This is especially useful for those who missed the seminar on “Building Secure Web Applications using ASP.NET 2.0 ("Whidbey")” on Feb. 25, 2005 (by Anand M. see: http://www.microsoft.com/india/msdn/speakers.aspx#AnandM).
ASP.NET Whidbey is the next version of ASP.NET (see: http://msdn.microsoft.com/asp.net/whidbey/default.aspx). A beta version of ASP.NET Whidbey is available for testing purposes. Its first release is expected this September (so very near!!).
Security basically has two aspects: 1. Authentication and 2. Authorization. The speaker mainly covered the authentication part, with a presentation and demos. The session started with some questions about the difficulties developers face while developing an ASP application. The major difficulties for most developers were writing too much code for security, and support for cookies (a short line of text that a web site puts on your computer's hard drive when you access the web site) on mobile browsers. Microsoft is well known for providing solutions in which developers have to write minimal code, and with great ease. Anand was cool, as the solution to both problems was there in the presentation (precisely, only that was there)! I have given an overview of the presentation here.
At the start we came to know that Visual Studio .NET 2005 has an integrated web server for debugging purposes.
A web application needs to perform several kinds of authentication. The main techniques are forms authentication and role authentication. Role authentication is mainly useful for authorization in modern programs. Normally authentication information is stored in the browser's cookies. But many browsers do not support cookies (mostly browsers on mobile devices). So ASP.NET provides four different ways of storing authentication information.
Device ID (default)
Here, Automatic is the key point. If you set “Automatic”, it will automatically select Cookies, URI or Device ID (written in priority order). Cookies and URI are more secure than Device ID, as the device ID can be tampered with. So if the browser does not support cookies, URI will be selected automatically, which is still secure to some extent (if you don't hate the ugly URI in the address bar ;-) ). Anand gave demos showing all 4 possibilities.
Now let's come to the second question, i.e. reducing the amount of code!! Definitely a topic of interest to anyone...
Microsoft Visual Studio .NET 2005 provides a control to authenticate the user. Just drag and drop the control onto your design screen and you have done most of the work!! You can make the box look the way you want by changing its parameters.
Next, specify the database provider, which stores the address of the database and the column names for the database and password. A sample database table is automatically created, which can store login and password information + registration details + role information and all the other necessary information. And you are done!
To add/update/delete information about roles, there is an admin tool or MMC with a GUI. You can edit the .config file manually or programmatically. You can write code to show content according to the role that the user belongs to.
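A web.config sketch of the settings described above, added here as an illustration and not taken from the seminar. It uses the attribute names of the released ASP.NET 2.0 (the beta shown in the session may differ), and mapping the post's Cookies / URI / Automatic / Device ID to `UseCookies` / `UseUri` / `AutoDetect` / `UseDeviceProfile` is an assumption. The connection string, provider names, application name, role name and paths are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Added example. "AppDb", "AppMembership", "AppRoles", "/MyApp", the
     "Admin" role/folder and Login.aspx are hypothetical names. -->
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- cookieless: UseCookies | UseUri | AutoDetect | UseDeviceProfile.
           When the ticket travels in the URI it is visible in browser
           history, server logs and Referer headers, so keep the timeout
           short and require SSL. -->
      <forms loginUrl="~/Login.aspx" cookieless="AutoDetect"
             protection="All" requireSSL="true"
             timeout="20" slidingExpiration="true" />
    </authentication>
    <authorization>
      <deny users="?" />  <!-- anonymous users are sent to the login page -->
    </authorization>
    <membership defaultProvider="AppMembership">
      <providers>
        <!-- Store hashed passwords only; lock out after repeated failures. -->
        <add name="AppMembership" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb" applicationName="/MyApp"
             passwordFormat="Hashed" enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="true" requiresUniqueEmail="true"
             minRequiredPasswordLength="8" maxInvalidPasswordAttempts="5" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AppRoles">
      <providers>
        <add name="AppRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppDb" applicationName="/MyApp" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Role-based authorization: only members of "Admin" reach ~/Admin. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```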
For registration, change password and rest of common things for authentication information maintenance.
He did all of this right there.. yes.. in a 2-hour seminar!
These controls give many advantages over the traditional approach of writing all the code on our own. The first thing is that the code is not just reduced... it's now redundant. The second thing is that security issues (like SQL injection and all) are handled automatically, as the code is written by Microsoft ;) .
Now let's talk about the databases supported by its first version. You can guess easily (and for obvious reasons)... they are MS Access and MS SQL Server. We were advised to use MS Access just for debugging purposes, and MS SQL for real applications.
If you want to experiment with this technology, then download it from Microsoft's web site. It's available as a beta release and free of cost for testing purposes.
After many years I sat in the first row. We got a November-December MSDN India magazine. We got a good coffee and an evening snack apart from the knowledge that I have described. And of course a new experience!!
This is my first blog. Comments are invited. Visit my web site. http://www.rajput-yh.tk