Implementing ASP.NET Authentication


Authentication is one of the primary features in the Web application's security. There are three ways to implement authentication in an ASP.NET Web application with the help of ASP.NET authentication providers: [5] Forms authentication, Passport authentication, and Windows authentication. To facilitate an authentication provider for an ASP.NET application, you have to configure the <mode> attribute of the <authentication> element in the application configuration file as follows :

[5] Authentication providers are nothing but the code modules that contain the essential code to authenticate the requester's credentials.

 // Web.config file: <authentication mode = "[Windows/Forms/Passport/None]"> </authentication> 

The mode attribute can be set to one of these authentication methods : Windows, Forms, Passport, or None . The default value is Windows.

  • Forms authentication: In this mechanism the unauthenticated requests are redirected to a logon Web form, where the user has to provide credentials and submit the form. If the application authenticates the request against a user list or database that the application maintains, then ASP.NET issues a cookie that contains a token or a key to the client. Then, in each subsequent request a cookie is passed in the request headers, which avoid further successive authentications. This method is suitable for commercial Web applications.

  • Passport authentication: Centralized single sign-on authentication using Microsoft's Passport service. In this mechanism, the unauthenticated requests (i.e., for new users) are redirected to a site hosted by Microsoft so that the users can register a single username and password that will authenticate their access to multiple Web sites. This method is suitable for multiple commercial Web applications.

  • Windows authentication: In this mechanism ASP.NET works in concurrence with the IIS authentication scheme. As a first step, the IIS implements authentication by employing any one of these ways: Basic, Digest, Integrated Windows Authentication (formerly known as Windows NT Challenge/Response (NT/CR) or NT LAN Manager (NTLM), or Certificates. When IIS authentication is completed, then in the second step ASP.NET utilizes the authenticated identity to authorize access. This method is best suited in the Intranet and private corporate Web application.

  • None: Specifies no authentication. Only anonymous users are anticipated. Here ASP.NET does not do any authentication checking, and the authentication services are inactive. You have to be aware that IIS authentication services can still be present. You can employ this when you are not authenticating users at all or are creating your own custom authentication scheme.



.NET Security and Cryptography
.NET Security and Cryptography
ISBN: 013100851X
EAN: 2147483647
Year: 2003
Pages: 126

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net