Lesson 2: Using Windows, Forms, Passport, and Anonymous Authentication in .NET

password as a command-line parameter and displaying the hash of the password. The resulting hash can be pasted directly into the Web.config file.
'VB
Imports System.Security.Cryptography
Imports System.Text

Module Module1
    Sub Main(ByVal args As String())
        ' Hash the password passed as the first command-line argument with SHA-1
        Dim myHash As SHA1CryptoServiceProvider = New SHA1CryptoServiceProvider
        Dim password As Byte() = Encoding.ASCII.GetBytes(args(0))
        myHash.ComputeHash(password)

        ' Print the hash as uppercase hexadecimal, two digits per byte
        For Each thisByte As Byte In myHash.Hash
            Console.Write(thisByte.ToString("X2"))
        Next
        Console.WriteLine()
    End Sub
End Module

//C#
using System;
using System.Security.Cryptography;
using System.Text;

namespace HashExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // Hash the password passed as the first command-line argument with SHA-1
            SHA1CryptoServiceProvider myHash = new SHA1CryptoServiceProvider();
            byte[] password = Encoding.ASCII.GetBytes(args[0]);
            myHash.ComputeHash(password);

            // Print the hash as uppercase hexadecimal, two digits per byte
            foreach (byte thisByte in myHash.Hash)
                Console.Write(thisByte.ToString("X2"));
            Console.WriteLine();
        }
    }
}
Alternatively, you can call the FormsAuthentication.HashPasswordForStoringInConfigFile method to generate a password hash. This method is described in the next section.
IMPORTANT
Storing credentials in a .config file
You should store credentials in a .config file only during testing. Protecting passwords with a hash is little deterrent to an attacker who can read the contents of the .config file, because hashed password databases exist that can quickly identify common passwords.
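The weakness described in this note comes from the hash being unsalted: the same password always produces the same value, which is what a precomputed database matches against. The following added example (not part of the original lesson) contrasts that with a salted PBKDF2 record, assuming .NET Framework 4.7.2 or later; the class name, record format, sample password, and iteration count are illustrative assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashDemo   // hypothetical name; added example
{
    // Unsalted SHA-1 as uppercase hex, the same form the listing above prints.
    static string Sha1Hex(string password)
    {
        using (SHA1 sha1 = SHA1.Create())
            return BitConverter.ToString(
                sha1.ComputeHash(Encoding.ASCII.GetBytes(password))).Replace("-", "");
    }

    // Salted PBKDF2 record: "iterations:salt:hash", salt and hash Base64-encoded.
    static string CreateRecord(string password, int iterations)
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return iterations + ":" + Convert.ToBase64String(salt) + ":" +
                   Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Recompute with the stored salt and iteration count, then compare every byte.
    static bool Verify(string password, string record)
    {
        string[] parts = record.Split(':');
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0]), HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    static void Main()
    {
        const string pw = "Password1";   // constructed sample value
        Console.WriteLine("Unsalted hashes equal: " + (Sha1Hex(pw) == Sha1Hex(pw)));
        string a = CreateRecord(pw, 100000), b = CreateRecord(pw, 100000);
        Console.WriteLine("Salted records equal:  " + (a == b));
        Console.WriteLine("Correct password verifies: " + Verify(pw, a));
        Console.WriteLine("Wrong password verifies:   " + Verify("password1", a));
    }
}
```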
11
Implementing Authentication and Authorization
The FormsAuthentication Class
The FormsAuthentication class is the basis for all forms authentication in ASP.NET. The class includes the following read-only properties, which you can use to programmatically examine the current configuration:
FormsCookieName
Returns the configured cookie name used for the current application.
FormsCookiePath
Returns the configured cookie path used for the current application.
RequireSSL
Gets a value indicating whether the cookie must be transmitted using SSL (that is, over HTTPS only).
IMPORTANT
Improving security if the Web server has an SSL certificate
Enable RequireSSL for best security. This will ensure that forms authentication is encrypted.
SlidingExpiration
Gets a value indicating whether sliding expiration is enabled. Enabling sliding expiration resets the user's authentication timeout with every Web request.
IMPORTANT
Improving security (at the cost of convenience)
Disable SlidingExpiration for the highest level of security. This prevents a session from remaining open indefinitely.
Additionally, you can call the following methods:
Authenticate
Attempts to validate the credentials against those contained in the configured credential store, given the supplied credentials.
Decrypt
Returns an instance of a FormsAuthenticationTicket class, given a valid encrypted authentication ticket obtained from an HTTP cookie.
Encrypt
Produces a string containing an encrypted authentication ticket suitable for use in an HTTP cookie, given a FormsAuthenticationTicket object.
GetAuthCookie
Creates an authentication cookie for a given user name.
GetRedirectUrl
Returns the redirect URL for the original request that caused the redirect to the login page.
HashPasswordForStoringInConfigFile
Given a password and a string identifying the hash type, this routine produces a hash password suitable for storing in a configuration file. If your application stores user credentials in the Web.config file and hashes the password, build this method into a management tool to enable administrators to add users and reset passwords.
RedirectFromLoginPage
Redirects an authenticated user back to the originally requested URL. Call this method after verifying a user's credentials with the Authenticate method. You must pass this method a string and a Boolean value. The string uniquely identifies the user, and the method uses it to generate a cookie based on that information. The Boolean value, if true, allows the browser to use the same cookie across multiple browser sessions. Generally, this unique piece of information should be the user's user name.
RenewTicketIfOld
Conditionally updates the sliding expiration on a FormsAuthenticationTicket object.
SetAuthCookie
Creates an authentication ticket and attaches it to the cookie's collection of the outgoing response. It does not perform a redirect.
SignOut
Removes the authentication ticket, essentially logging the user off.
Creating a Custom Forms Authentication Page
When using forms authentication, you must include two sections at a minimum:
A forms authentication page
A method for users to log off and close their current sessions
To create a forms authentication page, create an ASP.NET Web form to prompt the user for credentials and call members of the System.Web.Security.FormsAuthentication class to authenticate the user and redirect him or her to a protected page. The following code sample demonstrates an overly simple authentication mechanism that just verifies that the contents of usernameTextBox and passwordTextBox are the same, and then calls the RedirectFromLoginPage method to redirect the user to the page originally requested. Notice that the Boolean value passed to RedirectFromLoginPage is true, indicating that the browser saves the cookie after the browser is closed, enabling the user to remain authenticated if the user closes and reopens his or her browser before the authentication cookie expires.
'VB
If usernameTextBox.Text = passwordTextBox.Text Then
    FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, True)
End If

//C#
if (usernameTextBox.Text == passwordTextBox.Text)
    FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, true);
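A fuller code-behind covering both required pieces, the login page and a log-off method, is sketched here as an added example that is not part of the original lesson. It validates against the configured credential store with Authenticate and issues a session-only cookie. The class name, the handler names, and errorLabel are hypothetical, and the controls are assumed to be declared in the .aspx markup with no separate designer file.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page   // hypothetical class name
{
    // Controls defined in the .aspx markup; the text box names follow the sample above.
    protected TextBox usernameTextBox;
    protected TextBox passwordTextBox;
    protected Label errorLabel;   // hypothetical control for the failure message

    // Wired to the login button's Click event (hypothetical handler name).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // If the authentication cookie is HTTPS-only, do not process
        // credentials that arrived over plain HTTP.
        if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
        {
            errorLabel.Text = "Sign in over HTTPS.";
            return;
        }

        // Check the supplied credentials against the configured credential store.
        if (FormsAuthentication.Authenticate(usernameTextBox.Text, passwordTextBox.Text))
        {
            // false: the cookie is not kept across browser sessions.
            FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, false);
        }
        else
        {
            // Same message for an unknown user and a wrong password.
            errorLabel.Text = "Invalid user name or password.";
        }
    }

    // Wired to a log-off button's Click event (hypothetical handler name).
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Remove the authentication ticket, then return to the login page.
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```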