13 Security Fundamentals

The document discusses different methods of authentication and authorization in ASP.NET, including Windows authentication, forms authentication, and passport authentication. It explains the key concepts of authentication, which verifies a user's identity, and authorization, which determines what resources a user has access to. Specific steps and code examples are provided for implementing Windows and forms authentication in ASP.NET applications.

Uploaded by bhosle6006

You do not have to study the screenshots in this document; they are included only to aid your understanding.

Security - In ASP.NET

Authentication means identifying the user: verifying that the presented credentials match an account that exists in your user store and that the caller really is that user. Authorization means deciding whether that authenticated user may access a particular resource on the IIS website. A resource can be an ASP.NET web page, a media file (MP4, GIF, JPEG etc.), a compressed file (ZIP, RAR) etc. Note that ASP.NET's own authorization rules apply only to requests that pass through the ASP.NET pipeline; static files such as MP4 or ZIP are served directly by IIS unless the server is configured (integrated pipeline or a handler mapping) to run the managed authorization module for them.

So, the first process which happens is authentication and only then authorization; an authorization decision is meaningless without a verified identity.

So, when the user enters a 'userid' and 'password' he is first authenticated and identified by the user name. When the user then starts accessing resources such as pages, videos and other files, each request is checked for whether he has the necessary access to that resource. The process of deciding the rights for resources is termed 'Authorization'.

To put it in simple words: establishing "he is Shiv" is authentication, and establishing "Shiv is an admin" is authorization.

Detecting authentication and authorization: - The principal and identity objects


At any moment, if you want to know who the user is and with what kind of authentication he was identified, use the identity object (User.Identity). If you want to know which roles the user holds, use the principal object (User). In other words, authentication details come from the identity object and authorization details for that identity come from the principal object. The simple sample code below shows how to use the identity and principal objects to display the user's name and check a role.

// 'User' is the IPrincipal attached to the current request (HttpContext.User).
// Identity values originate from the client, so HTML-encode them before writing to a page.
Response.Write(User.Identity.Name + "<br>");                // e.g. MACHINE\Shiv; empty string when anonymous
Response.Write(User.Identity.AuthenticationType + "<br>");  // e.g. "NTLM", "Basic", "Forms"; empty when anonymous
Response.Write(User.Identity.IsAuthenticated + "<br>");     // False for an anonymous request
Response.Write(User.IsInRole("Administrators") + "<br>");   // role (Windows group) check: this is authorization

If you run this code in IIS with anonymous access enabled, it shows no identity: the name and authentication type are empty, IsAuthenticated is False and the role check returns False.

If you run the same code in IIS with an authentication mode enabled, say "Basic authentication", all the details are shown. The two cases are the quickest way to confirm that IIS is actually challenging the client rather than letting it through anonymously.
Types of authentication and authorization in ASP.NET

ASP.NET offers three authentication modes, plus anonymous access for sites that need no authentication:-


• Windows authentication: - In this methodology ASP.NET web pages use local Windows (or domain) users and groups to authenticate callers and to authorize access to resources.

• Forms Authentication: - This is a cookie based authentication. The user is presented with an HTML-based Web page that prompts for credentials; once they are validated, the client receives an encrypted authentication ticket in a cookie (or in the URL of every request when cookies are not available) and presents it on each subsequent request. The user name and password themselves are never stored on the client.

• Passport authentication :- Passport authentication is based on the Passport website provided by Microsoft. When a user logs in with credentials, the request is redirected to the Passport website (the service behind Hotmail, DevHood, Windows Live etc.), where authentication happens. If authentication is successful, a token is returned to your website. Passport is obsolete in current .NET Framework versions and should not be used for new applications.

• Anonymous access: - If you do not want any kind of authentication, use anonymous access.

GenericPrincipal and GenericIdentity objects represent users who have been authenticated using Forms authentication or other custom authentication mechanisms. With these objects the role list is obtained in a custom manner, typically from a database.

FormsIdentity and PassportIdentity objects represent users who have been authenticated with Forms and Passport authentication respectively; WindowsIdentity and WindowsPrincipal represent users authenticated with Windows authentication.
[Screenshot: creating a local Windows user account; the account shown in the screenshot is named 'abc'. Create whichever users your site needs.]


Windows Authentication

When you configure your ASP.NET application for Windows authentication, it uses local Windows users and groups to perform authentication and authorization for your ASP.NET pages; IIS validates the credentials, and ASP.NET receives the resulting Windows identity.

5 steps to enable authentication and authorization using Windows

For example, let us create 2 users, one 'Administrator' and another ordinary user named 'Shiv'. We will create two simple ASPX pages, 'User.aspx' and 'Admin.aspx'. The 'Administrator' user will have access to both 'Admin.aspx' and 'User.aspx', while user 'Shiv' will only have access to 'User.aspx'.
Step 1:- Creation of web site.

Create a simple web site with 3 pages (User.aspx, Admin.aspx and Home.aspx).

Step 2:- Create users in the Windows user directory

On the web server, create two local Windows users, 'Administrator' and 'Shiv'.

Step 3:- Setup the 'web.config' file

In the 'web.config' file set the authentication mode to 'Windows'.

<authentication mode="Windows"/>

We also need to ensure that all unauthenticated users are denied. The snippet below inside the authorization tag does that: '?' stands for anonymous (unauthenticated) users and '*' stands for all users. Authorization rules are evaluated top to bottom and the first matching rule wins; without this rule the inherited default, which allows everyone, applies.

<authorization>
<deny users="?"/>
</authorization>

Step 4:- Setup authorization

Insert the below snippet in the 'web.config' file stating that only the 'Administrator' user has access to 'Admin.aspx'. The 'questpon-srize2' prefix is the machine name of the web server in this example; replace it with your own. Note that 'allow roles' matches Windows group names (for example BUILTIN\Administrators), so a single user account has to be granted with 'allow users':

<location path="Admin.aspx">
<system.web>
<authorization>
<!-- a single account is matched with users=; roles= would need a group such as BUILTIN\Administrators -->
<allow users="questpon-srize2\Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Step 5:-Configure IIS settings


Compile the project and deploy it to an IIS virtual directory. In the IIS authentication settings of that virtual directory, remove anonymous access and enable Integrated Windows Authentication. When you now browse to the web application, the browser prompts for a user id and password (unless it silently sends your current Windows logon, as Internet Explorer does for intranet sites).

Once you enter valid credentials you should be able to see Home.aspx.


If you log in as a user who is not 'Administrator' (in this case 'Shiv') and navigate to 'Admin.aspx', ASP.NET rejects the request with an HTTP 401 access denied error.

If you want to read who the user is and with what rights he has logged in, use 'WindowsPrincipal' and 'WindowsIdentity'. These two objects represent users who have been authenticated with Windows authentication, and from them you can also read the Windows groups (roles) these users belong to.
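As an added example (not code from the original page), the following ASP.NET page code reads the WindowsIdentity and WindowsPrincipal of the caller and lists the Windows groups it belongs to. It assumes the IIS settings of step 5 (anonymous access off, Integrated Windows Authentication on); the page class name 'Home' is an assumption.

```csharp
// Added example: inspecting the Windows identity and group membership of the caller.
// Assumes IIS has anonymous access disabled and Integrated Windows Authentication enabled.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class Home : Page   // hypothetical page class name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // User.Identity is a WindowsIdentity only when Windows authentication produced
        // the principal; under Forms authentication it would be a FormsIdentity.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Cannot happen with <deny users="?"/> in place, but fail closed anyway.
            Response.StatusCode = 401;
            return;
        }

        // Identity values come from the client side of the handshake: encode before writing.
        Response.Write("User: " + HttpUtility.HtmlEncode(identity.Name) + "<br>");   // MACHINE\Shiv or DOMAIN\user
        Response.Write("Type: " + identity.AuthenticationType + "<br>");               // "NTLM" or "Negotiate"

        // Group SIDs are taken from the logon token. Translate each to DOMAIN\Group;
        // translation can fail for orphaned SIDs, so fall back to the raw SID.
        foreach (IdentityReference sid in identity.Groups)
        {
            string groupName;
            try
            {
                groupName = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                groupName = sid.Value;
            }
            Response.Write("Group: " + HttpUtility.HtmlEncode(groupName) + "<br>");
        }

        // Role checks: a well-known built-in role, or an explicit MACHINE\Group name.
        // This is the same membership test URL authorization performs for <allow roles="..."/>.
        var principal = User as WindowsPrincipal ?? new WindowsPrincipal(identity);
        bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
        bool inLocalAdminsGroup = principal.IsInRole(Environment.MachineName + "\\Administrators");
        Response.Write("Administrator: " + (isAdmin || inLocalAdminsGroup) + "<br>");
    }
}
```

Because the groups are read from the logon token, a user added to a group after logging in does not pick up the new membership until he authenticates again; the same holds for URL authorization rules that use roles.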

Forms Authentication

Forms authentication is a cookie based (or, when cookies are unavailable, URL based) scheme. What the client holds is not the user name and password but a forms authentication ticket, which ASP.NET encrypts and signs with the machineKey before placing it in a cookie or, in cookieless mode, in the URL of every request.
Below are the various steps which happen in forms authentication:-
• Step 1:- The user enters a "userid" and "password" through a custom login page developed for the application.
• Step 2:- The credentials are checked against a store of your choice. The user can be validated against the 'web.config' file, SQL Server, a customer database, Windows Active Directory and various other kinds of data sources.

• Step 3:- If the user is valid, a cookie carrying the ticket is issued to the client. Henceforth, when the client browses other resources of your ASP.NET site, the credentials are not checked again; the ticket in the cookie proves that the user has already logged in, until it expires or the user signs out.

The forms authentication cookie is nothing but the container for the forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request, and forms authentication on the server decrypts it and verifies its signature to identify the authenticated user. A ticket whose signature does not validate is rejected, so a client cannot mint or alter tickets without the server's machineKey.

If you choose cookieless forms authentication, the ticket is passed in the URL in encrypted form instead. Cookieless forms authentication exists because some client browsers block cookies; the feature was introduced in the Microsoft .NET Framework 2.0. Be aware that a ticket in the URL ends up in browser history, proxy logs and Referer headers, so cookie mode is preferable whenever cookies are available.

Forms authentication using 'web.config' as a data store

Step 1:- The first thing we need to do is make an entry in the web.config file with the authentication mode set to Forms, as shown below. We also need to provide the following:-

• loginUrl :- The page the user is redirected to whenever authentication is required; this is the custom login page.

• defaultUrl :- Once the user is validated he is redirected to this page (here "Home.aspx") unless the request carried a ReturnUrl.

• cookieless :- As said previously, forms authentication uses cookies by default. There are four values with which you can change this behaviour:-

o AutoDetect :- ASP.NET probes whether the browser accepts cookies and, if not, passes the encrypted ticket via the URL.

o UseCookies :- Always create a cookie for the ticket when authentication succeeds. This is the value to prefer, since a ticket in the URL leaks into history, logs and Referer headers.

o UseUri :- Always pass the encrypted ticket via the browser URL.

o UseDeviceProfile :- This is the default value. ASP.NET looks up the browser definition files under "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers" to see whether that browser type supports cookies and decides from that. In other words it does not check at runtime whether the user has actually enabled cookies.

• credentials :- In the credentials tag we list users with name and password. As said previously, we first use forms authentication with user names stored in the web.config file.

<authentication mode="Forms">
<!-- timeout is in minutes; add requireSSL="true" so the ticket cookie is only ever sent over HTTPS -->
<forms loginUrl="Login.aspx" timeout="30" defaultUrl="Home.aspx" cookieless="AutoDetect">
<!-- passwordFormat="Clear" keeps plaintext passwords in web.config; the other options, MD5 and SHA1,
     are unsalted hashes. Acceptable for a demo only; real applications should use ASP.NET Membership
     with a salted, hashed password store. -->
<credentials passwordFormat="Clear">
<user name="Shiv" password="pass@123"/>
<user name="Raju" password="pass@123"/>
</credentials>
</forms>
</authentication>

[Screenshot: the possible values of the 'cookieless' attribute.]

If you set cookieless to 'UseDeviceProfile', ASP.NET decides from the browser definition files stored on the server, not from the live browser.
Step 2:- Once you have set the "forms" tag values, it's time to ensure that anonymous users are not able to browse your site. You do this with the authorization tag as shown in the code snippet below; '?' stands for unauthenticated users.

<authorization>
<deny users="?"/>
</authorization>

Step 3:- We also need to define which user has access to which page. In this project we have created two pages, "Admin.aspx" and "User.aspx". "Admin.aspx" is accessible only to user "Shiv", while "User.aspx" is accessible to both users.

The web.config settings below map the pages to users. Rules are evaluated top to bottom and the first match wins, so the explicit allows must precede the catch-all deny:

<location path="Admin.aspx">
<system.web>
<authorization>
<!-- only Shiv; everyone else, authenticated or not, hits the deny -->
<allow users="Shiv"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="User.aspx">
<system.web>
<authorization>
<!-- equivalently: <allow users="Shiv,Raju"/> -->
<allow users="Shiv"/>
<allow users="Raju"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Step 4 :- We now create the custom login page which accepts the user id and password.

In the button click handler we call "FormsAuthentication.Authenticate", which checks the user name and password against the credentials in web.config, and then "FormsAuthentication.RedirectFromLoginPage", which issues the ticket cookie at the browser end and redirects to the originally requested page or to defaultUrl.

If you run the application and enter proper credentials, you should see the forms authentication cookie (named .ASPXAUTH by default) in the browser's cookie store.

If you disable cookies in the browser settings (with cookieless set to AutoDetect), the encrypted ticket, not the credentials, is passed via the URL instead.
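As an added example (not the page's own code), here is the Login.aspx button handler that step 4 refers to, together with a helper that decodes the forms ticket carried by the cookie described earlier, so you can see what the client actually holds. It assumes the web.config <credentials> list above; the control names txtUser, txtPassword, lblError and the button handlers are assumptions (in Web Forms the controls are declared in the page markup).

```csharp
// Added example: forms login/logout handlers and a ticket inspector.
// Assumes the <credentials> users from web.config and hypothetical controls
// txtUser, txtPassword and lblError declared in Login.aspx.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // Authenticate() compares against <credentials> in web.config. It is marked
        // obsolete in later framework versions; Membership.ValidateUser replaces it
        // when the store is SQL Server / ASP.NET Membership.
        if (FormsAuthentication.Authenticate(user, password))
        {
            // Issues the .ASPXAUTH cookie (or a URI segment when cookieless) holding the
            // encrypted, MAC-protected ticket, then redirects to ReturnUrl or defaultUrl.
            // Second argument: false = session cookie, true = persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // Same message for a wrong name and a wrong password: do not leak which one failed.
            lblError.Text = "Invalid user name or password.";
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the ticket cookie
        Session.Abandon();               // drop any session state tied to the login
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}

// What the ticket contains: a user name, issue/expiry times, a version and optional
// user data. The password is never part of it.
public static class TicketInspector
{
    public static string Describe(HttpRequest request)
    {
        // In cookieless mode the ticket travels in the URL and this lookup returns null.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName]; // ".ASPXAUTH" by default
        if (cookie == null)
            return "no forms ticket cookie";

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt() verifies the MAC with the machineKey before decrypting;
            // a tampered value throws rather than yielding a forged ticket.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return "invalid or tampered ticket";
        }

        if (ticket == null || ticket.Expired)
            return "expired ticket";

        return string.Format("name={0} issued={1:u} expires={2:u} persistent={3} version={4}",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, ticket.Version);
    }
}
```

Call TicketInspector.Describe(Request) from Home.aspx after logging in to see the ticket fields; editing the cookie value in the browser and reloading shows the "invalid or tampered ticket" path, which is the MAC check doing its job.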
Forms authentication can also use SQL Server as its data store, through the ASP.NET Membership and Role providers.

Passport Authentication
Passport authentication is based on the Passport website provided by Microsoft.
When a user logs in with credentials, the request is redirected to the Passport website
(the service behind Hotmail, DevHood, Windows Live etc.), where authentication happens. If
authentication is successful, a token is returned to your website.

Passport authentication relies on a centralized service provided by Microsoft. It identifies a user by e-mail address and password, and a single Passport account can be used with many different Web sites. Passport authentication was primarily used for public Web sites with thousands of users.

Passport authentication applies whenever a single user name and password combination is used to authenticate into a group of websites. The simplest example is a Google Gmail account: with a single e-mail id and password you can access YouTube, Gmail, Google+, Blogger and most of the Google web applications. Note that Passport itself (later Windows Live ID) is obsolete in current .NET Framework versions; the same idea, a central identity provider issuing a token that relying websites trust, is what federated protocols such as OpenID Connect provide today.

https://www.youtube.com/watch?v=pRzzK3dGog0
