
Security in ASP.NET

The first problem in security is authentication: proving that the caller is who it claims to be, usually by presenting a password or a personal identification number.  Authentication has historically been the most difficult part of security design.  A password should never travel over the network in the clear, and even an encrypted or hashed password that an attacker captures can simply be replayed unless the channel itself is protected (for example, with SSL).  ASP.NET supports three authentication mechanisms, each described separately below: Windows, Forms, and Passport.

Windows
ASP.NET supports Windows-based authentication.  In this mode ASP.NET delegates authentication entirely to IIS.  IIS can be configured to challenge the browser for an ID and password (Basic or Digest authentication) or to use Integrated Windows authentication (NTLM or Kerberos), in which the browser proves the user's domain logon without sending the password itself.  The credentials must match a Windows account on the IIS host or in its domain.  Windows authentication works well for Windows-only intranets in large corporations.  It is not suited to the open Internet, where clients are not members of the server's domain and, with Basic authentication, the password would cross the network merely base64-encoded unless SSL is used.
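A minimal Windows-authentication setup, as an added example that is not from the original page: the web.config fragment that hands authentication to IIS, and a page that reads the identity IIS established.  The CORP\Finance and CORP\FinanceAdmins group names, the page name and the control IDs are assumptions.

```csharp
// Added example (not from the original page). Assumed web.config for the application:
//
//   <configuration>
//     <system.web>
//       <authentication mode="Windows" />
//       <authorization>
//         <allow roles="CORP\Finance" />   <!-- assumed Windows group -->
//         <deny users="*" />               <!-- everyone else, including anonymous -->
//       </authorization>
//     </system.web>
//   </configuration>
//
// In the IIS console, turn off Anonymous access for the virtual directory and enable
// Integrated Windows authentication. Leave Basic authentication off unless the site is
// served over SSL: Basic sends the password base64-encoded, not encrypted.

using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for WhoAmI.aspx; the page (not shown) declares controls with these IDs.
public class WhoAmI : Page
{
    protected Label IdentityLabel;
    protected Panel AdminPanel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under mode="Windows" the caller was authenticated by IIS before this code runs,
        // and <deny users="*"/> has already turned away anyone outside CORP\Finance,
        // so User is a WindowsPrincipal wrapping the caller's Windows account.
        WindowsIdentity identity = (WindowsIdentity)User.Identity;

        // AuthenticationType records how IIS authenticated the user: "Negotiate",
        // "Kerberos" and "NTLM" never put the password on the wire; "Basic" did.
        string how = identity.AuthenticationType;

        // The account name is caller-controlled data: HTML-encode it before rendering.
        IdentityLabel.Text = HttpUtility.HtmlEncode(identity.Name)
                             + " (" + HttpUtility.HtmlEncode(how) + ")";

        // Finer-grained checks in code use the same Windows groups as <authorization>:
        // only members of the assumed CORP\FinanceAdmins group see the admin controls.
        AdminPanel.Visible = User.IsInRole(@"CORP\FinanceAdmins");
    }
}
```

Because IIS does the authentication, the code never sees a password; it only sees the resulting Windows identity, which is why this mode cannot work for users who have no account on the server or in its domain.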

Forms Based Authentication
Most designers of real-life web applications use forms-based (cookie) authentication.  When the user requests a file that the site has marked as requiring authentication, ASP.NET redirects the user to a login page where an ID and password must be entered.  The server compares these with the ID and password information in a database (or another store).  On success the server issues a cookie representing the login, and the browser automatically sends that cookie in the request headers of every subsequent request, so the user is not prompted again until the cookie expires.  Because the cookie stands in for the password, it must be protected: ASP.NET encrypts and signs the ticket inside it using the machine key, and both the login page and the cookie should only travel over SSL.  The programmer can set up ASP.NET to perform forms-based authentication automatically, using user IDs and passwords stored in an XML configuration file (web.config); that is convenient for small sites, but the stored passwords should be hashed rather than kept in plain text, and a database is the usual store for anything larger.
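The configuration-file variant described above, as an added example that is not from the original page: a web.config that keeps one hashed credential and a login page that validates against it and issues the cookie.  The cookie name, the user "alice", the timeout and the control IDs are assumptions; the hash shown is SHA1 of the demonstration password "password".

```csharp
// Added example (not from the original page). Assumed web.config:
//
//   <configuration>
//     <system.web>
//       <authentication mode="Forms">
//         <forms name=".DEMOAUTH" loginUrl="Login.aspx" protection="All"
//                timeout="20" requireSSL="true" slidingExpiration="true">
//           <credentials passwordFormat="SHA1">
//             <!-- demo user; the value is SHA1("password"), produced with
//                  FormsAuthentication.HashPasswordForStoringInConfigFile("password", "SHA1") -->
//             <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
//           </credentials>
//         </forms>
//       </authentication>
//       <authorization>
//         <deny users="?" />   <!-- "?" = anonymous users: every page needs a login -->
//       </authorization>
//     </system.web>
//   </configuration>

using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for Login.aspx; the page (not shown) declares controls with these IDs.
public class Login : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected CheckBox Persist;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // Authenticate() hashes the submitted password with the configured
        // passwordFormat and compares it with the <credentials> entry for this user.
        if (FormsAuthentication.Authenticate(user, Password.Text))
        {
            // Issues the forms ticket cookie (encrypted and signed under protection="All",
            // and marked Secure because requireSSL="true"), then redirects to the page the
            // user originally asked for (the ReturnUrl query parameter). A persistent
            // cookie survives closing the browser; offer it only for trusted machines.
            FormsAuthentication.RedirectFromLoginPage(user, Persist.Checked);
        }
        else
        {
            // One generic message: do not tell the caller which half was wrong.
            Message.Text = "Invalid user name or password.";
        }
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Removes the ticket cookie; the next request for a protected page comes back here.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

In a real application, replace the FormsAuthentication.Authenticate call with a lookup against a database of salted password hashes (for example Membership.ValidateUser with the SQL membership provider) and keep the rest unchanged: the credentials element stores an unsalted hash and has to be edited by hand for every user change, which is acceptable only for a handful of accounts.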

Passport Authentication
Forms authentication works well, but the many usernames and passwords a person piles up across sites are difficult to remember.  Microsoft Passport is one way to eliminate that burden.  The Passport server run by Microsoft lets the user pick a single username and password; a participating site that requires authentication redirects the user to Passport, and on a successful sign-in Passport hands the site a ticket, carried in a cookie, instead of the site collecting a password of its own.  This service is not widely used as of yet and may not be in the future, but since it is Microsoft-based and this is a Microsoft .NET project, we felt it was worth mentioning.