How to implement Security in ASP.NET Web Application
Security is a very important area of configuration for ASP.NET. The tags provided in this section enable you to configure several aspects of ASP.NET security including encryption and authentication. When planning any application, you should always keep security in mind and make sure that all aspects of your application are as secure as possible. These tags, when configured properly, can assist in reaching the goal of a secure application.
Authenticating Users Using the <authentication> Tag
Authentication refers to the portion of ASP.NET that verifies that the users accessing your application are indeed who they say they are. It should be used to verify the identity of your users both for security reasons and for personalization of the application. The mode attribute specifies the type of authentication to use.
Mode Attributes Options:
Windows: It specifies the Windows/IIS authentication mode.
Forms: It specifies an ASP.NET forms-based authentication mode.
Passport: It specifies the use of Microsoft Passport authentication mode.
None: No authentication is specified. This should only be used for applications based on anonymous access or for applications designed with their own authentication scheme.
The tag also supports two subtags. The <forms> tag is used to specify configuration information for ASP.NET's forms-based authentication mode.
Forms Subtag Attributes:
It enables you to specify a cookie name to use for authentication. ASP.NET defaults to
loginUrl: If the specified cookie is not found, the user will be redirected to the URL specified in this attribute to log in. ASP.NET defaults to
protection: The All option specifies that the application uses both validation and encryption to protect the authentication cookie; this is the default value. The None option specifies that neither validation nor encryption is used, so the cookie is not secure. It should only be used when there are no security requirements and the authentication features are used purely for personalization.
timeout: It enables you to specify the maximum length of time for which the authentication cookie remains valid. This value is in seconds and the default is 30.
path: It enables you to specify the path for cookies used by your application. The default path is /.
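The two web.config fragments below are an added example, not code from the original article. They tie together the mode attribute of the <authentication> tag and the <forms> subtag attributes described above, showing an insecure configuration beside a hardened one. The cookie name "MyAppAuth" and the login page path are assumed values; the requireSSL attribute and the nested <authorization> element are real ASP.NET configuration not covered by the article, included because without an authorization rule that denies anonymous users, unauthenticated requests are never redirected to loginUrl.

```xml
<!-- Added example (not from the original article): two alternative web.config fragments.
     Only one of them would appear in a real web.config. -->

<!-- WEAK: protection="None" writes the authentication ticket to the cookie without
     validation or encryption, so anyone who obtains the cookie can read or alter it. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyAppAuth"
             loginUrl="~/Account/Login.aspx"
             protection="None"
             timeout="30"
             path="/" />
    </authentication>
  </system.web>
</configuration>

<!-- HARDENED: the same application with the protections the article describes enabled. -->
<configuration>
  <system.web>
    <!-- mode="Forms": ASP.NET forms-based authentication (one of Windows, Forms, Passport, None). -->
    <authentication mode="Forms">
      <!-- name:       cookie name (assumed value "MyAppAuth")
           loginUrl:   where to send a request that carries no valid cookie (assumed page)
           protection: "All" validates and encrypts the ticket; this is the default, but
                       stating it explicitly guards against an accidental "None"
           timeout:    lifetime of the ticket; the forms element interprets this value in
                       minutes, and 30 is the default
           path:       cookie path, "/" covers the whole site
           requireSSL: not covered by the article; the browser only sends the cookie over HTTPS -->
      <forms name="MyAppAuth"
             loginUrl="~/Account/Login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true" />
    </authentication>
    <!-- Not covered by the article: deny anonymous users ("?") so that requests without a
         valid ticket are redirected to loginUrl instead of being served. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

When reviewing an existing application, the quickest check is to grep web.config for a <forms> element with protection="None" or with no <authorization> rule denying "?"; either means the authentication tag is configured but not actually protecting anything.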