User Authentication & Authorization
User Authentication
• Can be used on web sites for:
  • Saving user preferences
    • E.g. skins, colours
  • Limiting access to pages or data
    • E.g. “members only”, co-authors of a blog
  • Protecting sensitive information
    • E.g. users who shop at your site may store their credit card and other account info
Wendi Jollymore, ACES
Authentication / Authorization
Authentication
• Determining a user’s identity
• How you validate the identity with some authority or source
• Credentials = the user’s information
• Occurs before you authorize a user
Authorization
• Determining if an authenticated user has access to a resource, application, etc.
• Occurs after authentication
• A user can be authenticated but not authorized to have access to a specific resource.
Types of Authentication
• There are three types of authentication you can use in ASP.NET:
  • Windows
  • Passport
  • Forms
Types of Authentication
• Windows Authentication
  • Used with IIS
  • Authenticates users based on their Windows accounts
    • You would need the permissions to create and modify individual Windows user accounts.
  • Use this only for local applications.
Types of Authentication
• Passport Authentication
  • Uses the authentication service provided by Microsoft
    • "Microsoft Passport"
  • Your site might be registered with and be a member of the Microsoft Passport service.
  • Users would not only have access to your page; they would be members of other sites also, using the same account information.
  • You would be dependent on the Microsoft Passport service for user accounts.
Types of Authentication
• Forms Authentication
  • An HTML form collects credentials from the user
  • You write the code to authenticate the credentials
  • Can use a cookie to maintain the authentication information
    • Allows the user to "stay logged in" while they browse around your site.
  • You can decide how to maintain user information (e.g. a Users table in a database)
Types of Authentication
• Forms Authentication would be the preferable method
  • Allows you the most flexibility
  • You can design your own form to capture the credentials
  • You can write your own authentication code
How Forms Authentication Works
• Unauthenticated users visiting any page are redirected to the Login page
• A cookie is created and stored when the user is authenticated
• Authenticated users can be granted or denied access to resources
• Unauthenticated users are, by default, IUSR_Anonymous
Passwords & Encryption
• This is a huge topic, so this is just a simplification
• Passwords should not be stored as plain text in a table
• They also should not be “compared” using plain text
  • E.g. if (password.equals("whatever"))
• Passwords should be stored/compared using encrypted values
One-Way vs. Two-Way Encryption
• One-Way Encryption
  • A piece of text is encrypted
  • The encrypted value is stored somewhere
  • It is never decrypted
  • A person enters plain text, which is encrypted, and both encrypted values are compared
• Two-Way Encryption
  • A piece of text is encrypted
  • The encrypted value is decrypted by the person receiving or processing the sensitive data
  • Common when sending documents
Passwords & Encryption
• One-Way Encryption is very useful for passwords
  • User enters a password
  • Program encrypts the password
  • Program looks up the encrypted password value in a table
  • Both encrypted values are compared
  • If they match, success!
• Also called hashing or irreversible encryption
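The hash-on-registration, hash-and-compare-on-login flow above, as an added C# example that is not part of the course notes. It uses the MD5CryptoServiceProvider and UTF8Encoding classes the slides name, so the stored value is the 16-byte hash that fits the binary(16) Password column; the in-memory dictionary is a constructed stand-in for the Users table. Two points the slides leave implicit are made explicit here: the two hashes are compared byte by byte over their full length rather than with an early-exit equality test, and an unknown user name still pays for one hash so it cannot be told apart from a wrong password by timing. Note that MD5 is fast and unsalted, so a leaked table of MD5 hashes is cheap to brute-force; the same structure works unchanged with a slow, salted password hash such as PBKDF2 (Rfc2898DeriveBytes in .NET), which is what current practice uses.

```csharp
// Added example (not from the course notes): one-way password storage and
// verification with MD5, using the classes the slides name.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class PasswordStore
{
    // Constructed stand-in for the Users table: user name -> 16-byte MD5 hash
    // (what the binary(16) Password column would hold).
    private static readonly Dictionary<string, byte[]> users =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);

    // string -> UTF-8 bytes -> MD5 -> 16 bytes. The plain text is never stored.
    public static byte[] HashPassword(string plainText)
    {
        byte[] data = new UTF8Encoding().GetBytes(plainText);
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(data);   // always 16 bytes (128 bits)
        }
    }

    // Registration: store only the hash.
    public static void Register(string userName, string plainText)
    {
        users[userName] = HashPassword(plainText);
    }

    // Login: hash what the user typed and compare hashes, never plain text.
    public static bool Verify(string userName, string plainText)
    {
        byte[] stored;
        if (!users.TryGetValue(userName, out stored))
        {
            // Hash anyway so an unknown user name costs the same as a wrong password.
            HashPassword(plainText);
            return false;
        }
        return FixedTimeEquals(stored, HashPassword(plainText));
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // comparison time does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        Register("alice", "whatever");
        // Hex form of the stored value, as you would see it in the table.
        Console.WriteLine(BitConverter.ToString(users["alice"]).Replace("-", ""));
        Console.WriteLine(Verify("alice", "whatever"));   // correct password
        Console.WriteLine(Verify("alice", "Whatever"));   // case differs, so the hash differs
        Console.WriteLine(Verify("bob", "whatever"));     // unknown user
    }
}
```

Compile it as a console application to see the stored hash and the three verification results; the hash is deterministic, so registering the same password twice produces the same 16 bytes, which is also why salting matters for a real Users table.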
Passwords & Encryption
• Disadvantage of One-Way encryption
  • Can’t decrypt the encrypted value
  • Can be hard to retrieve a lost password
• Ideas:
  • Reset the password to something temporary and email it to the user.
  • Send them a URL that allows them to save a new password.
Encryption Algorithms
• Some popular one-way encryption algorithms:
  • MD5 (Message Digest algorithm 5)
    • 128-bit hash code; somewhat secure; somewhat efficient
  • SHA-1 (Secure Hash Algorithm)
    • 160-bit hash code; somewhat secure, somewhat efficient
  • SHA-2
    • Refers to a collection of algorithms that are more secure than SHA-1
Encryption Algorithms
• Continued…
  • SHA-2 consists of SHA256, SHA384, SHA512
    • These produce 256-, 384-, and 512-bit hash codes
  • SHA256 and SHA384 are as secure as SHA-1 or MD5, but a lot slower
  • SHA512 is extremely secure, but extremely slow
Encryption Algorithms
• RIPEMD-160
  • Stands for RACE Integrity Primitives Evaluation Message Digest
    • RACE stands for Research and Development in Advanced Communications Technologies in Europe
  • 160-bit hash code based on MD4 (precursor to MD5)
Authentication in ASP.NET
• Create a Users table in your KaluhaBooks database:
  • See the table description in the notes
    • ADO.Net/Authentication & Authorization
• We’ll be using MD5 encryption
  • 128-bit hash code
  • The Password field in the Users table has to be a binary type, 16 bytes
• Create a new Web Project
Authentication in ASP.NET
• Add a Web.config file
• Add a connection string element
• In your web.config file, you can define how your application should handle authentication and authorization
• In our example, we will redirect unauthenticated users to a Login/Registration page
Authentication in ASP.NET
• <authentication> element in web.config:
  • Inside the <system.web> element
  • One attribute:
    • mode="Forms/Passport/Windows/None"
    • This indicates what mode of authentication your app should use
    • None means no authentication, or some form of custom authentication
Authentication in ASP.NET
<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
  </system.web>
</configuration>
Authentication in ASP.NET
• <forms> element in web.config:
  • Inside the <authentication> element
  • Defines how forms authentication will work in your application
  • name attribute:
    • The name of the cookie that will be placed on the authenticated user’s machine
  • loginUrl attribute:
    • The URL of the login page
    • Where unauthenticated users will automatically be redirected
Authentication in ASP.NET
<authentication mode="Forms">
  <forms name=".MYFIRSTAUTH" loginUrl="login.aspx" />
</authentication>
Authentication in ASP.NET
• Other attributes you can use in the <forms> element:
  • timeout="60"
    • The amount of time, measured in minutes, after which the cookie expires. The default value is 30.
  • path="/"
    • The path for which the cookie is created.
    • The default value is "/", which is fine to use at this point.
Authentication in ASP.NET
• Continued…
  • protection="None/Encryption/Validation/All"
    • How the cookie data is protected.
    • Possible values include:
      • None: stored in plain-text format; not recommended
      • Encryption: encrypts the cookie information in either the TripleDES or DES (Data Encryption Standard) encryption formats.
      • Validation: no encryption used, but the information within the cookie is validated to determine if it was altered between requests.
      • All: utilize both validation and encryption to protect the cookie data
Authentication in ASP.NET
• <authorization> element in web.config:
  • Inside the <system.web> element
  • Defines which authenticated and unauthenticated users have access to which resources (e.g. pages)
  • Can contain two elements:
    • <deny users="">
    • <allow users="">
Authentication in ASP.NET
• <deny> and <allow> elements
  • Define authorization rules
    • Which users should be denied or allowed access to pages
  • Possible values for the users attribute:
    • * = all users
    • ? = anonymous users
      • IUSR_Anonymous
    • Any name of a specific user or role
    • Multiple users/roles separated by commas
Authentication in ASP.NET
<authorization>
  <deny users="?" />
</authorization>
• This authorization rule denies access to all anonymous users.
• They will automatically be redirected to our login/registration page.
Exercise
• Once you’ve updated your web.config file:
  • Add some stuff to the main page of your project
    • Anything you want – headings, images, text, whatever
    • This will be our “home page” for our site
  • Add a second web form to your project
    • Call it “login.aspx”
    • The same value as in your loginUrl attribute in the <forms> element
The Login Control
• ASP.NET 2.0 has a new set of Login controls!
• The Login control contains all the elements you need to allow user logins
The Login Control - Properties
• CreateUserUrl
  • The URL or page name (if in the same folder) of a registration page
• CreateUserText
  • The text that will appear as a link below the login/password fields
  • When clicked, it will take the user to the registration page as defined in CreateUserUrl.
The Login Control - Properties
• DestinationPageUrl
  • URL where the user is directed after a successful login
• DisplayRememberMe (true/false)
  • Displays a check box that the user can check if they want to stay logged in beyond the normal timeout period.
  • If checked by the user, sets a persistent cookie so they don't have to be re-authenticated each time they come to your site.
  • You can change the expiry date of this cookie in your code.
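Changing the persistent cookie's expiry, as mentioned above, means building the forms authentication ticket yourself instead of letting the control issue it; the added C# example below (not part of the course notes) does that and also shows how the protection attribute from the <forms> element comes into play, because FormsAuthentication.Encrypt is what applies it. Assumptions: the code runs in login.aspx code-behind after the credentials have already been verified, the 14-day lifetime and the 30-minute non-persistent lifetime (matching the default timeout) are chosen for illustration, and the ticket's user-data field is left empty.

```csharp
// Added example (not from the course notes): issue the forms authentication
// cookie with a custom "Remember Me" lifetime, then read the protected ticket back.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class login : Page
{
    // Call this once the user's password hash has matched. Building the ticket
    // ourselves lets the persistent cookie outlive the <forms timeout="..."> value.
    protected void IssueAuthCookieAndRedirect(string userName, bool rememberMe)
    {
        // Assumed lifetimes: 14 days if "Remember Me" was ticked, else the default 30 minutes.
        DateTime expires = rememberMe ? DateTime.Now.AddDays(14) : DateTime.Now.AddMinutes(30);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,                            // same name RedirectFromLoginPage would use
            DateTime.Now,                        // issue date
            expires,                             // ticket expiry, checked on every request
            rememberMe,                          // persistent?
            String.Empty,                        // user data (unused here)
            FormsAuthentication.FormsCookiePath);

        // Encrypt applies the protection attribute: "All" encrypts the ticket and
        // adds a validation code, so a cookie edited on the client no longer decrypts.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Cookie name and path come from the <forms name="..." path="..."> attributes.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        authCookie.Path = FormsAuthentication.FormsCookiePath;
        if (rememberMe)
        {
            authCookie.Expires = ticket.Expiration;   // otherwise it is a session cookie
        }
        authCookie.HttpOnly = true;                   // keep client-side script away from it
        authCookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(authCookie);

        // Same destination RedirectFromLoginPage would pick (ReturnUrl or the default page).
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }

    // Decrypt a cookie value to inspect the ticket. A value that fails validation
    // yields no ticket: null on current frameworks, an exception on older ones.
    public static string DescribeTicket(string cookieValue)
    {
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookieValue);
        }
        catch (Exception)
        {
            ticket = null;
        }
        if (ticket == null) return "invalid or tampered ticket";
        if (ticket.Expired) return "expired ticket for " + ticket.Name;
        return ticket.Name + " valid until " + ticket.Expiration
            + (ticket.IsPersistent ? " (persistent)" : " (session)");
    }
}
```

The cookie's Expires and the ticket's Expiration are separate: FormsAuthenticationModule checks the ticket, so a long-lived cookie wrapping a ticket that has already expired still sends the user back to loginUrl. That is why the ticket is created with the desired expiry first and the cookie is then made to match it.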
The Login Control - Properties
• FailureAction, FailureText
  • What should happen if authentication fails.
  • "Refresh" (default)
    • The entire page will refresh, displaying the value of the FailureText property.
  • "RedirectToLoginPage"
    • The user will be sent back to the login page, as defined in the web.config file.
The Login Control - Properties
• InstructionText
  • Any instructions you'd like displayed to the user.
• LoginButtonType
  • Type of Login button you'd like (Button, Link, Image).
• LoginButtonText
  • If LoginButtonType is Button or Link, defines what text appears on the button/link.
• LoginButtonImageUrl
  • If LoginButtonType is set to Image, contains the location of the image.
The Login Control - Properties
• Orientation
  • Alignment of controls
• PasswordLabelText
  • Text that appears in the label in front of the password field
• PasswordRequiredErrorMessage
  • Error message that is displayed for the required field validator associated with the password field.
The Login Control - Properties
• RememberMeSet
  • Default value of the Remember Me check box
• RememberMeText
  • Text that appears in front of the Remember Me check box.
• TitleText
  • The title that appears along the top of your login control.
The Login Control - Properties
• UserName
  • Default user name in the User Name field
• UserNameLabelText
  • Text that appears in the label in front of the user name field
• UserNameRequiredErrorMessage
  • Error message displayed for the required field validator associated with the user name field.
The Login Control - Events
• Authenticate()
  • Triggered when the user presses the Login button on the Login control
  • You can write code to hash the password entered and compare it to the database value
Exercise
• Create the Login.aspx page according to the instructions/tutorial in the notes:
  • ADO.NET, Authentication & Authorization
  • “Creating a Login/Registration Page”
• You’ve done Steps 1 and 2 already
• Start with Step 3
More Useful Classes/Methods
• MD5CryptoServiceProvider class
  • In the System.Security.Cryptography namespace
  • Performs one-way MD5 encryption
  • ComputeHash() method
    • Accepts a byte[] array as the value to encrypt
    • Returns a byte[] array as the encrypted value
More Useful Classes/Methods
• UTF8Encoding class
  • In the System.Text namespace
  • Used to encode Unicode characters
  • GetBytes(string) method
    • Takes the string and returns it as a byte[] array
More Useful Classes/Methods
• FormsAuthentication class
  • In the System.Web.Security namespace
  • Handles forms authentication services and utilities
  • RedirectFromLoginPage(username, persist)
    • Redirects the authenticated user back to the original page they requested and creates the cookie
    • username = string to identify the “authentication ticket”
    • persist = boolean value: whether or not the cookie lives across multiple sessions
    • Optional third string argument = alternate URL where the authenticated user should be sent
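The Authenticate event from the Login Control slide and the three classes listed above come together in the login page's code-behind. The added C# example below is not part of the course notes; it assumes the Login control is named Login1, the connection string in web.config is named KaluhaBooks, the Users table has UserName (nvarchar(50)) and Password (binary(16)) columns, and the registration page stored the password with the same UTF-8 plus MD5 hashing. The user name is passed as a SqlParameter rather than concatenated into the query, and the comparison covers all 16 bytes whatever the first mismatch position.

```csharp
// Added example (not from the course notes): login.aspx code-behind handling
// the Login control's Authenticate event against the Users table.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class login : Page
{
    // Same one-way hash the registration page stored: UTF-8 bytes -> MD5 -> 16 bytes.
    private static byte[] HashPassword(string plainText)
    {
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(new UTF8Encoding().GetBytes(plainText));
        }
    }

    // Read the stored hash for a user name; null if no such user.
    // Assumed names: connection string "KaluhaBooks", columns UserName and Password.
    private static byte[] LoadStoredHash(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["KaluhaBooks"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Password FROM Users WHERE UserName = @user", conn))
        {
            // Parameterised: the typed user name never becomes part of the SQL text.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as byte[];   // DBNull or no row -> null
        }
    }

    // Compare every byte so the time taken does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Wired up with OnAuthenticate="Login1_Authenticate" on the <asp:Login> tag.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        byte[] stored = LoadStoredHash(Login1.UserName);
        byte[] entered = HashPassword(Login1.Password);   // hash what was typed, never store it

        // true: the control issues the forms cookie and redirects, which with no
        // DestinationPageUrl set means calling
        // FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet).
        // false: the page refreshes with FailureText shown (FailureAction="Refresh").
        e.Authenticated = FixedTimeEquals(stored, entered);
    }
}
```

Because the control performs the redirect itself once Authenticated is true, the handler only has to decide yes or no; calling RedirectFromLoginPage directly inside Authenticate also works, since Response.Redirect ends the request before the control's own redirect runs, but then the Remember Me check box value has to be passed as the persist argument by hand.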
Exercise
• Complete the tasks under the “Registering Users” section
• When completed, make sure it works
• Make sure you have a couple of good user/passwords in your table so we can code the login section
Exercise
• Complete the tasks under the “Validating Users” section
• When completed, make sure it works:
  • Try logging in with valid and invalid logins/passwords!