, during form verification the username and password are transmitted over the network in clear text, and an attacker can easily intercept this sensitive information. This problem does not arise with Windows integrated authentication, because the user account is a Windows account and the username and password are transmitted in encrypted form.

2.3 Other aspects

Browser support: form authentication works with non-IE browsers, whereas Windows authentication supports no browser other than Internet Explorer.

Requirements on user accounts: Windows authentication requires users to have a Windows account; form authentication has no such requirement. In addition, Windows authentication can log users in seamlessly, that is, without a pop-up dialog box, which is quite convenient for users on a personal computer.

3. Selection of the scheme

Considering the advantages and disadvantages of the two schemes above, combined with the characteristics of our company's system development, namely that user authentication requirements are strict and the user group is small, we chose Windows authentication.
4. Implementation of Windows Authentication

4.1 Environment settings

If your ASP.NET application needs to run as the user who has been verified by IIS using integrated Windows authentication, use the following web.config configuration:

// Web.config File
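An added example of such a web.config (not the article's own file): it hands authentication to IIS, runs the request thread as the authenticated Windows user, and rejects anonymous requests so that every page sees an authenticated identity. In IIS itself, anonymous access must be disabled and Integrated Windows Authentication enabled on the virtual directory for this to take effect.

```xml
<configuration>
  <system.web>
    <!-- IIS performs integrated Windows authentication; ASP.NET trusts the result. -->
    <authentication mode="Windows" />
    <!-- Run the request thread as the authenticated Windows user. -->
    <identity impersonate="true" />
    <!-- Deny anonymous users ("?") so unauthenticated requests get 401, not a page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```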
Creating a web application that adds users

1. Start Visual Studio .NET and create a new Visual C# ASP.NET web application called MyWebApplication.
2. In the Solution Explorer, rename WebForm1.aspx to AddUser.aspx.
3. Add the controls listed in Table 1 to AddUser.aspx to create a simple add-user form.
Table 1: AddUser.aspx controls

Control type   Text              ID
Label          Username:         -
Label          User Permission   -
Text Box       -                 txtUserID
Text Box       -                 txtUserGroup
Button         Add               btnAdd
Label          -                 lblMessage

Storing permission information in the database with ADO.NET:

// Writes one user record to the UserPopedom database.
// The first parameter is a string: every caller passes the Windows account name,
// and GetUserPopedom later looks it up as a string.
private void StoreUserPopedom(string strUserID, string strUserName, int iUserGroup)
{
    // Connection string as given in the article; prefer integrated security over the sa account in production.
    string connString = "server=localhost;database=UserPopedom;UID=sa;pwd=123";
    // Parameterized INSERT: values typed into the form never become part of the SQL text.
    string comString = "Insert Users (UserID, UserName, UserGroup) Values (@UserID, @UserName, @UserGroup)";
    SqlConnection myConn = new SqlConnection(connString);
    SqlCommand myCom = myConn.CreateCommand();
    myCom.CommandText = comString;
    myCom.Parameters.Add("@UserID", System.Data.SqlDbType.NVarChar, 64).Value = strUserID;
    myCom.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 64).Value = strUserName;
    myCom.Parameters.Add("@UserGroup", System.Data.SqlDbType.Int).Value = iUserGroup;
    try
    {
        myConn.Open();
        myCom.ExecuteNonQuery();
    }
    catch (Exception e)
    {
        this.lblMessage.Text = "Exception: " + e.Message;
    }
    finally
    {
        myConn.Close();
    }
}
Developing the add-user program

1. In the Solution Explorer, right-click References | Add Reference, locate System.DirectoryServices.dll, click Select, then OK, as shown in Figure 3. Open AddUser.aspx.cs and add the following using statements to the existing ones at the top of the file:

using System.Data.SqlClient;
using System.DirectoryServices;

2. In the AddUser.aspx design view, double-click the Add button on the form to create the button's Click event handler, and add the following code:

bool flag = false;
string strUserID = this.txtUserID.Text;
int iUserGroup = Convert.ToInt32(this.txtUserGroup.Text);
// Bind to the local machine through the WinNT ADSI provider. The path in the article is garbled;
// "WinNT://<machine name>" is the standard local-computer path and is used here as an assumption.
DirectoryEntry entryPC = new DirectoryEntry("WinNT://" + Environment.MachineName);
// Look for a local user account whose name matches the one typed into the form
// (Windows account names are not case-sensitive, so compare ignoring case).
foreach (System.DirectoryServices.DirectoryEntry child in entryPC.Children)
{
    if ((child.SchemaClassName == "User") && (string.Compare(child.Name, strUserID, true) == 0))
    {
        flag = true;
        break;
    }
}
if (flag == true)
{
    StoreUserPopedom(strUserID, strUserID, iUserGroup);
    this.lblMessage.Text = "Success!";
}
else
{
    this.lblMessage.Text = "Fail!";
}

3. You can also import all Windows users into your database at once. Simply replace the code above with:

DirectoryEntry entryPC = new DirectoryEntry("WinNT://" + Environment.MachineName);
foreach (System.DirectoryServices.DirectoryEntry child in entryPC.Children)
{
    if (child.SchemaClassName == "User")
    {
        // Username and group are left blank for now; 0 is a placeholder meaning "no group assigned yet".
        StoreUserPopedom(child.Name, "", 0);
    }
}
With Windows integrated authentication, the authentication itself needs no handling from us. All we have to do is obtain the account of the currently logged-in user and then decide what the user may see according to the corresponding permissions in the user-rights database.

1. Open AddUser.aspx.cs and add the following code:

private int GetUserPopedom(string strUserID)
{
    int iUserGroup = -1;
    string connString = "server=localhost;database=UserPopedom;UID=sa;pwd=123";
    // Parameterized query: the account name is passed as a value, not spliced into the SQL text.
    string comString = "Select UserGroup From Users Where UserID = @UserID";
    SqlConnection myConn = new SqlConnection(connString);
    SqlCommand myCom = myConn.CreateCommand();
    myCom.CommandText = comString;
    myCom.Parameters.Add("@UserID", System.Data.SqlDbType.NVarChar, 64).Value = strUserID;
    try
    {
        myConn.Open();
        object result = myCom.ExecuteScalar();
        if (result == null) return -1;   // account is not in the permissions database
        iUserGroup = Convert.ToInt32(result);
    }
    catch (Exception e)
    {
        this.lblMessage.Text = "Exception: " + e.Message;
        return -1;
    }
    finally
    {
        myConn.Close();
    }
    return iUserGroup;
}

2. Open AddUser.aspx.cs and add the following code to the page load handler:

string strUserID = this.Page.User.Identity.Name;
// Identity.Name has the form "MACHINE\user" or "DOMAIN\user", while the Users table
// stores the bare account name taken from the WinNT provider, so strip the prefix.
int iSlash = strUserID.LastIndexOf('\\');
if (iSlash >= 0) strUserID = strUserID.Substring(iSlash + 1);
int iUserGroup = GetUserPopedom(strUserID);
. . .

Knowing the permission group to which the user belongs (the permission groups are your own definition), you can display the contents of the page as required.

Providing users with an interface to change their password

Table 2: ChangePassword.aspx controls

Control type   Text            ID
Label          Old password:   -
Label          New password:   -
Text Box       -               txtNOldPsd
Button         Modify          btnOK
Label          -               lblMessage

Figure 4: Change password interface

1. In the ChangePassword.aspx design view, double-click the Modify button on the form to create the button's Click event handler.
2. Add the following code to this method.
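The step "display the contents of the page as required" is where the authorization decision actually happens, so here is an added example (not the article's code) of a protected page that takes the Windows identity, looks up the permission group in the Users table, and shows content on a default-deny basis, refusing users who authenticated to Windows but have no row in the permissions database. The panel names, the two group numbers, the connection string and the LookupGroup helper are assumptions; the lookup mirrors the article's GetUserPopedom.

```csharp
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical protected page; panel names and group numbers are assumptions.
public class MainPage : Page
{
    protected Panel pnlAdmin;   // content only group-1 users may see
    protected Panel pnlUser;    // content every known user may see
    protected Label lblMessage;

    private const int GroupAdmin = 1;
    private const int GroupUser = 2;

    // Same lookup as the article's GetUserPopedom: parameterized query, -1 when the account is unknown.
    private static int LookupGroup(string account)
    {
        string connString = "server=localhost;database=UserPopedom;Integrated Security=SSPI";
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "Select UserGroup From Users Where UserID = @UserID";
            cmd.Parameters.Add("@UserID", System.Data.SqlDbType.NVarChar, 64).Value = account;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? -1 : Convert.ToInt32(result);
        }
    }

    // "DOMAIN\user" or "MACHINE\user" -> "user", the form stored by the add-user page.
    private static string StripDomain(string identityName)
    {
        int slash = identityName.LastIndexOf('\\');
        return slash >= 0 ? identityName.Substring(slash + 1) : identityName;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // With <authentication mode="Windows"/> and <deny users="?"/> this always holds;
        // checking it anyway makes the page fail closed if the configuration is ever loosened.
        if (!Page.User.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        int group = LookupGroup(StripDomain(Page.User.Identity.Name));

        // Default deny: nothing is visible until the group says otherwise.
        pnlAdmin.Visible = false;
        pnlUser.Visible = false;

        switch (group)
        {
            case GroupAdmin:
                pnlAdmin.Visible = true;
                pnlUser.Visible = true;
                break;
            case GroupUser:
                pnlUser.Visible = true;
                break;
            default:
                // Authenticated by Windows but absent from the permissions database:
                // refuse rather than fall through to some default view.
                Response.StatusCode = 403;
                Response.End();
                break;
        }
    }
}
```

Hiding a panel only controls what is rendered; any page or handler that the hidden panel links to must perform the same group check itself, because a user who knows the URL can request it directly.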