The <authentication> element configures the authentication mode that your applications use.
The appropriate authentication mode depends on how your application or Web service has been designed. The default Machine.config setting applies a secure Windows authentication default as shown below.
<!-- authentication Attributes: mode="[Windows|Forms|Passport|None]" -->
<authentication mode="Windows" />
To use Forms authentication, set mode="Forms" on the <authentication> element. Next, configure Forms authentication using the child <forms> element. The following fragment shows a secure <forms> authentication element configuration:
<authentication mode="Forms">
  <forms loginUrl="Restricted\login.aspx"
         protection="All"
         requireSSL="true"
         timeout="10"
         name="AppNameCookie"
         path="/FormsAuth"
         slidingExpiration="true" >
  </forms>
</authentication>
The attributes in this fragment serve the following purposes:
loginUrl="Restricted\login.aspx": login page in an SSL protected folder.
protection="All": privacy and integrity.
requireSSL="true": prevents the cookie from being sent over HTTP.
timeout="10": limited session lifetime.
name="AppNameCookie" and path="/FormsAuth": unique per-application name and path.
slidingExpiration="true": sliding session lifetime.
Use the following recommendations to improve Forms authentication security:
Partition your Web site.
Set protection="All".
Use small cookie time-out values.
Consider using a fixed expiration period.
Use SSL with Forms authentication.
If you do not use SSL, set slidingExpiration="false".
Do not use the <credentials> element on production servers.
Configure the <machineKey> element.
Use unique cookie names and paths.
Separate the public and restricted access areas of your Web site. Place your application's logon page and other pages and resources that should only be accessed by authenticated users in a separate folder from the public access areas. Protect the restricted subfolders by configuring them in IIS to require SSL access, and then use <authorization> elements to restrict access and force a login. For example, the following Web.config configuration allows anyone to access the current directory (this provides public access), but prevents unauthenticated users from accessing the restricted subfolder. Any attempt to do so forces a Forms login.
<system.web>
  <!-- The virtual directory root folder contains general pages.
       Unauthenticated users can view them and they do not need to be
       secured with SSL. -->
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>
<!-- The restricted folder is for authenticated and SSL access only. -->
<location path="Restricted" >
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
For additional programmatic considerations, such as how to navigate between restricted and non-restricted pages, see "Forms Authentication" in Chapter 10, "Building ASP.NET Web Pages and Controls."
Setting protection="All" ensures that the Forms authentication cookie is encrypted and signed to provide privacy and integrity. The keys and algorithms used for cookie encryption are specified on the <machineKey> element.
Encryption and integrity checks prevent cookie tampering, although they do not mitigate the risk of cookie replay attacks if an attacker manages to capture the cookie. Also use SSL to prevent an attacker from capturing the cookie by using network monitoring software. Even with SSL, cookies can still be stolen through cross-site scripting (XSS) attacks. The application must take adequate precautions with an appropriate input validation strategy to mitigate this risk.
Use small time-out values (the timeout attribute of the <forms> element) to limit the session lifetime and to reduce the window of opportunity for cookie replay attacks.
Consider setting slidingExpiration="false" on the <forms> element to fix the cookie expiration, rather than resetting the expiration period after each Web request. This is important if you are not using SSL to protect the cookie.
Note: This feature is available with .NET Framework version 1.1.
Use SSL to protect credentials and the authentication cookie. SSL prevents an attacker from capturing credentials or the Forms authentication cookie that is used to identify you to the application. A stolen authentication cookie is a stolen logon.
Set requireSSL="true". This sets the Secure attribute in the cookie, which ensures that the cookie is not transmitted from a browser to the server over an HTTP link. HTTPS (SSL) is required.
Note: This is a .NET Framework version 1.1 setting. It takes explicit programming to set the cookie Secure attribute in applications built on version 1.0. For more information and sample code, see Chapter 10, "Building Secure ASP.NET Web Pages and Controls."
With slidingExpiration set to false, you fix the cookie time-out period as a number of minutes from initial cookie creation. Otherwise, the time-out is renewed on each request to the Web server, so if the cookie is captured, sliding expiration gives an attacker as much time as he needs to access your application as an authenticated user.
Note: This feature is available in .NET Framework version 1.1.
The <credentials> element's ability to store user credentials in XML configuration files is provided to support rapid development and limited testing. Do not use actual end-user credentials. End-user credentials should not be stored in configuration files on production servers. Production applications should implement custom user credential stores, for example, in a SQL Server database.
The <machineKey> element defines the encryption algorithms that are used to encrypt the Forms authentication cookie. This element also maintains encryption keys. For more information, see the "MachineKey" section in this chapter.
Use unique name and path attribute values on the <forms> element. By ensuring unique names, you prevent problems that can occur when you host multiple applications on the same server.
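The following audit script is an added example, not part of the original chapter and not Microsoft code. It parses a Web.config with Python's xml.etree and reports departures from the recommendations listed above: protection, requireSSL, slidingExpiration without SSL, the timeout value, the cookie name and path, a <credentials> element on the server, and whether any <location> partitions a restricted folder by denying anonymous users. The two configurations are constructed for the example; the DEFAULTS table of attribute defaults and the 20-minute threshold for a "small" time-out are this example's assumptions, and the defaults should be checked against the framework version actually deployed.

```python
"""Audit the <forms> authentication section of a Web.config against the
Forms authentication recommendations above. Added example, not Microsoft code."""
import xml.etree.ElementTree as ET

# Constructed weak configuration for the demonstration (not from any real server).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="None" timeout="60">
        <credentials passwordFormat="Clear">
          <user name="testuser" password="testpassword" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed hardened configuration, following the fragments in this section.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Restricted/login.aspx" protection="All" requireSSL="true"
             timeout="10" name="AppNameCookie" path="/FormsAuth"
             slidingExpiration="false" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Restricted">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Values ASP.NET applies when a <forms> attribute is omitted. These are this
# example's assumptions; verify them against your framework version.
DEFAULTS = {
    "protection": "All",
    "requireSSL": "false",
    "slidingExpiration": "true",
    "timeout": "30",
    "name": ".ASPXAUTH",
    "path": "/",
}


def audit_forms_auth(config_xml, max_timeout_minutes=20):
    """Return a list of finding strings; an empty list means no departures found.
    max_timeout_minutes is the example's threshold for a 'small' time-out."""
    root = ET.fromstring(config_xml)
    findings = []
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return ["authentication mode is not Forms; nothing to audit"]
    forms = auth.find("forms")
    if forms is None:
        return ["<forms> element missing; ASP.NET applies all defaults"]

    def attr(key):
        # ASP.NET compares attribute values case-insensitively, so normalise.
        return forms.get(key, DEFAULTS[key]).strip().lower()

    if attr("protection") != "all":
        findings.append('protection should be "All" (cookie not encrypted and signed)')
    if attr("requireSSL") != "true":
        findings.append('requireSSL should be "true" (cookie may be sent over HTTP)')
        if attr("slidingExpiration") == "true":
            findings.append('slidingExpiration should be "false" when SSL is not required')
    if int(attr("timeout")) > max_timeout_minutes:
        findings.append(f'timeout of {attr("timeout")} minutes exceeds {max_timeout_minutes}')
    if attr("name") == DEFAULTS["name"].lower():
        findings.append("cookie name is the default; use a unique per-application name")
    if attr("path") == "/":
        findings.append('cookie path is "/"; scope it to the application path')
    if forms.find("credentials") is not None:
        findings.append("<credentials> element present; do not store users in config on production")

    # Partitioning check: some <location> block should deny anonymous users ("?").
    denies_anonymous = any(
        deny.get("users") == "?"
        for loc in root.findall("location")
        for deny in loc.findall("system.web/authorization/deny")
    )
    if not denies_anonymous:
        findings.append('no <location> denies users="?"; restricted area is not partitioned')
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_forms_auth(cfg))} finding(s)")
        for finding in audit_forms_auth(cfg):
            print("  -", finding)
```

Run against a real Web.config by reading the file into a string and passing it to audit_forms_auth; the check only reads the <system.web> section and top-level <location> elements, so settings inherited from Machine.config or a parent folder's Web.config are not seen and must be reviewed separately.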