.config file
Root/webform1.aspx
test page
Root/login_credentials.aspx
login page
Root/encode.aspx
form to SHA1 encode a password for <credentials>
Root/secure/web.config
directives to override security for this sub-directory to deny anonymous access
Root/secure/webform1.aspx
test page
Conclusions
We’ve looked at the new security features of ASP.Net focusing particularly on an application scenario where forms based authentication uses the credentials section of web.config, but presenting this in the context of wider security issues.
In summary you should consider forms based authentication when:
User names and passwords are stored somewhere other than Windows Accounts (it is possible to use forms authentication with Windows Accounts but in this case Integrated Windows authentication may well be the best choice).
You are deploying your application over the Internet and hence you need to support all browsers and client operating systems.
You want to provide your own user interface form as a logon page.
You should not consider forms based authentication when:
You are deploying an application on a corporate intranet and can take advantage of the more secure Integrated Windows authentication.
You are unable to perform programmatic access to verify the user name and password.
Further security considerations for forms based authentication:
If users are submitting passwords via the logon page, you can (should?) secure the channel using SSL to prevent passwords from being easily obtained by hackers.
If you are using cookies to maintain the identity of the user between requests, you should be aware of the potential security risk of a hacker "stealing" the user''''s cookie using a network-monitoring program. To ensure the site is completely secure when using cookies you must use SSL for all communications with the site. This will be an impractical restriction for most sites due to the significant performance overhead. A compromise available within ASP.Net is to have the server regenerate cookies at timed intervals. This policy of cookie expiration is designed to prevent another user from accessing the site with a stolen cookie.
Finally, different authorities are appropriate for form-based authentication for different problem domains. For our considered scenario where the number of users was limited as we were only protecting a specific administrative resource credentials / XML file based authorities are adequate. For a scenario where all site information is ‘protected’ a database authority is most likely to be the optimal solution.
References
ASP.Net: Tips, Tutorial and Code Scott Mitchell et al. Sams
.Net SDK documentation
Various online articles, in particular:
ASP.Net Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.Net and IIS -- MSDN Magazine, April 2002 http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx An excellent and detailed introduction to IIS and ASP.Net security issues.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp Authentication in ASP.Net: .Net Security Guidance