Safe Mode for ASP.NET

Depending on the type of resource being requested, IIS may or may not handle the request itself. If the request is for an ASP.NET page, IIS passes it to ASP.NET together with the security token of the authenticated user (or of the anonymous user), and what happens next depends on the ASP.NET configuration.

The four authentication modes supported by ASP.NET:

Windows: IIS authentication; useful in intranet environments.
Passport: Microsoft's centralized authentication service; one login gives access to all member sites, and it requires a fee.
Forms: form-based authentication that verifies an account and password; the best and most popular method for web applications.
None: ASP.NET itself performs no authentication at all and relies entirely on IIS authentication.

Authentication and Authorization:

Authentication is the process of determining the identity of a user. Once the user is authenticated, the developer can determine whether that user is authorized to proceed; authorization is not possible without authentication.

Authorization is the determination of whether an authenticated user may access a certain part or point of an application, or only a specific set of data the application provides.

Authorization process:

The main attributes of the <forms> element:

name: The name of the cookie used to keep track of the user between requests. The default value is .ASPXAUTH.

loginUrl: The URL to which the request is redirected when no valid authentication cookie is found.

protection: The level of protection applied to the authentication cookie. It has four settings:
                  All: Both data validation and encryption protect the cookie. This is the default setting.
                  None: The cookie is neither encrypted nor validated.
                  Encryption: The cookie is encrypted but not validated.
                  Validation: The cookie is validated but not encrypted.

path: The path for which the cookie is issued. In most cases / is used, which is the default.

timeout: The time, in minutes, after which the cookie expires. The default value is 30 minutes.

cookieless: Whether forms authentication uses cookies during the authentication and authorization process.

defaultUrl: The default URL to redirect to after login.

domain: The domain set on the forms authentication cookie.

Password formats (the passwordFormat attribute of <credentials>):

Clear: The password is stored as clear text, and the user's password is compared directly with this value.

MD5: The password is stored as an MD5 hash digest. The submitted password is hashed with MD5 and compared with the stored value for equality. This algorithm performs better than SHA1.

SHA1: The password is stored as a SHA1 hash digest. When the credentials are verified, the submitted password is hashed with SHA1 and compared with the stored value for equality. This is the most secure of the three formats.

Configuring <authorization> to authorize users:

The <authorization> configuration section is used to authorize users. Two rules apply when the rules are evaluated:

First, rules in configuration files at lower (more specific) directory levels take precedence over rules at higher directory levels.

Second, for the combined set of rules that applies to a given URL, the system starts at the top of the list and checks each rule in turn until the first match is found.

<authorization> configuration:

deny: denies the user access

allow: grants the user access

?: represents anonymous users

*: represents all users

Separate multiple users with commas (",").

A small example:

Web.config authentication configuration block:

        <!--
            The <authentication> section configures the security
            authentication mode that ASP.NET uses to identify
            the visiting user.
        -->
        <!--<authentication mode="Windows" />-->
        <authentication mode="Forms">
          <forms loginUrl="logde.aspx" defaultUrl="Default.aspx">
            <credentials passwordFormat="Clear">
              <user name="admin" password="admin"/>
              <user name="user" password="123456"/>
            </credentials>
          </forms>
        </authentication>

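The Web.config above stores both passwords in Clear and defines no <authorization> section. The following added example (not from the original post) shows the same two accounts with passwordFormat="SHA1" together with an <authorization> section that exercises both evaluation rules described earlier; the digests are the SHA1 hashes of the page's sample passwords in the upper-case hex form that HashPasswordForStoringInConfigFile emits, and the file name admin.aspx for the admin page is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Passwords stored as SHA1 digests instead of passwordFormat="Clear".
         The values are SHA1("admin") and SHA1("123456"), the sample
         passwords from the page, as HashPasswordForStoringInConfigFile
         prints them. -->
    <authentication mode="Forms">
      <forms loginUrl="logde.aspx" defaultUrl="Default.aspx"
             name=".ASPXAUTH" protection="All" timeout="30" path="/">
        <credentials passwordFormat="SHA1">
          <user name="admin" password="D033E22AE348AEB5660FC2140AEC35850C4DA997"/>
          <user name="user"  password="7C4A8D09CA3762AF61E59520943DC26494F8941B"/>
        </credentials>
      </forms>
    </authentication>

    <!-- Site-wide rules, evaluated top-down, first match wins:
         anonymous users (?) match the deny and are redirected to loginUrl;
         every authenticated user then matches the allow.
         Written in the opposite order, allow users="*" would match first
         and the deny would never be reached. -->
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>

  <!-- Rules for a more specific path take precedence over the site-wide
       rules above (file name admin.aspx is assumed). Only "admin" may open
       the page; the "user" account is authenticated but still denied by
       the second rule. -->
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <allow users="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

The digests in <credentials> are unsalted, so SHA1 is the strongest format this element offers, not a substitute for a salted, iterated password-hashing scheme.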
Login page code block:
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <br />
        <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox>
        <br />
        <asp:Button ID="Button1" runat="server" Text="登录" onclick="Button1_Click" />
    </div>
    </form>

Login page code-behind block:

        // Requires: using System.Web.Security;
        protected void Button1_Click(object sender, EventArgs e)
        {
            string name = TextBox1.Text;
            string password = TextBox2.Text;

            // Hard-coded check, kept commented out: only the account admin
            // with password admin could log in.
            //if (name == "admin" && password == "admin")
            //{
            //    FormsAuthentication.RedirectFromLoginPage(name, false);
            //}

            // Check the submitted name and password against the <credentials>
            // list in Web.config, using the configured passwordFormat.
            if (FormsAuthentication.Authenticate(name, password))
            {
                // Outputs the MD5 digest of "admin" for use with passwordFormat="MD5":
                //Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile("admin", "MD5"));

                // Issue the (non-persistent) authentication cookie and redirect
                // to the originally requested page or to defaultUrl.
                FormsAuthentication.RedirectFromLoginPage(name, false);
            }
        }

Home page code block:

    <form id="form1" runat="server">
    <div>
    front page
    </div>
    </form>

Default page code block:

    <form id="form1" runat="server">
    <div>
    Default interface
    </div>
    </form>

Admin page code block:

    <form id="form1" runat="server">
    <div>
     admin page
    </div>
    </form>
