9.0 Introduction

ASP.NET provides an infrastructure for authentication and authorization that will meet most of your needs for securing an application. Three authentication schemes are available: Forms, Windows, and Passport.

Forms

With Forms authentication, you use a classic custom login page to gather credentials from users and to authenticate the information supplied against a database or other data store of authorized users. You can leverage the FormsAuthentication APIs built into ASP.NET to issue a cookie back to the client. Recipes in this chapter show you how to use Forms authentication to restrict access to some or all pages of an application. We will show you how to restrict access to pages depending on the role assigned to the user.

Windows

Implementing Window authentication involves using a standard Windows dialog box to gather user credentials and validating the user against existing Windows accounts. If your application runs on an intranet, you will find that the fourth recipe in the chapter helps you implement Windows authentication in record time.

Passport

Passport authentication uses Microsoft's Passport service to perform the required authentication. We haven't provided any examples in this chapter, not because Passport authentication is especially difficult but because we doubt many readers are implementing it. Irrespective of our personal views, we have yet to see much interest in Passport authentication on a commercial level.

If none of the built-in authentication schemes provided by ASP.NET meets the needs of your application, the .NET Framework provides the ability to create your own authentication scheme. This typically involves writing a custom class that implements the IAuthenticationModule interface and registering it to bypass the built-in .NET authentication. Custom authentication is not covered in this book because of its individual nature. You can find more details in the MSDN Library by searching for the term "custom authentication."

This chapter provides several recipes for securing your applications using the built-in mechanisms provided by ASP.NET. These are usually adequate to meet the needs of your application.

One of the most important recommendations we can make is that you always have the security features of your application reviewed by key project stakeholders and security specialists. Bringing other perspectives to issues of security is always a good idea because it is difficult to conceive of all the ways security may be breached in your environment. Having others inspect your plans saves you having to shoulder the entire security burden alone, which is an unwise and uncomfortable position to be in.

With regard to the enhancements to the security-related features in ASP.NET 2.0, you will notice that we have made strategic use of the login controls (especially the asp:Login and asp:LoginName), which simplify the process of writing security-related code as it relates to having users log in, log out, provide their name, etc. We will show you how to secure your website using ASP.NET 2.0's Membership and Role providers, which is the subject of the final recipe in the chapter. As part of this recipe, we will show you how to use the configuration tool ASP.NET 2.0 offers for managing users and their roles. Taken together, these security-related features make it easy to add strong authentication mechanisms to your website with little or no code.