Special Edition Using ASP.Net - page 130

Summary

Application and session variables give you a powerful mechanism for maintaining the state of your application and your user sessions. Although this mechanism can be overused in some cases (excessively consuming resources and possibly creating deadlock situations), it is very valuable for the developer.

If you work through these examples in this chapter, you will see how easy it is to use session and application variables. It won't be long before you are totally comfortable with doing this in your applications.

Chapter 18. Security

In this chapter

Web Security Overview

Server Authentication

Client Authentication

ASP.NET Security

ASP.NET Impersonation

I can't tell you how many times I have sat in a meeting where management and marketing painted a rosy picture about the next application that we would be developing. The applications always had the bells and whistles, were easy to use, and would make us tons of money. But the question of security was never raised during these meetings. All marketing wants is a slick application that will attract lots of paying customers. All management wants is to get the application finished on time. And the developers get swept up in the euphoria of the moment and neglect to ask the tough questions about security.

This chapter talks about security for ASP.NET applications. It covers the security that is available through IIS and several types of security that are available through ASP.NET. One of the things you will find, though, when you add security to your application, is that security can be at 180-degree odds with marketing's plans for a Web site that is slick and easy to use. You see, when you add security it becomes harder for users to get where they want to be, because not all users are going to be allowed to access certain Web pages and information. Your job is to balance the ease of use of your Web application with the need for security. You will have to know that the person who is trying to access restricted pages has the proper credentials. This chapter shows you how to add security to your ASP.NET application, and gives you a road map for deciding which security methods you should implement.

Web Security Overview

It is one thing to worry about security on your company's network, but it is another thing to worry about security in a Web application. Connections can come from anyplace in the world, and the possibility of data interception exists anywhere along that connection path. It is also more difficult in a Web application to know where the user is. On your company's network, if it is a LAN, you know that users are in the building or somewhere close by.

Authentication is one of the foremost components of a Web application's security. This authentication takes two forms: server authentication and client authentication.

A client machine can surf to many Web sites without fear of who is managing the site and its content. But when it comes to sending sensitive information, such as Social Security numbers and credit card numbers, clients are much more concerned about verifying the identity of the Web application with which they are interacting.

The other side of the coin appears when the client is trying to access information that is itself sensitive; medical records would be a good example. A physician somewhere might be trying to access the medical records for one of her patients. This could include X-rays, former diagnoses, and similar information. If the wrong person were to gain access to these records, the patient's confidentiality would be violated.

Other examples of when the server must verify identity are when the client is trying to access some sort of premium content, such as real-time stock quotes, online games, or patent information. When a client tries to gain access to premium content, the Web application must verify who this person is and that he has access to the premium content. It is fair to say that there is no single correct way to secure these items. Each Web application, and each part of a Web application, might have a different approach to Web security, depending on the need. The general rule is to require the least amount of security that the situation calls for. This normally requires less of users in the way of logging on, and requires less of the server in regard to maintaining the security.

Web application developers should always be aware of the level of security that is required for a situation. They should add only the security services that are necessary. Each additional security requirement makes your application more complex and can have significant impact on its design.