In this post (which is the 100th one in the life of the blog), we’ll review three important security-related settings that you can define in your application’s web.config file, namely: authentication, authorization and impersonation. You’ll find a very thorough article about the topic here.
First a little terminology: authentication is the process of identifying a user; authorization is the process of checking that user's rights. A common example: when you check in for a flight, you show your ID, passport, etc. to identify yourself. Then you show your ticket for the given plane, to show that you are authorized to be there. It's that simple. Impersonation is the process of taking on someone else's identity, which in real life is a bad, bad thing (in ASP.NET it means running a request under the authenticated user's Windows account instead of the worker-process account). So much for terminology.
There are a few authentication types in ASP.NET. Windows authentication uses the Kerberos protocol (or NTLM) to identify the caller. Let's consider using it with and without impersonation. You'd use Windows authentication with impersonation when:
There are four types of authentication in ASP.NET:
- Windows authentication
- Forms authentication (used by the membership API)
- Passport authentication (mostly obsolete, consider Windows Live instead)
- Anonymous access
Forms Authentication is a token-based auth method. After login, the user gets an encrypted cookie with the login information. This token can also be stored in the query string, but more on that later. The process is simple:
- The client makes a request.
- IIS (if configured properly for Forms Authentication) passes the request to ASP.NET.
- ASP.NET checks for an authentication cookie (or equivalent info). If it is found, proceed to step 7.
- Redirects the user to the login page (default Login.aspx in machine.config).
- The user enters credentials and ASP.NET authenticates them. If authentication fails, access is denied.
- If authentication succeeds, a cookie will be attached.
- ASP.NET tests the authorization settings and the current user.
- If this check fails, access is denied; otherwise access is granted.
Pros of using Forms Authentication:
- Full control over the authentication code, via Membership API.
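As an added example (not the author's own configuration), here is a constructed web.config fragment that wires the three settings together for the Forms flow described above, with the weaker alternatives noted in comments; the login page path and timeout value are assumptions.

```xml
<!-- Constructed web.config fragment (added example, not from the original post). -->
<configuration>
  <!-- Login.aspx must stay reachable by anonymous users, otherwise the
       redirect in step 4 of the flow loops back to the login page forever. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.web>
    <!-- Authentication: who the caller is. -->
    <authentication mode="Forms">
      <!-- Weak choice: cookieless="UseUri" carries the ticket in the query
           string, so it ends up in server logs, browser history and Referer
           headers. Hardened: keep the ticket in a cookie that is only sent
           over HTTPS, encrypted and signed ("All"), with a fixed lifetime. -->
      <forms loginUrl="~/Login.aspx"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <!-- Authorization: what the caller may do. Rules are evaluated top-down;
         "?" is the anonymous user, "*" is everyone. Denying "?" first forces
         every other page through the login flow. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Impersonation: with Windows authentication, impersonate="true" runs
         each request as the caller's Windows account instead of the
         worker-process account. With Forms there is no caller Windows
         identity to take on, so it is left off here. -->
    <identity impersonate="false" />

    <!-- Mark cookies HttpOnly so page script cannot read the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```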