Forms authentication
Download as PPT, PDF0 likes455 views
This document discusses forms authentication in ASP.NET. It shows how to store user credentials in the web.config file and authenticate users against those credentials. It also discusses hashing passwords for secure storage in web.config, creating persistent login cookies, and issues with storing credentials directly in web.config like lack of security and poor performance.
![Store Hashed password in web.config
file
ConfigurationSectionGroup SystemWeb =
MyConfig.SectionGroups["system.web"];
AuthenticationSection AuthSec =
(AuthenticationSection)SystemWeb.Sections["auth
entication"];
AuthSec.Forms.Credentials.Users.Add(
new FormsAuthenticationUser(UsernameText.Text,
PasswordText.Text));
MyConfig.Save()](https://image.slidesharecdn.com/formsauthentication-150830134526-lva1-app6891/85/Forms-authentication-8-320.jpg)
Forms authentication
- 2. Storing Password in web.config file <authentication mode="Forms"> <!-- Detailed configuration options --> <forms name="MyCookieName" loginUrl="DbLogin.aspx" timeout="20"> <credentials passwordFormat="Clear"> <user name="Admin" password="(Admin1)"/> <user name="Mario" password="Szpuszta"/> <user name="Matthew" password="MacDonald"/> </credentials> </forms> </authentication>
- 3. Login code protected void LoginAction_Click(object sender, EventArgs e) { if (FormsAuthentication.Authenticate(UsernameTe xt.Text, PasswordText.Text)) { FormsAuthentication.RedirectFromLoginPage(User nameText.Text, false); }
- 4. Authenticate Method • Validates a user name and password against credentials stored in the configuration file for an application.
- 5. Hashing of Password • Password can not be plain text. • There are various Hashing mechanisms supported by asp.net. – MD5 – SHA1
- 6. HashPasswordForStoringInConfigFile Method • Produces a hash password suitable for storing in a configuration file based on the specified password and hash algorithm. • It takes two parameters. • The first parameter specifies the clear-text password, and the second one specifies the hash algorithm you should use.
- 7. Example • string hashedPwd = FormsAuthentication.HashPasswordForStorin gInConfigFile(clearTextPassword, "SHA1"); • The result of the method call is the hashed version of the password. This result needs to be stored in the web.config
- 8. Store Hashed password in web.config file ConfigurationSectionGroup SystemWeb = MyConfig.SectionGroups["system.web"]; AuthenticationSection AuthSec = (AuthenticationSection)SystemWeb.Sections["auth entication"]; AuthSec.Forms.Credentials.Users.Add( new FormsAuthenticationUser(UsernameText.Text, PasswordText.Text)); MyConfig.Save()
- 9. Cookieless Forms Authentication • If you don’t want the runtime to use cookies, you configure this through the cookieless attribute of the <forms /> tag in the <authentication /> section
- 10. Example <authentication mode="Forms"> <!-- Detailed configuration options --> <forms name="MyCookieName" loginUrl="DbLogin.aspx" cookieless=”AutoDetect” /> </authentication>
- 12. Cont
- 13. Is Web.config good place to store credentials ?
- 14. Problems with Web.Config • Potential lack of security. • No support for adding user-specific information. • Poor performance with a large number of users.
- 15. Persistent Cookie • Meaning of Creating Persistent cookie is that It will maintain user information across various browser sessions. • If cookie is persistent then even user closes browser and reopens it , the session would be running. • Session is killed only with use of SignOut Method.
- 16. Explicitly killing session • Persistent cookies are not affected by the timeout attribute that is set in the <forms> element of the web.config file. • If you want the persistent cookie to eventually expire sometime in the future, you have to use the GetAuthCookie() method of FormsAuthentication, set the expiry date and time
- 17. Example
- 18. Thank you