Summary
The ASP.NET team gave Forms authentication a lot of love in version 2.0. A new provider model now gives you direct support for managing users and roles in SQL Server. And if you don't want to use SQL Server, you can rely on Active Directory or write your own providers to hook up with a user store of your own making, or use one built by a third party. You can even download the source code for the existing providers to help you get started.

Be sure to test your application using IIS under a least-privileged user account. Do this early and often, as it will help you quickly discover potential problems, such as restricted access to resources. Encrypt sensitive sections of your web.config and machine.config files, including <machineKey> and <connectionStrings>, using the aspnet_regiis tool. Try to eliminate as many secrets as you can; using integrated security really helps with this.

You'll find that implementing security-related UI features such as login and self-registration pages is much easier with the new login controls in ASP.NET 2.0, and since these controls know about the provider model, you probably won't have to write much code (if any at all) to get started using them.

Keep in mind that cookieless Forms authentication is now available, and use it if necessary, but if you do, be certain to take steps to reduce the dangers of sharing URLs with login details in them. And keep an eye on the wisdom provided by the patterns & practices group at Microsoft: there's some great advice on building secure ASP.NET 2.0 applications at http://msdn.com/securityguidance. Remember, security is a feature!
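As an added example (not taken from the book or its sample code), the web.config below pulls the summary's points together: a connection string that uses integrated security so no password is stored, the aspnet_regiis commands for protecting the connectionStrings and machineKey sections, a Forms authentication element that keeps the ticket in a cookie rather than the URL, and the SQL membership and role providers wired to the same connection string. The application path /MyApp, the names AppServices, MembershipDb and .MyAppAuth, and the machineKey placeholder values are assumptions made for the example.

```xml
<?xml version="1.0"?>
<!-- Added example configuration, not from the book. /MyApp, AppServices,
     MembershipDb and .MyAppAuth are assumed names. -->
<configuration>

  <connectionStrings>
    <!-- Integrated security: the worker process identity authenticates to
         SQL Server, so no password lives in this file. When you run under a
         least-privileged account, grant that identity only the rights the
         membership and role stored procedures need. -->
    <add name="AppServices"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=MembershipDb;Integrated Security=SSPI" />
    <!-- If a password must be stored here, protect the whole section with:
           aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"
         and decrypt again for editing with -pd. aspnet_regiis.exe ships in
         %windir%\Microsoft.NET\Framework\v2.0.50727 -->
  </connectionStrings>

  <system.web>

    <!-- Explicit keys are needed on a web farm so every server can validate
         the same ticket; replace the placeholders with generated hex keys.
         Encrypt the section with:
           aspnet_regiis -pe "system.web/machineKey" -app "/MyApp" -->
    <machineKey validationKey="PLACEHOLDER-REPLACE-WITH-HEX-KEY"
                decryptionKey="PLACEHOLDER-REPLACE-WITH-HEX-KEY"
                validation="SHA1"
                decryption="AES" />

    <authentication mode="Forms">
      <!-- cookieless="UseCookies" keeps the authentication ticket out of the
           URL. The default UseDeviceProfile (or UseUri) can place it in the
           path, where it leaks whenever the URL is shared, bookmarked or sent
           in a Referer header. requireSSL="true" stops the cookie from being
           sent over plain HTTP; protection="All" signs and encrypts it. -->
      <forms name=".MyAppAuth"
             loginUrl="~/Login.aspx"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Deny anonymous users by default; open specific pages with
         <location> elements as needed. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Membership and role providers share the integrated-security
         connection string above, so the login controls work without code
         and without a stored password. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppServices"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppServices"
             applicationName="/MyApp" />
      </providers>
    </roleManager>

  </system.web>
</configuration>
```

Run the two aspnet_regiis commands from the server after the file is in place and check that the encrypted sections still load by browsing to a page that hits the membership database under the least-privileged account; a failure here usually means that account lacks rights to the DPAPI key store or to the database, which is exactly the kind of problem the summary recommends finding early.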

Essential ASP.NET 2.0
ISBN: 0321237706
Year: 2006
Pages: 104