I have no idea how security works in .NET, could someone explain it to me?

Hi,

I have experience developing an e-commerce website, but it was just a school project, so I have no idea how big the difference is between school projects and real-world projects. Now I am developing a real-world e-commerce website, which confuses me even more. What I would like to do is create a user area.
In classic ASP, what I need to do is write a boolean to a cookie if the user has entered the username and the password correctly, and add some script to the member pages to detect the cookie. If the login was not successful, the script redirects the end user to the login page. It all makes sense to me, except that I'm not sure what security issues I'm facing.
However, in ASP.NET, what I need to do is put the login path into the web.config file (??). How can I tell which pages can only be accessed after login and which pages can be browsed by anyone?
Tommy
0
tommychan
3/26/2004 3:26:03 PM

It's not really that difficult. First of all we have the authentication part which specifies how users should be authenticated, for example using Windows authentication or using forms authentication. The second part of the entire story is the authorization part which tells ASP.NET "what a certain user can do to what", for example, "which users can access a page, etc". This principle is based on users or roles (groups of users) and can be specified on a per-folder or per-file basis. An example:

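<configuration>
  <system.web>
    <!-- mode="Off" shows detailed error pages to every visitor -->
    <customErrors mode="Off"/>
    <!-- Forms authentication: unauthenticated requests are redirected to login.aspx -->
    <authentication mode="Forms">
      <forms name="AuthCookie" path="/" loginUrl="login.aspx" protection="All" timeout="10">
      </forms>
    </authentication>
    <!-- Deny anonymous users ("?") everywhere by default -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Override for the "unsecure" subfolder: allow everyone ("*") -->
  <location path="unsecure">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>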

This piece of code in web.config tells which page is the forms authentication page (i.e. login.aspx) and how people can access the site. Here, no unauthenticated users are allowed in the root folder, but the "unsecure" subfolder is completely open to everyone. Using the <location> tag you can override settings (for example, the <authorization> section) for files, subfolders, etc.
Bart De Smet [MVP]



Visit www.msdn.be, www.bartdesmet.net
0
bdesmet
3/27/2004 9:52:27 PM
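Added example, not part of the original reply or of ASP.NET itself: a small Python audit script that parses the web.config shown above and models how URL authorization resolves it (most specific scope first, first matching rule wins), to answer which pages need a login. It is a simplified model that ignores roles and verbs; the request paths and user name passed to it are constructed.

```python
import xml.etree.ElementTree as ET

# The web.config from the reply, embedded so the audit runs offline.
WEB_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <authentication mode="Forms">
      <forms name="AuthCookie" path="/" loginUrl="login.aspx" protection="All" timeout="10"/>
    </authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="unsecure">
    <system.web>
      <authorization><allow users="*"/></authorization>
    </system.web>
  </location>
</configuration>
"""

def load_rules(xml_text):
    """Return ({scope: [(action, users)]}, login_url); scope '' is the app root."""
    root = ET.fromstring(xml_text)
    scopes = [("", root.find("system.web"))]
    scopes += [(loc.get("path", "").strip("/").lower(), loc.find("system.web"))
               for loc in root.findall("location")]
    rules = {}
    for scope, sysweb in scopes:
        authz = sysweb.find("authorization") if sysweb is not None else None
        rules[scope] = [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
                        for r in (authz if authz is not None else [])]
    forms = root.find("system.web/authentication/forms")
    login = forms.get("loginUrl", "").strip("/").lower() if forms is not None else ""
    return rules, login

def is_allowed(rules, login, url_path, user=None):
    """Model of URL authorization; user=None is an anonymous request."""
    path = url_path.strip("/").lower()
    if login and path == login:
        return True  # forms auth exempts the login page itself
    parts = path.split("/")
    for i in range(len(parts), -1, -1):  # most specific scope first, root last
        for action, users in rules.get("/".join(parts[:i]), []):
            if "*" in users or (user is None and "?" in users) or user in users:
                return action == "allow"  # first matching rule decides
    return True  # machine-level default is <allow users="*"/>
```

Running `is_allowed` over every page path in a site, with `user=None`, lists what an anonymous visitor can reach before a deployment goes live.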