Re: Authentication Security

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 11/07/04


Date: Sat, 6 Nov 2004 22:51:56 -0500

I use 2 classes to implement IPrincipal and IIdentity.
In them you have things like IsAuthenticated and Name and Roles.
(I also add other things that are not part of the interface.)

When the user logs in you use the Login method to communicate the
credentials to your DB and verify them.
If they are successful then you store the Principal object in Session and
RedirectFromLogin.

Forms Authentication sends them an encrypted cookie.
This lets them get past the login page to the protected pages in your app.

In Global.asax you trap the AcquireRequestState event and pull your
Principal object out of Session and set the current thread to use it. This
way every page in your app has access to your custom Principal.
So at the top of each page you can write code like:
' MyUser is the custom Principal set on the current thread in AcquireRequestState
Dim MyUser As IPrincipal = System.Threading.Thread.CurrentPrincipal
If Not MyUser.IsInRole("Admin") Then
    Response.Redirect("~/")   ' Redirect to Home page
End If

HTH

PS - Rocky Lhotka's CSLA Framework explains this all in great detail.
Excellent book too.
http://www.lhotka.net/ArticleIndex.aspx?area=CSLA%20.NET

-- 
Joe Fallon
> One, I've encountered a number of examples where they hold the role 
> information for each authenticated user in the 
> AuthenticationTicket.UserData.  How secure is this?  I would be worried 
> that the user could edit the contents of the cookie (if they knew the 
> encryption key) and grant themselves more access to areas they shouldn't 
> be allowed access to?  Would it not be more secure to hold this 
> information in the Session Object?  This would also apply to their 
> LoginID.
>
> Basically I guess I'm wondering how hard is it for them to break the 
> encryption that the AuthenticationTicket undergoes.
>
> Also, what is the standard way to limit any access to an aspx page based 
> on a role?
>
> Finally how can I limit access to a file like a .pdf file through a .NET 
> role?
>
> Any help on any of these topics would be greatly appreciated.  Thanks in 
> advance.
>
> Cheers!
>
> David Kyle
>
> Web Developer
>
> www.chloemag.com
>
> dkyle@chloemag.com
>
> 
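The custom Principal and the Global.asax hook that Joe describes, written out as an added example (not code from the original post or from CSLA). The class name MyPrincipal, the Session key "Principal" and the login page path are assumptions; the example also adds the check a practitioner wants here: when the forms-authentication cookie is still valid but Session no longer holds a principal (session timeout or application restart), the user is signed out instead of running with the default identity, which is what keeps roles out of the cookie without leaving a gap.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Assumed names: MyPrincipal, the Session key "Principal" and the login page path.
' Roles are loaded from the DB at login and travel in Session, not in the cookie.
Public Class MyPrincipal
    Implements IPrincipal
    Private ReadOnly _identity As IIdentity
    Private ReadOnly _roles As String()

    Public Sub New(ByVal userName As String, ByVal roles As String())
        _identity = New GenericIdentity(userName, "Forms")
        _roles = roles
    End Sub

    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
        Get
            Return _identity
        End Get
    End Property

    Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
        Return Array.IndexOf(_roles, role) >= 0
    End Function
End Class

' Login page, after the DB has verified the credentials:
'   Session("Principal") = New MyPrincipal(userName, rolesFromDb)
'   FormsAuthentication.RedirectFromLoginPage(userName, False)

' Global.asax: runs once Session is available, before the page executes.
Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
    Dim ctx As HttpContext = HttpContext.Current
    If ctx.Session Is Nothing Then Return          ' no session state for this request
    Dim principal As MyPrincipal = Nothing
    If TypeOf ctx.Session("Principal") Is MyPrincipal Then
        principal = CType(ctx.Session("Principal"), MyPrincipal)
    End If
    If Not principal Is Nothing Then
        ctx.User = principal                        ' Page.User / Request.IsAuthenticated
        System.Threading.Thread.CurrentPrincipal = principal
    ElseIf ctx.Request.IsAuthenticated Then
        ' Cookie still valid but Session lost (timeout or app restart):
        ' sign out rather than running with the default identity.
        FormsAuthentication.SignOut()
        ctx.Response.Redirect("~/Login.aspx")
    End If
End Sub
```

With this in place a page's IsInRole check reads only what was loaded from the database at login, so editing the cookie's UserData cannot change the roles a request runs with.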

