19 ASP.NET Security
The original URL is attached to the query string of the request for the login page, as shown here:
http://YourApp/login.aspx?ReturnUrl=original.aspx
Authenticating a user means that an authentication ticket is issued and attached to the request. When the browser places its second request for the page, the HTTP module retrieves the authentication ticket and lets the request pass. Let's see how Forms-based authentication works in practice and consider a scenario in which users are not allowed to connect anonymously to any pages in the application. The user types the URL of the page (say, welcome.aspx) and goes. As a result, the HTTP module redirects to the login page any users for which an authentication ticket does not exist, as shown in Figure 19-3.
FIGURE 19-3 A sample login page.
Important There are inherent security concerns that arise with Forms authentication related to the fact that any data is transmitted as clear text. Unfortunately, with today's browser technology, these potential security concerns can be removed only by resorting to secure channels (HTTPS). I'll return to this topic later in the "General Security Issues" section.
Part IV Infrastructure of the Application
Collecting Credentials Through Login
The layout of a login page is nearly the same everywhere: a couple of text boxes for the user name and password, a button to confirm, and perhaps a label to display error messages. However, you can make it as complex as needed and add as many graphics as appropriate. The user enters the credentials, typically in a case-sensitive way, and then clicks the button to log on. When the login page posts back, the following code runs:

void LogonUser(object sender, EventArgs e)
{
    string user = userName.Text;
    string pswd = passWord.Text;

    // Custom authentication
    bool bAuthenticated = AuthenticateUser(user, pswd);
    if (bAuthenticated)
        FormsAuthentication.RedirectFromLoginPage(user, false);
    else
        errorMsg.Text = "Sorry, yours seems not to be a valid account.";
}
The event handler retrieves the strings typed in the user name and password fields and calls into a local function named AuthenticateUser. The function verifies the supplied credentials and returns a Boolean value. If the user has been successfully authenticated, the code invokes the RedirectFromLoginPage static method on the FormsAuthentication class to inform the browser that it's time to issue a new request to the original page. The RedirectFromLoginPage method redirects an authenticated user back to the originally requested URL. It has two overloads with the following prototypes:

public static void RedirectFromLoginPage(string, bool);
public static void RedirectFromLoginPage(string, bool, string);
The first argument is the name of the user to store in the authentication ticket. The second argument is a Boolean value that denotes the duration of the cookie, if any, being created for the authentication ticket. If this argument is true, the cookie is given a duration that equals the number of minutes set by the timeout attribute (which is 30 minutes by default). In this way, you get a cookie that persists across browser sessions. Otherwise, your authentication cookie will last for the current session only. Finally, the third argument optionally specifies the cookie path.
Authenticating the User
The authenticating algorithm (that is, the code inside the AuthenticateUser method seen earlier) is entirely up to you. For example, you might want to check the credentials against a database or any other user-defined storage device. The following listing shows a (rather naïve) function that compares the user name and password against the firstname and lastname columns of the Northwind Employees table in SQL Server:

// Requires the System.Data and System.Data.SqlClient namespaces
private bool AuthenticateUser(string username, string pswd)
{
    // Performs authentication here
    string connString = "...";
    string cmdText = "SELECT COUNT(*) FROM employees " +
                     "WHERE firstname=@user AND lastname=@pswd";
    int found = 0;
    using (SqlConnection conn = new SqlConnection(connString))
    {
        SqlCommand cmd = new SqlCommand(cmdText, conn);
        // Typed and sized parameters: the user input is never concatenated into the SQL text
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 10).Value = username;
        cmd.Parameters.Add("@pswd", SqlDbType.NVarChar, 20).Value = pswd;
        conn.Open();
        found = (int)cmd.ExecuteScalar();
        conn.Close();
    }
    return (found > 0);
}
The query is configured to return an integer that represents the number of rows in the table that match the specified user name and password. Notice the use of typed and sized parameters in the SQL command as a line of defense against possible injection of malicious code. Notice also that the SQL code just shown does not support strong passwords because the SQL = operator in the WHERE clause doesn't perform case-sensitive comparisons. To make provisions for that, you should rewrite the command as follows:

SELECT COUNT(*) FROM employees
WHERE CAST(RTRIM(firstname) AS VarBinary) = CAST(RTRIM(@user) AS VarBinary)
  AND CAST(RTRIM(lastname) AS VarBinary) = CAST(RTRIM(@pswd) AS VarBinary)
The CAST operator converts the value into its binary representation, while the RTRIM operator removes trailing blanks. To capture the name of the currently logged-in user, a page should just use the following code block:
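Putting the two pieces of this section together, the LogonUser handler from "Collecting Credentials Through Login" and the AuthenticateUser method from "Authenticating the User", here is an added example of my own; it is not a listing from the book and not the code block the book refers to above. It keeps the same handler and method signatures but goes beyond the book's listing in two ways: the persist flag of the authentication cookie is driven by a "remember me" checkbox, and the ReturnUrl that RedirectFromLoginPage would follow is checked to be a path inside the application before the redirect is issued. The credential check looks up a per-user salt and a PBKDF2 hash instead of comparing clear-text columns, so the case-sensitivity problem with the SQL = operator no longer applies to the password: the comparison happens byte for byte in C#. Assumed and not from the book: a Users table with UserName, Salt and PasswordHash columns, the page controls userName, passWord, rememberMe and errorMsg (declared in the designer file of the partial class), the iteration count, and the IsLocalUrl helper.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

// Added example (not the book's code). Web Forms code-behind for a login page.
// Assumed schema: Users(UserName nvarchar, Salt varbinary, PasswordHash varbinary).
// Assumed controls on the page: userName, passWord, rememberMe (CheckBox), errorMsg.
public partial class Login : Page
{
    private const int Pbkdf2Iterations = 100000; // assumed tuning value, not from the book
    private const int HashLength = 32;           // bytes of derived key stored per user

    protected void LogonUser(object sender, EventArgs e)
    {
        string user = userName.Text;
        string pswd = passWord.Text;

        if (!AuthenticateUser(user, pswd))
        {
            // Same message for unknown user and wrong password: no account enumeration
            errorMsg.Text = "Sorry, yours seems not to be a valid account.";
            return;
        }

        // The second argument of RedirectFromLoginPage/SetAuthCookie: true gives a cookie
        // that persists across browser sessions, false a session-only cookie.
        bool persist = rememberMe.Checked;

        // GetRedirectUrl returns the ReturnUrl from the query string (or the default page).
        // Follow it only when it points inside this application; otherwise fall back.
        string returnUrl = FormsAuthentication.GetRedirectUrl(user, persist);
        if (!IsLocalUrl(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;

        FormsAuthentication.SetAuthCookie(user, persist);
        Response.Redirect(returnUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Assumed helper: accept only application-relative paths. A single leading slash is
    // fine; "//" or "/\" would be read by browsers as protocol-relative (another host).
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    private bool AuthenticateUser(string username, string pswd)
    {
        string connString = "..."; // elided, as in the book's listing
        string cmdText = "SELECT Salt, PasswordHash FROM Users WHERE UserName=@user";

        byte[] salt = null, storedHash = null;
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand(cmdText, conn))
        {
            // Typed and sized parameter, as in the book: input never enters the SQL text
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username;
            conn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                if (rd.Read())
                {
                    salt = (byte[])rd["Salt"];
                    storedHash = (byte[])rd["PasswordHash"];
                }
            }
        }

        if (salt == null || storedHash == null)
            return false; // unknown user

        byte[] candidate = DeriveHash(pswd, salt);
        return FixedTimeEquals(candidate, storedHash);
    }

    // PBKDF2-HMAC-SHA1 through Rfc2898DeriveBytes, available in the .NET Framework.
    internal static byte[] DeriveHash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Compare every byte regardless of where the first mismatch is, so the time taken
    // does not reveal how much of the hash matched.
    internal static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The user name lookup still relies on the SQL = operator, which under a case-insensitive collation treats "Alice" and "alice" as the same account; that is usually the intended behaviour for user names, whereas the password is now verified against a derived hash and is therefore compared exactly. Storing the hash also means the clear-text password never sits in a table column, which the book's Northwind-based listing does for illustration only.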