ASP.NET provides an infrastructure for authentication and authorization that will meet most of your needs for securing an application. Three authentication schemes are available: Forms, Windows, and Passport.
With Forms authentication you use a classic custom login page to gather credentials from users and to authenticate the information supplied against a database or other data store of authorized users. You can also leverage the FormsAuthentication APIs built into ASP.NET to issue a cookie back to the client. Recipes in this chapter show you how to use Forms authentication to restrict access to some or all pages of an application. We also show you how to restrict access to pages depending on the role assigned to the user.
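As an added illustration of the Forms flow just described (example code written for this edit, not one of the book's recipes), the three pieces below show a custom login page validating credentials against a data store, issuing the Forms cookie with the user's roles, and a Global.asax handler that turns those roles into a principal so role-based authorization in web.config is enforced. It assumes .NET 2.0 or later, a web.config with `<authentication mode="Forms">` (loginUrl="Login.aspx"), `<deny users="?" />` at the root and `<allow roles="Admin" /><deny users="*" />` under a protected folder, and that txtUser, txtPassword and lblMessage are controls on Login.aspx; the in-memory user store stands in for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Constructed in-memory stand-in for the "database or other data store" of authorized users:
// per-user salt, PBKDF2 hash of the password (never the clear text), and the user's roles.
public sealed class UserRecord { public byte[] Salt, Hash; public string[] Roles; }
public static class UserStore {
    static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
    static UserStore() { Add("alice", "correct horse battery staple", new[] { "Admin" }); }   // constructed sample user
    static void Add(string name, string password, string[] roles) {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[name] = new UserRecord { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }
    static byte[] Derive(string password, byte[] salt) { using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32); }
    // Roles on success, null otherwise; an unknown user and a wrong password give the same answer.
    public static string[] Validate(string name, string password) {
        UserRecord rec;
        if (!Users.TryGetValue(name, out rec)) return null;
        byte[] candidate = Derive(password, rec.Salt);
        int diff = 0;                                            // compare every byte, no early exit
        for (int i = 0; i < rec.Hash.Length; i++) diff |= candidate[i] ^ rec.Hash[i];
        return diff == 0 ? rec.Roles : null;
    }
}

public partial class Login : System.Web.UI.Page {                // code-behind for the custom login page
    protected void btnLogin_Click(object sender, EventArgs e) {
        string[] roles = UserStore.Validate(txtUser.Text, txtPassword.Text);
        if (roles == null) { lblMessage.Text = "Invalid user name or password."; return; }
        // Build the ticket by hand so the roles travel in UserData; RedirectFromLoginPage cannot carry them.
        var ticket = new FormsAuthenticationTicket(1, txtUser.Text, DateTime.Now, DateTime.Now.AddMinutes(30), false, string.Join(",", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true; cookie.Secure = true;            // hidden from script, sent only over HTTPS
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false));
    }
}

public class Global : HttpApplication {
    // Every request: rebuild a principal from the ticket so <allow roles="..."> in web.config is enforced.
    protected void Application_AuthenticateRequest(object sender, EventArgs e) {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } catch (Exception) { return; }
        if (ticket == null || ticket.Expired) return;
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), ticket.UserData.Split(','));
    }
}
```

Because the roles live inside the encrypted, MAC-protected ticket rather than in a separate cookie, a client cannot edit them, and a tampered or expired ticket simply leaves the request anonymous.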
Implementing Windows authentication involves using a standard Windows dialog box to gather user credentials and validating the user against existing Windows accounts. If your application runs on an intranet, you will find that the last recipe in the chapter helps you implement Windows authentication in record time.
Passport authentication uses Microsoft’s Passport service to perform the required authentication. We haven’t provided any examples in this chapter, not because Passport authentication is especially difficult but because we doubt many readers are actually implementing it. Irrespective of our personal views, we have yet to see much interest in Passport authentication on a commercial level.
If none of the built-in authentication schemes provided by ASP.NET meets the needs of your application, the .NET Framework provides the ability to create your own authentication scheme. This typically involves writing a custom class that implements the IAuthenticationModule interface and registering it to bypass the built-in .NET authentication. Custom authentication is not covered in this book, because of its individual nature. You can find more details in the MSDN Library by searching for the term “custom authentication”.
This chapter provides several recipes for securing your applications using the built-in mechanisms provided by ASP.NET. These are usually adequate to meet the needs of your application.
One of the most important recommendations we can make is that you always have the security features of your application reviewed by key project stakeholders and security specialists. Bringing other perspectives to issues of security is always a good idea, because it is difficult to conceive of all the ways security may be breached in your environment. Having others inspect your plans saves you having to shoulder the entire security burden alone, which is never a wise or comfortable position to be in.