With the release of ASP.NET 2.0, the security infrastructure is extended significantly with a higher-level model for managing users and roles, both programmatically and with built-in administrative tools. This functionality (accessible through the membership and roles APIs) builds on the security infrastructure that has been present since ASP.NET 1.0. The ASP.NET security model is a very comprehensive part of ASP.NET and deserves careful study, but if you are short on time, here is a recommendation that at least puts the essentials under control.

This is a segment from the MSDN whitepaper, written in the summer of 2005 (coinciding with the release of Visual Studio 2005). Although it is almost three years old, it cannot be regarded as outdated: its information is still a great collection of “How To’s” for building secure ASP.NET applications, and they are fully applicable to ASP.NET 3.5 applications.

I will extract only a few of the interesting items:

Protect forms authentication using SSL:

<!-- protection="All" encrypts and signs the ticket; requireSSL="true" marks the
     cookie Secure, so the login page itself must be served over HTTPS or the
     cookie is never issued; timeout is expressed in minutes, not as a TimeSpan -->
<forms loginUrl="Secure/Login.aspx"
       protection="All"
       requireSSL="true"
       timeout="30"
       slidingExpiration="true"
       name="YourAppName"
       path="/Secure" />

Prevent detailed errors from returning to the client:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

Specify a default error page:

<customErrors mode="On" defaultRedirect="ErrDefault.aspx">
    <error statusCode="401" redirect="ErrUnauthorized.aspx" />
    <error statusCode="404" redirect="ErrPageNotFound.aspx" />
    <error statusCode="500" redirect="ErrServer.htm" />
</customErrors>

Prevent cross site scripting by encoding a user’s input:

// Encode untrusted input before echoing it into HTML output
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
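As an added example (not the whitepaper's code), the same call extended to the three contexts user input commonly lands in: element text, an attribute value and a query-string parameter, each of which needs its own encoder. `SafeOutput` and `RenderGreeting` are invented names, the sample input is constructed, and the program needs a reference to System.Web.dll to run as a console application.

```csharp
using System;
using System.Web;

// Added example: choose the encoder by the HTML context the value is written into.
public static class SafeOutput
{
    // Element content: < > & " become entities, so the value cannot start a tag.
    public static string ForHtmlText(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Double-quoted attribute value: quotes and angle brackets are neutralised,
    // so the value cannot close the attribute and add another one.
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    // Query-string value: percent-encoded, so it cannot add or alter parameters.
    public static string ForUrlParameter(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted ?? string.Empty);
    }

    // Uses the same untrusted value in all three contexts with the matching encoder.
    public static string RenderGreeting(string name)
    {
        return "<p title=\"" + ForHtmlAttribute(name) + "\">Hello, "
             + ForHtmlText(name) + "! <a href=\"Profile.aspx?user="
             + ForUrlParameter(name) + "\">profile</a></p>";
    }

    public static void Main()
    {
        // Constructed sample: a value containing characters that would otherwise
        // break out of the text, attribute and URL contexts.
        string input = "Bob \"The <Builder>\" & Co";
        Console.WriteLine(RenderGreeting(input));
    }
}
```

In a page you would pass the result of `RenderGreeting` to `Response.Write` instead of printing it; the point is that one encoder does not fit every context, and the attribute and URL cases are where a plain `HtmlEncode` is commonly (and wrongly) reused.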

Perform role-based authorization in code:

if (Roles.IsUserInRole("Bob", "Manager"))
{
    // Perform restricted operation
}
else
{
    // Return unauthorized access error
}
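The whitepaper's snippet checks a hard-coded user name; in a real handler the check is made against the user of the current request, and an unauthenticated caller is treated differently from an authenticated one who lacks the role. This added example (not from the whitepaper) shows that pattern in an HTTP handler. It assumes `<roleManager enabled="true" />` is configured in web.config; `ManagerOnlyHandler` and `ApproveExpense` are invented names.

```csharp
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;

// Added example: role-based authorization against the current request's user.
public class ManagerOnlyHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Not logged in at all: answer 401 so the forms authentication module
        // redirects the caller to the configured loginUrl.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Logged in but not a Manager: refuse with 403 and stop processing.
        // The single-argument overload checks the user of the current request.
        if (!Roles.IsUserInRole("Manager"))
        {
            context.Response.StatusCode = 403;
            context.Response.Write("Access denied.");
            return;
        }

        ApproveExpense(context);
    }

    // Declarative check as a second line of defence: the runtime throws
    // SecurityException if Thread.CurrentPrincipal is not in the Manager role,
    // even if some future caller forgets the check above.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    private static void ApproveExpense(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write("Restricted operation performed for "
                               + context.User.Identity.Name);
    }
}
```

Register the handler in `<httpHandlers>` (or `<handlers>` on IIS 7) for the path you want to protect. The imperative check gives a controlled error response; the `PrincipalPermission` demand ensures the restricted method cannot be reached without the role regardless of how it is invoked.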

Protect against SQL injection using:
- constrained input
- parameters with stored procedures and with dynamic SQL
- a least-privileged database account
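The three measures in the list applied to one lookup, as an added example that is not the whitepaper's code. The `Customers` table, its `LastName` and `Email` columns, the `dbo.GetCustomerEmails` procedure and the `shop_reader` login are assumptions, and the connection string is a placeholder. Everything except `FindEmails` runs without a database.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example: constrained input, parameters, and a least-privileged account.
public static class CustomerLookup
{
    // 1. Constrained input: an allow-list of the characters and length a last
    //    name may have. Anything else is rejected before it gets near SQL.
    private static readonly Regex LastNameShape = new Regex(@"^[A-Za-z' \-]{1,40}$");

    public static bool IsValidLastName(string candidate)
    {
        return candidate != null && LastNameShape.IsMatch(candidate);
    }

    // Kept only for contrast: the value becomes part of the statement text, so
    // even a legitimate apostrophe breaks the query, and hostile input could
    // change its meaning. Do not use.
    public static string ConcatenatedQuery(string lastName)
    {
        return "SELECT Email FROM Customers WHERE LastName = '" + lastName + "'";
    }

    // 2a. Parameters with dynamic SQL: the value travels as typed data and is
    //     never parsed as SQL, whatever characters it contains.
    public static SqlCommand ParameterisedQuery(SqlConnection conn, string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name has an unexpected shape.", "lastName");

        SqlCommand cmd = new SqlCommand(
            "SELECT Email FROM Customers WHERE LastName = @LastName", conn);
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 40).Value = lastName;
        return cmd;
    }

    // 2b. Parameters with a stored procedure (dbo.GetCustomerEmails is assumed).
    public static SqlCommand StoredProcedureCall(SqlConnection conn, string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name has an unexpected shape.", "lastName");

        SqlCommand cmd = new SqlCommand("dbo.GetCustomerEmails", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 40).Value = lastName;
        return cmd;
    }

    // Executes the parameterised query; needs a reachable SQL Server.
    public static List<string> FindEmails(string connectionString, string lastName)
    {
        List<string> emails = new List<string>();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = ParameterisedQuery(conn, lastName))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    emails.Add(reader.GetString(0));
            }
        }
        return emails;
    }

    public static void Main()
    {
        // 3. Least-privileged account: shop_reader is assumed to hold only SELECT
        //    on Customers and EXECUTE on the procedure, not db_owner. The password
        //    is a placeholder, not a real credential.
        string connectionString =
            "Server=(local);Database=Shop;User Id=shop_reader;Password=<placeholder>;";

        // Constructed inputs: a name with an apostrophe, and one the allow-list rejects.
        foreach (string sample in new[] { "O'Brien", "Sm1th_42" })
            Console.WriteLine("{0} -> valid: {1}", sample, IsValidLastName(sample));

        // The concatenated form mishandles the apostrophe; the parameterised form
        // keeps the statement fixed and carries the value separately.
        Console.WriteLine(ConcatenatedQuery("O'Brien"));
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = ParameterisedQuery(conn, "O'Brien"))
            Console.WriteLine("{0}  [@LastName = {1}]", cmd.CommandText, cmd.Parameters[0].Value);
    }
}
```

Note that the allow-list and the parameter are complementary, not alternatives: the parameter makes the statement structure immune to the value, and the allow-list keeps unexpected data out of the application logic that runs before and after the query.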

And many more great samples.