MVC 4 Web Api Security from C.S.R.F. Attacks - asp.net

I am using ASP.NET MVC 4 Web API. I am using Forms Authentication for security. I have ASP.NET form pages (.aspx) on the client side. Is there any way to implement anti-forgery in this scenario? Please describe in detail. I have done it in .cshtml pages but found no way to implement it in .aspx forms.

You might have found the solution for this already; still, adding a reference to the page where you can find how to use CSRF prevention in ASP.NET:
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
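
For the Web API plus .aspx scenario in the question, one way to carry the anti-forgery token in a request header and check it in a Web API action filter. This is an added example, not code from the original post or the linked blog; the names `CsrfTokens`, `ValidateCsrfHeaderAttribute` and the `X-CSRF-Token` header are assumptions, while `AntiForgery.GetTokens` and `AntiForgery.Validate` are the `System.Web.Helpers` methods that ship with MVC 4.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;            // AntiForgery, from System.Web.WebPages (ships with MVC 4)
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed helper, callable from Web Forms markup, e.g. in the .aspx page:
//   <input type="hidden" id="csrf" value="<%: CsrfTokens.ForHeader() %>" />
// The page's script reads that value and sends it in the header named below.
public static class CsrfTokens
{
    public const string HeaderName = "X-CSRF-Token";   // assumed header name

    public static string ForHeader()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}

// Assumed filter: apply [ValidateCsrfHeader] to state-changing ApiController actions.
public sealed class ValidateCsrfHeaderAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        try
        {
            IEnumerable<string> values;
            if (!actionContext.Request.Headers.TryGetValues(CsrfTokens.HeaderName, out values))
                throw new InvalidOperationException("Token header missing.");

            string[] parts = values.First().Split(':');
            if (parts.Length != 2)
                throw new InvalidOperationException("Token header malformed.");

            // Throws if the pair does not match or was issued to another user.
            AntiForgery.Validate(parts[0], parts[1]);
        }
        catch (Exception)
        {
            // Fail closed: any validation problem short-circuits the action with 403.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery validation failed.");
        }
    }
}
```

The Forms Authentication cookie is sent automatically on every request, which is why the Web API needs this second value: a page on another origin can neither read the token from the .aspx page nor attach the custom header to a plain form post.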

Related

How to implement antiforgery token in global.asax?

To prevent CSRF attacks, it's required to implement an antiforgery token for an ASP.NET website (not for MVC) in our project. We are not able to find it on Google. It's better if we implement it in global.asax. Kindly help. Thanks in advance.
Which version of .net are you working with? Certain versions have it built into the Master page, otherwise if you need to see what it looks like in a webforms project you can check:
https://software-security.sans.org/developer-how-to/developer-guide-csrf

User Login in asp.net MVC

I am just a beginner with ASP.NET MVC. I have done some pages with ASP.NET MVC, but now I need to do a form login using MVC. The login user name and password are stored in a database. Can anyone propose or share some ideas on how to do that? I really have no idea about that. Thanks.
Since you are new to ASP.NET MVC, I would suggest you follow a tutorial which will provide great insight into how things shape up in this new framework. You can follow the MVC Music Store tutorial from asp.net.
It contains all the basic ingredients of a web application, from user authentication to CRUD operations.
You may configure your web app via Forms Authentication. Take a look at the tutorial - Authenticating Users with Forms Authentication - and the SO thread - User authentication and authorisation in ASP.NET MVC

authorization module in asp.net

I was wondering if there was an example or a blog post showing how to do the authorization module in ASP.NET,
to dynamically allow roles to a page or folder.
ASP.NET supports Forms Authorization. Here is a good blog post on how to use it:
http://support.microsoft.com/kb/301240
I am hoping that this is the best for how to do authorization in ASP.NET; along with authorization, it also explains authentication.

asp.net mvc3, how do I authenticate?

I need to build a "my account" application for my friend. I plan to use asp.net MVC 3.
I have to use a third-party API to authenticate users. If this were a regular web application, it would be easy: I submit the request using the third-party API and get a response back. If this is an authorized user, create a session. On all the protected pages, I just check the session; if it exists, then show the content, otherwise redirect back to the login page.
I probably can do the same in my MVC 3 project, but I know that definitely is the wrong approach. MVC 3 is very flexible; there must be a better way to do it. After I get the response back from the third-party API, what should I do after that? Please show me some code if you can.
Use the ASP.NET membership provider and create a custom provider to hook into your API. This gets a lot of the hard work done for you and you're not "reinventing the wheel". There's a great overview about how to do this with MVC here: http://theintegrity.co.uk/2010/11/asp-net-mvc-2-custom-membership-provider-tutorial-part-1/
Create a new MVC 3 application using the "Internet Application" template when you do file-new project.
All the code is then created for you - in visual studio click on the "ASP.NET Configuration" icon in solution explorer.
create your users and your roles
decorate your controllers and/or action methods with
[Authorize(Roles="Administrators")]
public class MyAdminOnlyController : Controller
{
}
Configure additional features such as forgotten password functionality, password resets, etc. Some additional features will require coding.
Done!
I don't think using MVC3 for authentication is any different from a regular web app. In your controller, you will send the username and password from the view to the API and get the response back.
You can then save it to the session and check against it on any page you want to be protected.
MVC is just the way to separate view logic, business logic and data model. The application flow is the same.
ASP.NET already has a built-in ASP.NET membership provider. The back-end data can be stored in the ASP.NET Configuration website, a SQL Server database, Active Directory, or another database, but then you need to customize the authentication provider.
This is the example for the SQL Server Membership provider; for the detailed documentation you can read from here.
For the ASP.NET Configuration management Membership provider, you can read the Membership and Authorization section of the Music Store ASP.NET MVC tutorial. If you want to learn about ASP.NET MVC authentication/authorization, the Music Store example is a recommended tutorial for exploring ASP.NET MVC3 features, Entity Framework and authentication as well.
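
For the third-party authentication question above, a login action that issues a Forms Authentication ticket once the external API accepts the credentials, so that `[Authorize]` performs the per-page check instead of a hand-rolled session test. This is an added example, not code from any of the answers; `IExternalAuthClient` is a hypothetical wrapper around the third-party API, and constructor injection assumes a dependency resolver is configured.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical wrapper around the third-party API; not a real library type.
public interface IExternalAuthClient
{
    bool ValidateCredentials(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IExternalAuthClient _auth;

    public AccountController(IExternalAuthClient auth) { _auth = auth; }

    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // the login view must render @Html.AntiForgeryToken()
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!_auth.ValidateCredentials(userName, password))
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError("", "The user name or password is incorrect.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // Issue the encrypted, signed ticket cookie; false = session cookie only.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Only follow returnUrl when it points back into this site.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

[Authorize]   // unauthenticated requests are redirected to the configured login URL
public class MyAccountController : Controller
{
    public ActionResult Index() { return View(); }
}
```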

asp.net WebForms & asp.net MVC security options

What are the options for implementing secure login on a website and ensuring that the website itself as a whole is secure? - for both ASP.NET and MVC......
Kind regards
The easiest way would be to use the prepared winforms accounting in the ASP.NET MVC template. Then you can use the [Authorize] attribute in front of every action you want to prevent from being accessed before logging in.
