ASP.Net Security

The security of an ASP.Net page revolves around two things:

Authentication: The process of determining the identity of the requesting individual is called authentication. The user must provide the site with the credentials, usually the name and password, in order to be authenticated.

Authorization: Once the request is authenticated, it must be determined whether that identity can access the given resource or not. This process is known as authorization.

Types of Authentication

  1. Forms
  2. Windows
  3. Passport

Forms Authentication

First of all make sure web.config file is in the root folder; if not, add it to the root folder. Then add the following to the web.config file.

<system.web>
<authentication mode="Forms">
<forms name="__AUTHCOOKIE" defaultUrl="~/" loginUrl="~/LoginForm.aspx">
<credentials passwordFormat ="Clear">
<user name ="Andrew" password ="and01"/>
<user name ="Sarah" password ="sar01"/>
</credentials>
</forms>
</authentication>
</system.web>

Now, add a new folder to the site, say, “Secured”, and add a second “web.config” file inside that folder. Then edit the web.config in the Secured folder as follows:

<system.web>
<authorization>
<!-- All anonymous users ("?") and the user "user_not_welcome" are denied access -->
<deny users="?,user_not_welcome"/>
<!-- Everyone else (all authenticated users) is allowed. Rules are evaluated top-down and the first match wins, so the deny rule must come before the allow rule. -->
<allow users="*"/>
</authorization>
</system.web>

Now, no web form in the “Secured” folder is accessible to any anonymous User. If anyone tries to access a page in the Secured folder by typing in the page name in the address bar, he or she will be redirected to a login page to show credentials.

The next step is the implementation of the login page so that users can provide their credentials to access the pages in the Secured folder.

<asp:Label runat="server" ID="lblError" ForeColor="Red" />
User Name: <asp:TextBox ID="txtLogin" runat="server"></asp:TextBox>
Password: <asp:TextBox ID="txtPassword" runat="server" TextMode="Password"></asp:TextBox><br /> <asp:Button ID="btnLogin" runat="server" Text="Login" />
<asp:CheckBox ID="chkRememberMe" runat="server" Text="Remember Me" />

Now, add the following code to the Click event handler of the btnLogin button:

protected void btnLogin_Click(object sender, EventArgs e)
{
string usn = txtLogin.Text;
string pwd = txtPassword.Text;
// Verify the username/password against the <credentials> section of web.config
if (FormsAuthentication.Authenticate(usn, pwd))
{
// Issues the authentication cookie and redirects to ReturnUrl (or defaultUrl if none)
FormsAuthentication.RedirectFromLoginPage(usn, chkRememberMe.Checked);
/* Equivalent manual version:
FormsAuthentication.SetAuthCookie(usn, chkRememberMe.Checked);
string returl = Request.QueryString["ReturnUrl"];
if (returl == null)
//The user has directly come to the login page.
Response.Redirect(FormsAuthentication.DefaultUrl);
else
//ReturnUrl comes from the query string, so it should be checked to be a local path before redirecting.
Response.Redirect(returl); */
}
else
lblError.Text = "Invalid Login or Password";
}

Add a UserDetails page to the Secured folder and add a Logout button to the page. Since this page is in the Secured folder, it is only accessible after providing credentials through the Login page. The remaining task is the implementation of the logout process.

Add a Logout LinkButton (lbtnLogout) to UserDetails.aspx and handle its Click event:

protected void lbtnLogout_Click(object sender, EventArgs e)
{
//Removes the forms authentication ticket by writing the cookie back with an expired date
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}

In the context of what we learned so far, the following scenarios are possible:

  • If the request from a user includes the authentication cookie (“__AUTHCOOKIE”), then ASP.NET treats the user as authenticated; otherwise, the user is treated as Anonymous.
  • If anonymous users are denied access - based on the entry deny users="?" in the web.config file - and the request is not authenticated, then ASP.Net redirects the user to the login page.
  • If a user comes directly to the Login page and provides valid credentials - username and password - then the user is redirected to the default url - default.aspx.
  • If an anonymous user tries to visit a secured page, the user is redirected to the login page and the url of the requested secured page is appended as the query string parameter "ReturnUrl" to the url of the Login page.
  • If a user is neither authenticated nor authorized, the individual is redirected to the Login page.
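The first scenario in practice, as an added example that is not part of the original article: code-behind for UserDetails.aspx that inspects the forms-authentication ticket carried by the __AUTHCOOKIE cookie. It assumes two labels, lblUser and lblTicket, exist on the page (hypothetical names).

```csharp
// Added example: inspect the forms-authentication ticket on a page inside Secured/.
// Assumes lblUser and lblTicket labels exist on UserDetails.aspx (hypothetical names).
using System;
using System.Web.Security;
using System.Web.UI;

public partial class UserDetails : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The request carried a valid auth cookie, so IsAuthenticated is true.
        // Because this page sits under Secured/ (deny users="?"), an anonymous request
        // never reaches here; the check is kept as defence in depth.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        lblUser.Text = "Logged in as: " + User.Identity.Name;

        // With forms authentication the identity is a FormsIdentity wrapping the ticket
        // that was decrypted from the __AUTHCOOKIE cookie.
        FormsIdentity identity = User.Identity as FormsIdentity;
        if (identity != null)
        {
            FormsAuthenticationTicket ticket = identity.Ticket;
            // IsPersistent reflects the "Remember Me" checkbox passed to RedirectFromLoginPage.
            lblTicket.Text = string.Format(
                "Issued {0:u}, expires {1:u}, persistent (Remember Me): {2}",
                ticket.IssueDate, ticket.Expiration, ticket.IsPersistent);
        }
    }
}
```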

In order to protect the passwords in the web.config file, they can be stored as SHA1 hashes instead of clear text by changing the credentials line in web.config as follows (the password attribute of each user element must then contain the hash, not the password itself):
<credentials passwordFormat ="SHA1">

Both SHA1 - Secure Hash Algorithm, 160 bit - and MD5 - Message Digest, 128 bit - are supported as password formats.
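Producing the values that go into the user elements, as an added example that is not part of the original article. It uses the real FormsAuthentication.HashPasswordForStoringInConfigFile method from System.Web.dll (.NET Framework; marked obsolete in later releases) and shows the equivalent manual computation beside it; the usernames and passwords are the constructed ones from the article's credentials block.

```csharp
// Added example: generate the hashed password value for <user name="..." password="..."/>
// when passwordFormat="SHA1" or "MD5". Assumes .NET Framework with System.Web referenced.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

class HashForConfig
{
    // Manual equivalent of HashPasswordForStoringInConfigFile:
    // upper-case hex digest of the UTF-8 bytes of the password.
    static string Hash(string password, string format)
    {
        using (HashAlgorithm algo = format == "SHA1" ? (HashAlgorithm)SHA1.Create() : MD5.Create())
        {
            byte[] digest = algo.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    static void Main()
    {
        // Constructed sample credentials matching the article's <credentials> block.
        string[][] users = { new[] { "Andrew", "and01" }, new[] { "Sarah", "sar01" } };
        foreach (string[] u in users)
        {
            string viaFramework = FormsAuthentication.HashPasswordForStoringInConfigFile(u[1], "SHA1");
            string viaManual = Hash(u[1], "SHA1");
            // Paste the printed line into web.config in place of the clear-text user element.
            Console.WriteLine("<user name=\"{0}\" password=\"{1}\"/>", u[0], viaFramework);
            Console.WriteLine("  manual computation matches: {0}", viaFramework == viaManual);
        }
    }
}
```

FormsAuthentication.Authenticate hashes the submitted password with the configured format and compares it to the stored value, so the login code above works unchanged after switching formats.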

Windows Authentication

There are two types of Windows authentication, both implemented using Windows accounts. In fact, it is IIS - Internet Information Services - that does the authentication and then passes the credentials on to ASP.Net.

  1. Basic Authentication
  2. Integrated Windows Authentication.

Basic Authentication: In Basic authentication, the username and password are submitted as plain text unless HTTPS is used. It works with all web browsers.

Integrated Authentication: In Integrated Windows authentication the username and password are encrypted on the client and submitted to the server. It works only in Internet Explorer, though.

In the web.config file that resides in the root directory, add the following lines or amend them as follows:

<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>

Windows Authentication is good only for Intranet applications, because for every identity supported on the server a login has to be created on the domain of the web server.

Passport Authentication

The Passport authentication provider is implemented by the use of a centralized authentication service, provided by Microsoft, that offers a single logon and core profile services for member sites. In fact, Passport is a forms-based authentication service. When member sites register with Passport, the Passport service grants a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between the member site and the Passport logon server. The website owner must be prepared to pay a fee to Microsoft for this service. As the first step of implementation, the web.config file must be amended as follows:

<system.web>
<authentication mode="Passport" />
</system.web>

Microsoft provides this service through this site.