Website Security

ISYS 512

Authentication

• Authentication is the process that determines the identity of a user.

Forms Authentication• Use username and password to

authenticate user. • Once the Forms authentication is enabled,

pages cannot be accessed unless the user has the proper authentication. Without authentication, user is redirected to a login page.

• If authenticated, an Authentication Ticket is issued in the form of a cookie and user is redirected back to the requested page.

Forms Authentication Ticket

• After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.

Forms Authentication Flow

User

Authenticated? Login Page

No, redirect to

Website

Yes

Authenticated?

No, redirect to

Yes, write Authentication Ticket as cookie

Yes

Enabling Forms Authentication• Set the authentication mode for the application

by modifying the authentication section in the application root web.config file:

<authentication mode="Forms">

• Deny access to anonymous users by modifying the authentication section in the web.config file:<authorization>

<deny users="?" />

</authorization>

• Create a login page that enables users to enter their usernames and passwords.

• If authenticated, an authorization ticket is issued in the form of a cookie.

Example of Web.configure File

<configuration>

<system.web> <authorization> <deny users="?"/> </authorization> <authentication mode="Forms"> <forms loginUrl="Login.aspx" /> </authentication> </system.web>

</configuration>

FormsAuthentication Class

• Must import System.Web.Security namespace.– using System.Web.Security;

• Methods:– RedirectFromLoginPage(String, boolean)

• Redirect user back to the page that sent the user to the login page, and write a cookie named .ASPXAUTH containing an Authentication Ticket.

– SignOut• Removes the forms-authentication ticket from the browser.

– RedirectToLoginPage()• Redirects the browser to the login URL.

Assuming user names and password are stored in a table

• Database table name: users

• Fields:– UserID, varchar(10)– Password, varchar(20)– Email, varchar(20)

Login Control• Category Login/Login

• Properties:– UserName– Password

• Event:– Login1_Authenticate

Must Turn Off UnobtrusiveValidationMode:(It simply means we do Not Using jQuery)

protected void Page_Load(object sender, EventArgs e) { Page.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None; }

Code Example: User name and password are stored in a database table

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1"; SqlConnection objConn = new SqlConnection(strConn); String strSQL = "select * from users where userID='" + Login1.UserName + "'"; SqlCommand objComm = new SqlCommand(strSQL, objConn); objConn.Open(); SqlDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.Read()) { if (Login1.Password == myReader["Password"].ToString()) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true); else Response.Write("Invalid password, Access denied"); } else Response.Write("User not exist"); objConn.Close(); }

SignOut Demo• using System.Web.Security;

• A signOut page with a button to SignOut; Then redirect to the home page and trigger the authentication again.

protected void Button1_Click(object sender, EventArgs e) {

FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); }

SQL Injection Demo

• On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data.

• 1. Retrieve all records:In the textbox, enter:' OR 1=1 OR CID = '

2. Guess table name or field name:' AND 1=(SELECT COUNT(*) FROM Orders) AND CID='

3. Finding some users:' or cname like 'S%' or cid=‘

Demo protected void Button1_Click(object sender, EventArgs e) { string strConn = "Data Source=rkoq6ngwva.database.windows.net;Initial Catalog=CustomerOrders;Persist Security Info=True;User ID=dchaoDB;Password=dchao_Azure1"; SqlConnection objConn = new SqlConnection(strConn); String strSQL = "select * from customer where cid='" + TextBox1.Text + "'"; SqlCommand objComm = new SqlCommand(strSQL, objConn); objConn.Open(); SqlDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.HasRows) { GridView1.DataSource = myReader; GridView1.DataBind(); } else Response.Write("User not exist"); objConn.Close(); }