IntroductionWhat is the one thing forums, eCommerce sites, online email websites, portal websites, and social network sites all have in common? They all offer user accounts. Sites that offer user accounts must provide a number of services. At a minimum, new visitors need to be able to create an account and returning visitors must be able to log in. Such web applications can make decisions based on the logged in user: some pages or actions might be restricted to only logged in users, or to a certain subset of users; other pages might show information specific to the logged in user, or might show more or less information, depending on what user is viewing the page.
This is the first tutorial in a series of tutorials that will explore techniques for authenticating visitors through a web form, authorizing access to particular pages and functionality, and managing user accounts in an ASP.NET application. Over the course of these tutorials we will examine how to:
* Identify and log users in to a website
* Use ASP.NET’s Membership framework to manage user accounts
* Create, update, and delete user accounts
* Limit access to a web page, directory, or specific functionality based on the logged in user
* Use ASP.NET’s Roles framework to associate user accounts with roles
* Manage user roles
* Limit access to a web page, directory, or specific functionality based on the logged in user’s role
* Customize and extend ASP.NET’s security Web controls
These tutorials are geared to be concise and provide step-by-step instructions with plenty of screen shots to walk you through the process visually. Each tutorial is available in C# and Visual Basic versions and includes a download of the complete code used. (This first tutorial focuses on security concepts from a high-level viewpoint and therefore does not contain any associated code.)
In this tutorial we will discuss important security concepts and what facilities are available in ASP.NET to assist in implementing forms authentication, authorization, user accounts, and roles. Let’s get started!
Note: Security is an important aspect of any application that spans physical, technological, and policy decisions and requires a high degree of planning and domain knowledge. This tutorial series is not intended as a guide for developing secure web applications. Rather, it focuses specifically on forms authentication, authorization, user accounts, and roles. While some security concepts revolving around these issues are discussed in this series, others are left unexplored.
Authentication, Authorization, User Accounts, and Roles
Authentication, authorization, user accounts, and roles are four terms that will be used very often throughout this tutorial series, so I’d like to take a quick moment to define these terms within the context of web security. In a client-server model, such as the Internet, there are many scenarios in which the server needs to identify the client making the request. Authentication is the process of ascertaining the client’s identity. A client who has been successfully identified is said to be authenticated. An unidentified client is said to be unauthenticated or anonymous.
Secure authentication systems involve at least one of the following three facets: something you know, something you have, or something you are. Most web applications rely on something the client knows, such as a password or a PIN. The information used to identify a user – her username and password, for example – are referred to as credentials. This tutorial series focuses on forms authentication, which is an authentication model where users log in to the site by providing their credentials in a web page form. We have all experienced this type of authentication before. Go to any eCommerce site. When you are ready to check out you are asked to log in by entering your username and password into textboxes on a web page.
In addition to identifying clients, a server may need to limit what resources or functionalities are accessible depending on the client making the request. Authorization is the process of determining whether a particular user has the authority to access a specific resource or functionality.
A user account is a store for persisting information about a particular user. User accounts must minimally include information that uniquely identifies the user, such as the user’s login name and password. Along with this essential information, user accounts may include things like: the user’s email address; the date and time the account was created; the date and time they last logged in; first and last name; phone number; and mailing address. When using forms authentication, user account information is typically stored in a relational database like Microsoft SQL Server.
Web applications that support user accounts may optionally group users into roles. A role is simply a label that is applied to a user and provides an abstraction for defining authorization rules and page-level functionality. For example, a website might include an “Administrator” role with authorization rules that prohibit anyone but an Administrator to access a particular set of web pages. Moreover, a variety of pages that are accessible to all users (including non-Administrators) might display additional data or offer extra functionality when visited by users in the Administrators role. Using roles, we can define these authorization rules on a role-by-role basis rather than user-by-user.
All these information is based on the Article bublished by Mr
Scott Mitchell in asp.net
you can visit it http://www.asp.net/learn/security/tutorial-01-cs.aspx and download source code.
