This article is based on the ASP.NET 2.0 Community Technology Preview released in March 2004. All information in the text is subject to change.
This article discusses:
• Security enhancements in ASP.NET 2.0
• Server-side security controls
• User and role databases
• Cookieless forms authentication
This article uses the following technologies:
ASP.NET, authentication
On this page:
• Advances in Forms Authentication
• Getting Started
• Server-Side Security Controls
• Defining Roles
• Password Recovery
• Tweaking the Provider Controls
• Tweaking Membership and Role Programming
• Cookieless Forms Authentication
• Some Caveats
• Summary
The new security features are an important improvement in ASP.NET 2.0. They include a Membership service that manages a user account database with hashed passwords, a Role Manager that manages users' role membership, and five new server-side controls that make these services easier to put to work. ASP.NET 2.0 also provides a provider model that gives you full control over how the Membership and Role services are implemented, and it supports forms authentication without cookies. You can also easily perform Web-based local and remote administration of user accounts and roles, and gain better control over other, non-security-related settings.
Advances in Forms Authentication
Forms authentication is one of the most widely used features of ASP.NET 1.0, because it encapsulates best practices that many home-grown implementations lack. For example, how many hand-rolled forms authentication implementations do you know of that protect the integrity of the cookie carrying the client's credentials? Forms authentication not only writes the user name into the cookie, it also adds a message authentication code (a hash computed over the cookie contents and a secret value known only to the web server). This keeps a malicious client from elevating its privileges, or viewing another user's data, by editing the name in its cookie. If you follow the newsgroups and list servers frequented by .NET web developers, you will notice people implementing the same things over and over again: user databases, cached roles, controls that capture user names and passwords, and tools for managing users and roles. The ASP.NET team has now provided built-in solutions for almost all of these problems. When I studied the early beta of ASP.NET 2.0, I was amazed at how much it reduces the amount of code needed to build a site that uses forms authentication in a manageable way.
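The point about the message authentication code is easy to see in code. The following is an added example, not code from this article or from ASP.NET: it contrasts a cookie that holds only the user name with one that also carries an HMAC-SHA256 over the name keyed with a server-only secret, and shows that an edited name fails validation. The secret, the ticket layout and every function name here are constructed for the demonstration; ASP.NET's real ticket format and the algorithm it takes from its machineKey configuration differ in detail.

```python
import hashlib
import hmac

# Constructed demo secret. ASP.NET keeps its equivalent in the machineKey
# configuration; the secret must never reach the client.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def naive_cookie(username: str) -> str:
    """The weak pattern: the cookie is just the user name, with nothing
    proving that the server wrote it."""
    return username


def naive_user_from_cookie(cookie: str) -> str:
    """A server that trusts the naive cookie accepts whatever name is in it."""
    return cookie


def issue_ticket(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Write the user name into the cookie together with a MAC over it,
    keyed with the server-only secret (HMAC-SHA256 in this example)."""
    payload = username.encode("utf-8").hex()
    mac = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def user_from_ticket(ticket: str, secret: bytes = SERVER_SECRET):
    """Recompute the MAC and accept the name only if it matches.
    Returns the user name, or None if the ticket is altered or malformed."""
    payload, sep, mac = ticket.partition(":")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return bytes.fromhex(payload).decode("utf-8")
    except ValueError:
        return None


def rewrite_name(ticket: str, new_username: str) -> str:
    """Models a client editing the name in its cookie while keeping the MAC
    it was issued; used here only to show that the server rejects it."""
    _, _, mac = ticket.partition(":")
    return f"{new_username.encode('utf-8').hex()}:{mac}"


if __name__ == "__main__":
    # Constructed scenario: "alice" signs in, then the client edits its cookie.
    weak = naive_cookie("alice").replace("alice", "admin")
    print("naive cookie after edit ->", naive_user_from_cookie(weak))   # admin
    ticket = issue_ticket("alice")
    print("genuine ticket          ->", user_from_ticket(ticket))       # alice
    print("edited ticket           ->", user_from_ticket(rewrite_name(ticket, "admin")))  # None
```

Because the MAC is keyed with a value the client never sees, the client cannot recompute it for a different name; the server therefore treats any ticket whose MAC does not verify as unauthenticated rather than trusting the name inside it.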
Getting Started
As I walk you through a few experiments, you will see how easy it is to start using these new features. If you have the ASP.NET 2.0 beta (MSDN Universal subscribers can download it), you can follow along.
First, you need a virtual directory that points to an empty directory. Make sure the ASP.NET worker process has permission to read, execute, and write to this directory. If you are running Windows 2000 or Windows XP, grant these permissions to the local ASPNET account; under Windows Server 2003, grant them to the Network Service account.
I will be using forms authentication, so I need to enable it in the web.config file. If I were showing you how to do this in ASP.NET 1.1, I would tell you to open a text editor and start typing XML. But one of my favorite features of ASP.NET 2.0 is the interactive configuration editor, which is built right into the IIS Management Console; you will find it on the ASP.NET tab of the virtual directory's properties. Click Edit Configuration and the editor pops up.
Figure 1 Configuration Editor
Figure 1 shows the new editor. You can see that I chose forms authentication instead of the default, Windows authentication. Do the same in your own virtual directory. While you are in the configuration tool, set the default language of the web application to C#, because that will save you some typing later; the page language default is the first drop-down option on the Application tab. After you apply these changes, you will find a web.config file in the directory that holds all of these settings. To get started you need to register some users with the Membership service, so the first page you write should let you add users. The beta provides a server control for this, and you can implement the page with the following three lines of code: