ASP.NET C# Authentication Authorization - c#

As a study project I have developed a website in ASP.NET. In my web.config file I have the authentication mode set to Windows, and I am using an appSettings connection string to connect to my SQL 2005 database.
Now I want to know what kind of authentication this is.
Is this Windows, Forms, or anonymous authentication?
I have a user table in SQL 2005 and my first screen is a login page. Obviously this user table has login details like username and password, which will be matched against the user input.
I don't understand; I have read so many posts on authorization and authentication, but please clear this up for me. Thanks in advance.

You are currently using Windows authentication. Your Windows username and password are used to authenticate you to ASP.NET.
A login page writing to a user table would be ASP.NET Forms authentication.
Note that SQL Server authentication is a totally separate issue. It is up to your code to authenticate against your database. When doing so, the connection string in the web.config file can be used.

If you want to customize the credentials in your connection string in order to access your database, you can use Integrated Security
or Trusted_Connection.
When the value is true, the current credentials of the Windows account are used for authentication.
Note: in your case I think that you can use Forms authentication (you currently have Windows authentication).
Link: http://msdn.microsoft.com/fr-fr/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.80).aspx
Forms authentication:
<authentication mode="Forms">
  <forms loginUrl="~/login.aspx">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
After your click:
if (IsAuthenticatedValue) // You can adjust your condition
{
    // Parameters are the API's own: the user name to put in the ticket, and
    // whether to issue a persistent ("remember me") cookie.
    FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie);
}
else
{
    // Console.WriteLine writes nowhere visible in a web page; show the
    // message on the page instead (lblMessage is a Label on your login page).
    lblMessage.Text = "Invalid credentials. Please try again.";
}
Link: http://msdn.microsoft.com/fr-fr/library/xdt4thhy(v=vs.80).aspx
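Putting the answer's outline together for the questioner's situation (a login page checked against his own SQL Server user table, then Forms authentication), as an added example that is not code from the original page or any of the answers. Everything named here is a hypothetical assumption: a <connectionStrings> entry called "UsersDb", a table dbo.Users(Username nvarchar(256), PasswordHash varbinary(32), Salt varbinary(16), Iterations int), and the controls txtUser, txtPassword, chkRememberMe and lblMessage on Login.aspx.

```csharp
// Added example, not from the original page: Login.aspx code-behind that checks
// the posted credentials against the questioner's SQL Server user table and then
// lets Forms authentication issue the ticket. Hypothetical assumptions: a
// <connectionStrings> entry "UsersDb"; a table dbo.Users(Username nvarchar(256),
// PasswordHash varbinary(32), Salt varbinary(16), Iterations int); controls
// txtUser, txtPassword, chkRememberMe, lblMessage on the page.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    private const int HashBytes = 32, SaltBytes = 16, DefaultIterations = 100000;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string username = txtUser.Text.Trim();
        if (VerifyCredentials(username, txtPassword.Text))
        {
            // Writes the encrypted, signed forms ticket cookie and redirects to
            // ReturnUrl or defaultUrl; no Session["LoggedIn"] flag is needed.
            FormsAuthentication.RedirectFromLoginPage(username, chkRememberMe.Checked);
        }
        else
        {
            // Same text for "no such user" and "wrong password": no username enumeration.
            lblMessage.Text = "Invalid credentials. Please try again.";
        }
    }

    // Parameterised lookup (no SQL injection), then a PBKDF2 check. The hash is
    // computed even when the user is missing so timing does not reveal valid names.
    private static bool VerifyCredentials(string username, string password)
    {
        byte[] storedHash = new byte[HashBytes];
        byte[] salt = new byte[SaltBytes];
        int iterations = DefaultIterations;
        bool found = false;

        string cs = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, Salt, Iterations FROM dbo.Users WHERE Username = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (r.Read())
                {
                    storedHash = (byte[])r["PasswordHash"];
                    salt = (byte[])r["Salt"];
                    iterations = (int)r["Iterations"];
                    found = true;
                }
            }
        }

        byte[] computed = Pbkdf2(password, salt, iterations, storedHash.Length);
        return FixedTimeEquals(computed, storedHash) & found;   // '&' not '&&': no short-circuit
    }

    // Call once when a password is created or changed and store all three values.
    // Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 on .NET Framework; with a random
    // per-user salt and a high iteration count that is acceptable for storage.
    public static void HashNewPassword(string password, out byte[] salt, out byte[] hash, out int iterations)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(salt); }
        iterations = DefaultIterations;
        hash = Pbkdf2(password, salt, iterations, HashBytes);
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(length);
        }
    }

    // Touches every byte so the time taken does not depend on where the first
    // mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two points the snippet in the answer leaves open: the password column must hold a salted, iterated hash (never the password itself, as the questioner's "matched to user input" wording suggests), and the lookup must be parameterised, because the username is attacker-controlled input that goes straight into a query. Once RedirectFromLoginPage has run, the `<deny users="?" />` rule in web.config is what keeps anonymous visitors off every other page; no per-page Session check is required.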

In addition to the other answer here:
Once the user is logged in, create a Session and store the fact they are logged in using that such as
Session["LoggedIn"] = true;
Session["Username"] = username;
Then check if they are logged in using your code and authorise access to the page using that. So on page load, if they are logged in, continue loading the page; else send them to the login page.
When you want to log the user off simply do Session.Clear();

Related

Is this the correct way for ASP.NET web application to do authentication?

ASP.NET Web Forms applications.
I checked our company's legacy code; the way they do login is like this:
when the user is validated against the database with (username, password), they set a session:
Session["authenticated"] = "true";
Every page other than login.aspx inherits from a class named SecurePage. In SecurePage's OnInit() method, it checks
if (Session["authenticated"] != null)
If true, it means authenticated; otherwise not. So basically the way to do authentication is to see if there is a session value named authenticated.
This seems the most crude and intuitive way of doing authentication... I want to ask: is this safe?
Another thing I feel strange about is that in the web.config they have this:
<authentication mode="Windows" />
Shouldn't it be
<authentication mode="Forms" />
since these are web applications? User credentials are stored in the database and these users are outside clients (not internal users).
A slightly different version also does this after the user is validated against the database:
FormsAuthentication.SetAuthCookie(username, true);
What does this do? Besides this statement in login.aspx, I don't see any other pages with any code related to the auth cookie. Do we need to set the auth cookie ourselves in code, or does the .NET framework handle this for us already?
Still another version has the following:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(login, false, 60);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
Response.Cookies.Add(cookie);
What does this do? Do we need to set this cookie ourselves in code, or does the .NET framework handle this for us already?
These web applications were developed a long time ago, though I am not sure when. I suspect the .NET 1.0 era? From my understanding, since .NET 2.0
it has this ASP.NET membership thing, and we can just use <authentication> and <authorization> tags in web.config (and subfolder web.config) to achieve the goal of authentication and authorization. Isn't it? Can anyone give me a history of the ASP.NET framework authentication mechanisms? (membership -> simple membership -> Identity?)
<authentication mode="Windows" />
The above should be used mostly in an intranet website, because it's like saying "use the computer's (Windows PC) authentication to access the resource". However, this will never work, since the inherited class has a method to validate a session key value for a login.
You should make sure that the code redirects the user to the login page in case the session key is not found. That means, in the else section of the code below, you should take users to the login page to try again. Which I am sure is happening.
if (Session["authenticated"] != null)
{
    /* user is authenticated */
}
else
{
    /* redirect to login */
}
It is recommended to use <authentication mode="Forms" /> if the website is accessible over the internet. Another benefit of using this setting is that you can set the default and login pages.
Finally, FormsAuthenticationTicket is a class with properties and values that are used when working with Forms authentication to identify authenticated users.
Read through the MSDN article to know more about ASP.NET membership.
https://msdn.microsoft.com/en-us/library/yh26yfzy%28v=vs.140%29.aspx

How to encrypt cookies in ASP mvc3? [duplicate]

I have a login page with a "remember me" option.
If the user wishes to save his credentials in the system using the "remember me" option, the details are saved using cookies.
The next time the user visits the site the credentials are taken from the cookies as expected.
I noticed that these values are not encrypted when saved in the cookie, so I can use "Inspect element" in Chrome to find the value of the password textbox (taken from the cookie).
Is there any way I can prevent this? Either:
Encrypt the values while saving to the cookie
Even if the user uses "Inspect Element" he will not be able to see the value of the textbox (almost impossible, I guess)
Are you using the credentials to log in the user for each request? I think you should reconsider your strategy, to do an authorization once, and then use something like FormsAuthentication which would create an encrypted session cookie which would contain the user identity.
Then you do not need to keep logging in the user, and you wouldn't need to worry about encrypting a standard cookie either (which is a very dangerous approach anyway).
For example, your login handling code could do:
// One way to read the posted values; adjust to your view model / form field names.
string username = Request.Form["username"];          // get username
string password = Request.Form["password"];          // get password
bool rememberMe = Request.Form["rememberMe"] == "true"; // get remember me setting
if (YourAuthenticationSystem.Authenticate(username, password))
{
    // Issues the encrypted, signed forms ticket cookie; persistent when rememberMe is true.
    FormsAuthentication.SetAuthCookie(username, rememberMe);
}
As you can see, this method has support for a 'remember me' option.
You will need the web.config code:
<authentication mode="Forms">
<forms name="TheNameOfYourAuthCookie" loginUrl="http://yourdomain.com/Login" path="/" domain="" timeout="40320" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Read more about FormsAuthentication here: http://msdn.microsoft.com/en-us/library/xdt4thhy(v=vs.100).aspx
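The `<forms>` element from the answer above, annotated, beside a hardened version of the same configuration. This is an added example and not part of the original answer; the cookie name ".AUTH", the one-day timeout and the ~/Login path are choices made for this example, not anything the question specifies.

```xml
<!-- As posted in the answer: the "remember me" cookie lives 40320 minutes
     (28 days), is renewed whenever a request arrives after half of that has
     elapsed, and nothing in the config stops it from being sent over plain
     HTTP, where anyone on the path can copy it and become the user. -->
<authentication mode="Forms">
  <forms name="TheNameOfYourAuthCookie" loginUrl="~/Login" path="/"
         timeout="40320" slidingExpiration="true" />
</authentication>

<!-- Hardened: one absolute bound on ticket lifetime, HTTPS-only cookie,
     encrypted and signed ticket, no cookieless (URL-carried) fallback. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".AUTH"
           loginUrl="~/Login"
           path="/"
           timeout="1440"
           slidingExpiration="true"
           requireSSL="true"
           protection="All"
           cookieless="UseCookies"
           enableCrossAppRedirects="false" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
  <!-- Applies to every cookie the application sets, not only the auth ticket. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <!-- On a web farm, or to keep tickets valid across app-pool recycles, set an
       explicit <machineKey validation="HMACSHA256" decryption="AES" ... /> with
       keys generated on the server; never paste keys copied from a web page. -->
</system.web>
```

The single `timeout` value governs both the persistent "remember me" cookie and ordinary session tickets, so it is a trade-off: set it to the longest remember-me lifetime you are willing to accept, not to the 28 days in the answer. With `requireSSL="true"`, FormsAuthentication.SetAuthCookie throws on a request that did not arrive over HTTPS, which is the behaviour you want rather than a silently downgraded cookie.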
To encrypt text like passwords you can use some DSA algorithm, which works based on a key and some prime numbers;
another way to encrypt is by using hash tables / some inbuilt stored procedures, like Membership in C#, which uses encryption that is not possible to hack so easily...
I recommend you not use cookies to store text like passwords using
encryption. Use session variables to start and stop sessions; when
sessions are started and authenticated the browser itself asks to save
your password, etc.
The best way any developer usually uses to secure authentication is
the tool in C# called Membership (which provides all
features like log-in, log-out, user, remember-me etc. as built-in
features by Microsoft C#). Please make use of it.
For more info:
Membership - Log-in Cookies and Sessions Microsoft site

Try setting the value as encrypted text:
// C# string literals use double quotes; 'cookieName' would be a char literal and not compile.
Response.Cookies["cookieName"].Value = MyEncryptMethod(model.rememberMe);

How to get current user who's accessing an ASP.NET application?

To get the current logged-in user on the system I use this code:
string opl = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I work on an ASP.NET application where I need this information. So I've put my application on a server and tried the code above, and I get "Network Service" in the string opl. I need to know the current user of the PC who accesses my ASP.NET application.
The quick answer is User = System.Web.HttpContext.Current.User
Ensure your web.config has the following authentication element.
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Further Reading: Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application
Using System.Web.HttpContext.Current.User.Identity.Name should work.
Please check the IIS Site settings on the server that is hosting your site by doing the following:
Go to IIS → Sites → Your Site → Authentication
Now check that Anonymous Access is Disabled & Windows Authentication is Enabled.
Now System.Web.HttpContext.Current.User.Identity.Name should return something like this:
domain\username
If you're using membership you can do: Membership.GetUser()
Your code is returning the Windows account that is assigned to ASP.NET.
Additional Info Edit:
You will want to include System.Web.Security:
using System.Web.Security;
The best practice is to check the Identity.IsAuthenticated property first and then get the usr.UserName, like this:
string userName = string.Empty;
if (System.Web.HttpContext.Current != null &&
    System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
    // GetUser() reads the membership record for the current request's user;
    // it returns null when that user has no membership entry.
    System.Web.Security.MembershipUser usr = Membership.GetUser();
    if (usr != null)
    {
        userName = usr.UserName;
    }
}
You can simply use a property of the page. And the interesting thing is that you can access that property anywhere in your code.
Use this:
HttpContext.Current.User.Identity.Name
Don't look too far.
If you develop with ASP.NET MVC, you simply have the user as a property of the Controller class. So in case you get lost in some models looking for the current user, try to step back and to get the relevant information in the controller.
In the controller, just use:
using Microsoft.AspNet.Identity;
...
var userId = User.Identity.GetUserId();
...
with userId as a string.
The general consensus answer above seems to have have a compatibility issue with CORS support. In order to use the HttpContext.Current.User.Identity.Name attribute you must disable anonymous authentication in order to force Windows authentication to provide the authenticated user information. Unfortunately, I believe you must have anonymous authentication enabled in order to process the pre-flight OPTIONS request in a CORS scenario.
You can get around this by leaving anonymous authentication enabled and using the HttpContext.Current.Request.LogonUserIdentity attribute instead. This will return the authenticated user information (assuming you are in an intranet scenario) even with anonymous authentication enabled. The attribute returns a WindowsUser data structure and both are defined in the System.Web namespace
using System.Web;
using System.Security.Principal;   // WindowsIdentity is declared here, not in System.Web
WindowsIdentity user;
user = HttpContext.Current.Request.LogonUserIdentity;
I ran in the same issue.
This is what worked for me:
Setting up Properties of Windows Authentication in IIS
NTLM has to be the topmost.
Further Web.config modifications, make sure you already have or add if these do not exist:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true"/>
</system.web>
<!-- you need the following lines of code to bypass errors, concerning type of Application Pool (integrated pipeline or classic) -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See below a legitimate explanation of the two nodes:
Difference between <system.web> and <system.webServer>?
And, of course, you get the username by
// Find the "\\" separator and strip the domain name from the string.
// IndexOf returns -1 when there is no backslash, so Substring(0) then keeps the whole name.
int indexOfSlashChar = HttpContext.Current.User.Identity.Name.IndexOf("\\");
string loggedInWindowsUserName = HttpContext.Current.User.Identity.Name.Substring(indexOfSlashChar + 1);
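The answers above reach for three different "current user" values (the process token, the request's logon identity and HttpContext.User) and two of them are easy to confuse with each other. The helper below gathers all three in one place, as an added example that is not from any of the answers. It assumes Windows authentication is enabled in IIS as described; the SplitAccount helper and the "CONTOSO"/"alice" sample names in its comments are hypothetical.

```csharp
// Added example, not from the original answers: report the identities that
// get mixed up in this thread, and split an account name safely.
using System;
using System.Security.Principal;
using System.Web;

public static class CallerIdentity
{
    public sealed class Info
    {
        public string ProcessAccount;   // token the code runs under (e.g. NT AUTHORITY\NETWORK SERVICE)
        public string RequestAccount;   // account IIS logged on for this request, if any
        public string UserAccount;      // HttpContext.User: what <authorization> and IsInRole use
        public bool IsAuthenticated;
    }

    public static Info Resolve(HttpContext ctx)
    {
        var info = new Info();

        // WindowsIdentity.GetCurrent() is the thread's token. Without
        // <identity impersonate="true"/> that is the application pool account,
        // which is why the question saw "Network Service" instead of a user.
        info.ProcessAccount = WindowsIdentity.GetCurrent().Name;

        // The logon token IIS attached to the request. With anonymous
        // authentication enabled this can be the IIS anonymous account, so
        // do not treat it as proof of who the browser user is.
        WindowsIdentity logon = ctx.Request.LogonUserIdentity;
        info.RequestAccount = logon != null ? logon.Name : null;

        // The principal ASP.NET authorises against. Always check IsAuthenticated
        // before using Name: an anonymous request has an identity with an empty name.
        IPrincipal user = ctx.User;
        info.IsAuthenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;
        info.UserAccount = info.IsAuthenticated ? user.Identity.Name : null;
        return info;
    }

    // Accepts both forms Windows hands out:
    //   "CONTOSO\alice"      -> domain "CONTOSO",     user "alice"
    //   "alice@contoso.com"  -> domain "contoso.com", user "alice"   (UPN, common with Kerberos)
    //   "alice"              -> domain "",            user "alice"
    public static void SplitAccount(string account, out string domain, out string user)
    {
        domain = "";
        user = account ?? "";
        int backslash = user.IndexOf('\\');
        if (backslash >= 0)
        {
            domain = user.Substring(0, backslash);
            user = user.Substring(backslash + 1);
            return;
        }
        int at = user.IndexOf('@');
        if (at >= 0)
        {
            domain = user.Substring(at + 1);
            user = user.Substring(0, at);
        }
    }
}
```

Call `CallerIdentity.Resolve(HttpContext.Current)` from a page or handler. If `UserAccount` is null while `ProcessAccount` is the pool identity, the request was never authenticated by IIS, which is the symptom the question describes; fixing that is an IIS setting (Windows authentication on, anonymous off for the protected content), not something the code can paper over. Strip the domain with `SplitAccount` only for display; keep the full `DOMAIN\user` string for any authorization decision, since the same short name can exist in more than one domain.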

Forms Authentication for different roles?

I am developing a website in which I'm using forms authentication.
We have 2 log in pages: one for user, another for admin.
I added this code into webconfig file for user.
<forms loginUrl="Login.aspx" defaultUrl="Home.aspx" />
I am using this code on the user side when the user has successfully logged in:
FormsAuthentication.RedirectFromLoginPage(UserName.Text, chkPersistCookie.Checked);
I am not using the default user membership database. I have my own database in SQL Server 2005.
I want same thing for admin, but the default url is Admin.aspx & login url is adminlogin.aspx for admin.
How can i assign in web config file for admin? Is it the right way to do that or any one have some better concept for that?
I used This line of code and this worked for me.
FormsAuthentication.SetAuthCookie(txtUser.Text, true);
Response.Redirect("Admin.aspx");
Putting the admin files in a folder and creating a web.config file in it is an option. You can probably override the config rules there.
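One way to do what this question asks (a separate admin login and landing page) and what the earlier "Is this the correct way for ASP.NET web application to do authentication?" question asks (a Forms ticket instead of a Session["authenticated"] flag), in a single piece of code. This is an added example, not code from either question or their answers. Hypothetical choices: the role strings "User" and "Admin", the pages ~/Admin/Admin.aspx and ~/Home.aspx, and a 30-minute ticket; the caller is expected to have already verified the password against its own user table and looked up the role.

```csharp
// Added example, not from the original posts: issue a Forms ticket that
// carries the user's role, rebuild the principal from it on every request,
// and sign out cleanly. Role names and page paths are assumptions.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Call from Login.aspx or adminlogin.aspx after the password check passed.
    public static void SignIn(HttpResponse response, string username, string role, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            username,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),         // absolute expiry of the ticket
            persistent,
            role,                                // UserData: role(s), comma-separated if several
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))   // encrypted + signed with machineKey
        {
            HttpOnly = true,                                     // not readable from script
            Secure = FormsAuthentication.RequireSSL,             // follows <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;  // "remember me"; otherwise a session cookie
        }
        response.Cookies.Add(cookie);

        // Each login page lands its own audience; the config's defaultUrl is not used here.
        response.Redirect(role == "Admin" ? "~/Admin/Admin.aspx" : "~/Home.aspx", false);
    }

    // Wire up in Global.asax:
    //   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    //   { RoleTicket.AttachRoles(HttpContext.Current); }
    // After this, User.IsInRole("Admin") and <allow roles="Admin"/> both work.
    public static void AttachRoles(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return;   // tampered, truncated or signed with another machineKey: stay anonymous
        }
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Session.Clear() alone leaves the auth cookie valid; expire both.
    public static void SignOut(HttpContext context)
    {
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }
    }
}
```

The `<authentication>` element is only allowed at application level, so there is one `loginUrl` per application; the second login page is reached by linking to it directly, and what actually protects the admin pages is an Admin/web.config containing `<authorization><allow roles="Admin" /><deny users="*" /></authorization>`. Because the role travels inside the encrypted, signed ticket, an "Admin" claim cannot be added by editing a cookie, which is the property the Session-flag approach in the earlier question lacks once any page forgets to check the flag.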

Best approach to store login credentials for website

I have created a site in ASP.NET 3.5 and I have only 2 or 3 user login IDs that can log in to the website.
What would be the best way to save these login details? Which of these approaches, or others, would be most suitable?
Using Forms Authentication, and saving credentials (username and password) in web.config
to create a text file in directory and modify it
Which approach is best from a security and maintenance perspective? What other approaches are suitable for a login system for ASP.NET?
Use the default ASP.NET SQL Membership Provider. The link will show you how to use it and get it configured.

Do you already have a database? If so, use Forms authentication and ASP.NET membership like everyone says. It is really simple to integrate into your current database (assuming it's SQL Server; I don't know about others). I realize adding a DB for 2 or 3 users isn't always an option due to budget or whatever, so you can use Forms authentication and store the users in the web.config. I've done this in the past and it is very simple.
Your web.config will look like:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <credentials passwordFormat="Clear">
      <user name="myUser" password="password" />
    </credentials>
  </forms>
</authentication>
Then you can use the built-in login controls. If you do it this way you need to implement the Authenticate event:
protected void Login1_Authenticate(object sender, System.Web.UI.WebControls.AuthenticateEventArgs e)
{
    string UserName = Login1.UserName;
    string Password = Login1.Password;
    // Checks the pair against the <credentials> list in web.config.
    if (FormsAuthentication.Authenticate(UserName, Password))
    {
        e.Authenticated = true;
    }
    else
    {
        e.Authenticated = false;
    }
}
Of course this isn't the most secure way to go about this, and you'll probably want to at least look at encrypting the credentials in the web.config, but it is simple and works when a database isn't an option.
With ASP.NET you can use some of the built-in/provided authentication providers that let you manage the users in a database and it uses proper guidelines like hashing passwords, etc. by default.
You could use ASP.NET membership. Even though you won't have many users, it handles all of the authentication details for you.