asp.net WebForms & asp.net MVC security options - asp.net

What are the options for implementing secure login on a website and ensuring that the website itself as a whole is secure? - for both asp.net and mvc......
Kind regards

The easiest way would be to use the prepared winforms accounting in asp.net mvc template. Then you can use the [Authorize] attribute infront every action you want to prevent from accessing before logging in.

Related

MVC 4 Web Api Security from C.S.R.F. Attacks

I am using asp.net mvc4 web api. I am using Form Authentication for security. I have asp form pages(.aspx) at client side. Is there any way to implement Antiforgery in this scenario. please describe i detail. I have done it in cshtml pages but found no any way to implement it in .aspx forms.
You might have found the solution for this, still adding reference to the page where you can find how to use CSRF prevention in ASP.Net
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

User Login in asp.net MVC

I am just a beginner of ASP.NET MVC. I have done some page by asp.net mvc but now I need to do form log in by using MVC. The login user name and password are store in database. Can anyone propose or share me some idea of how to do that? I really have no idea about that. Thanks.
Since you are new to Asp.net MVC, I would suggest you to follow a tutorial which will provide a great insight of how things shape up in this new framework. You can follow the Tutorial MVC Music Store from asp.net
It contains all the basic ingredients of a web application from user authentication to CRUD operations.
You may configure your web-app via Form Authentication. Take a look at tutorial - Authenticating Users with Forms Authentication. and SO thread - User authentication and authorisation in ASP.NET MVC

asp.net mvc3, how do I authenticate?

I need to build a "my account" application for my friend. I plan to use asp.net MVC 3.
I have to use third party API to authenticate users. if this is regular web application, it is easy, I submit the request using third party API, get response back. if this is authorized user, create a session. ON all the protected pages, i just check the session, if it is exist, then show the content, otherwise redirect back to login page.
I probably can do the same on my mvc3 project, but I know that definitely is a wrong approach. MVC3 is very flexiable. there must be a better way to do it. After I get response back from the third party API. What should I do after that? please show me some codes if you can.
Use the ASP.NET membership provider and create a custom provider to hook into your API. This gets a lot of the hard work done for you and you're not "reinventing the wheel". There's a great overview about how to do this with MVC here: http://theintegrity.co.uk/2010/11/asp-net-mvc-2-custom-membership-provider-tutorial-part-1/
Create a new MVC 3 application using the "Internet Application" template when you do file-new project.
All the code is then created for you - in visual studio click on the "ASP.NET Configuration" icon in solution explorer.
create your users and your roles
decorate your controllers and/or action methods with
[Authorize(Roles="Administrators")]
public class MyAdminOnlyController : Controller
{
}
Configure additional features such as forgotten password functionality, password resets, etc. Some additional features will require coding.
Done!
I don't think using MVC3 for authentication is anything different than regular web app. In your controller, you will send the username and password getting from the view to the API,getting the response back.
You can then save it to session and check against it on any page you want to be protected.
MVC is just the way to separate view logic, business logic and data model. The application flow is the same.
ASP.NET already build ASP.NET membership provider. The back end data can be stored in ASP.NET Configuration website, SQL Server database,Active Directory, and another database but you need to custom the authentication provider.
this is the expample for SQLServer Membership provider, for the detail documentation you can read from here
For ASP.NET Configuration management Membership provider, you can read from Music Store ASP.NET MVC tutorial in Membership and Authorization section. If you want to learn about ASP.NET MVC authentication/authorization. Music Store example is a recommended tutorial for exploring ASP.NET MVC3 feature, Entity Framework and Authentication also.

What default mechanisms are in place in ASP.net for user login?

I veguely remember that there was a login/logout control in my ASP.net class, but I don't know what options there are for managing user logins, the only one I'm aware of is the Windows Authentication mechanism.
I believe you're talking about ASP.NET Forms Authentication. You can read more about it here.
Here's a video tutorial on the ASP.NET Login controls:
http://www.asp.net/general/videos/login-controls
You'll probably want to take a look at Forms Authentication - you can use both Windows and Forms authentication with an ASP.NET Web application.
http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx

Shared Authentication, Membership & Roles across DNN and ASP.net applications

Here's my situation. I have a DotNetNuke application. I want to link to an existing ASP.net website from within the DNN website, and have decided to use DNN's IFrame for that.
The existing ASP.net application uses Forms Authentication for security - only authorized users can access the pages. This asp.net application also requires user roles for authorization to different pages.
I don't want users to have to sign on twice, and I'd like the asp.net page to use the user membership and role data from the DNN application - it shouldn't require it's own membership database.
Is this possible? According to the MSDN website:
"ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm. When forms authentication is enabled across multiple ASP.NET applications, users are not required to re-authenticate when switching between the applications."
Does this apply to DotNetNuke applications linking to asp.net applications? Both are on the same domain, too.
(I tried modifying the config.web of the asp.net page to work with the DNN config.web, matching machine keys and forms settings - but it didn't work. I could be doing something wrong, but before I pursue, I want to know if it's even possible.)
Thanks for any help!
I don't know if what you're talking about is possible within DNN. We're on DNN 4.0 and they do some weird things with the ASP.NET membership tables which may cause trouble.
What I can tell you is an alternative way (assuming you have control over the ASP.NET application). There is a project called MADAM (Mixed Authentication Disposition ASP.NET Modules - I know a bit of a mouthful) that can be used to provide a method other than forms authentication for application logon.
What you could do is set MADAM up on your ASP.NET application and from DNN pass user credentials to the ASP.NET application. The end result appears to the user as single sign on.
If you need me to elaborate on anything, let me know in the comments.
Actually i am displaying some aspx pages in a iframe module present on a dnn page. Now since inside the iFrame i am displaying aspx pages hosted elsewhere but on same server. I am just want to authenticate the dnn logged-in user before loading the page inside iFrame.
Do dnn provide any API which i can call from apsx pages hosted elsewhere in order to restrict access to ony unauthorized user.

Resources