ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources
I usually try and spend at least an hour or two each night hanging out on the ASP.NET Forums answering questions. The last week or so I’ve been spending a lot of time in the Security Forum answering a lot of “how to” questions about some of the new features in ASP.NET 2.0 (in particular the new ASP.NET 2.0 Membership, Role Management and Login Controls) and pointing people at resources and samples around the web about them. What I thought I’d try and do with this post is consolidate a lot of pointers to different ASP.NET 2.0 security resources in one place.
Getting Started with ASP.NET 2.0 Membership, Roles and Forms Authentication Video
If you haven’t watched this great online video yet you absolutely should. It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership Credential Store + Role Based Security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:passwordrecovery> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user. The video shows how to do all of this from scratch in only 17 minutes. You can watch it here. You can also find other great ASP.NET “how to” videos here.
ASP.NET 2.0 Membership and Role Management Overview Articles
Here are a few good tutorial articles that provide a good conceptual overview of how the new membership and role management system works.
Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)
Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)
Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)
Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 4)
MSDN: Explained: Forms Authentication in ASP.NET 2.0
MSDN: Explained: Windows Authentication in ASP.NET 2.0
Scott Allen’s: Membership Providers (Part 1)
Scott Allen’s: Role Providers (Part 2)
ASP.NET 2.0 Security, Membership and Role Management Book
Stefan Schackow is the ASP.NET Team technical expert and feature-owner for a lot of the core sub-systems in ASP.NET, and he owned the security, membership and role management features for ASP.NET 2.0. He has recently published an awesome book on ASP.NET Security, Membership and Roles that you can buy for $26 on Amazon here.
You can read two big recommendations of it from ASP.NET MVPs here: Dave Sussman and Christoph Wille. I highly recommend getting a copy.
Setting up Membership + Roles on a SQL 2000 or SQL 2005 Server
By default ASP.NET 2.0 auto-creates and uses a SQL Express database to store Membership, Roles and Profile data. If you want to instead use a SQL 2000 or SQL 2005 database, you can easily learn how to configure it using this blog post of mine.
Don't forget to always set the "applicationName" attribute when configuring ASP.NET Membership, Roles, Profile and other providers.
One common thing people forget to do when registering membership and other providers is to configure the "applicationName" attribute on the provider declaration. If it is left unset, logins can stop working when you copy an application to another machine, because the provider falls back to a per-deployment default name and no longer finds the existing users. This blog post covers this scenario in more detail and explains how to fix it.
Custom Membership and Roles Providers
ASP.NET 2.0 ships with built-in SQL Server, SQL Express and Active Directory Membership and Role Providers. The source code for these built-in providers can now be downloaded from here.
The nice thing about the system is that it is entirely extensible, which means you can create and configure your own custom credential/role stores into the system as well (either using the source code from the built-in providers, or just by extending the provider contract).
The ASP.NET Provider Toolkit Site provides tons of content on how to create and build your own providers (including Membership and Role Providers). It also has a link to a fully functional Membership and Role Provider that works with Access databases. This article also discusses how to build your own Membership Provider, and can be a useful guide to integrating the membership APIs with your own existing database.
Here is a list of other free custom Membership and Roles providers (with complete source code) that I know of on the web:
- Oracle Support for ASP.NET Membership, Roles and Personalization (note: this is included in the PetShop sample)
Storing Custom Properties about a User during Registration
One very common question I see asked a lot is how to store custom properties about a new user as they register on the system (example: zip code, gender, etc). The good news is that it is easy to do this with the new ASP.NET Profile System and the built-in <asp:createuserwizard> control.
I have a sample here that shows how to build a registration system for a site with Membership, Login, Registration, Password Recovery, Change Password, Custom Properties and Roles support – all in 24 lines of code. If you want, you can combine this with the new SQLTableProvider for the Profile system for greater control over your profile database schema. You can learn about that in my blog post here.
Remote Server Administration Tool Management of Membership/Roles
The built-in Web Administration Tool with Visual Web Developer and VS 2005 makes it easy to manage the users and roles for a local ASP.NET application. One common question I get asked is how to manage these users/roles against a remote server (for example: an application running on a remote hoster). This blog post of mine points to two different solutions you can use to enable this.
How to Share Forms-Authentication Between ASP.NET V1.1 and ASP.NET V2.0 Apps
One common question I’ve seen is whether it is possible to share membership and forms-authentication across multiple applications. The good news is that this is definitely possible. Even better, it is possible to do this across V1.1 and V2.0 applications. This blog post of mine discusses how to do this.
How to encrypt connection strings and web.config file settings
ASP.NET 2.0 now allows you to encrypt all configuration settings within the web.config file. This article walks through how to easily do this to secure private data and configuration.
Forms Authentication Timeout Change
One change between ASP.NET V1.1 and V2.0 was the default timeout value of forms-auth cookies that are issued. By default out of the box, ASP.NET 2.0 will time out authentication cookies after 30 minutes of inactivity by the browser user (requiring the user to log in on the next visit to the site). You can learn more about this, and how to change the timeout to your preferred duration setting, in my blog post here.
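Both the "applicationName" point from the provider section above and the forms-authentication timeout are web.config settings. The following is an added example of my own (not from the original post or any of the linked articles) of a web.config that sets both explicitly against a SQL Server database; the names MyApp, MembershipDb and the server SQL01 are assumptions.

```xml
<!-- web.config for ASP.NET 2.0: an added example, not from the original post.
     "MyApp", "MembershipDb" and the SQL01 server name are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Assumed SQL 2005 database prepared with aspnet_regsql.exe -->
    <add name="MembershipDb" providerName="System.Data.SqlClient"
         connectionString="Server=SQL01;Database=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth: timeout is the idle minutes before the user must log in again
         (30 is the 2.0 default, set here explicitly); protection="All" encrypts
         and MACs the ticket, requireSSL keeps the cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" slidingExpiration="true"
             protection="All" requireSSL="true" />
    </authentication>
    <!-- Membership: <clear/> drops the inherited SQL Express provider; the explicit
         applicationName keeps users findable after the site is copied to another
         machine or virtual directory (the default is the virtual path). -->
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <add name="SqlMembership" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" applicationName="/MyApp"
             passwordFormat="Hashed" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true" minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Roles: must use the same applicationName as the membership provider, or
         role lookups will not see the users it just authenticated. -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" applicationName="/MyApp" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

If you copy this application to a second machine, the same applicationName value on both providers is what lets the copied site see the users and roles already stored in the shared database.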
Great ASP.NET Security Blog
Dominick maintains a great Security blog at: http://www.leastprivilege.com that I'd recommend subscribing to. He continually posts good information on building more secure apps and on how to take advantage of ASP.NET features.
Building Secure ASP.NET Applications Guide
The Microsoft PAG (Prescriptive Architecture Guidance) Team has published a great book online about ASP.NET Security Best Practices. It is focused on ASP.NET V1.0 – but the core concepts still apply. You can read it here. You can also then find some good tutorial scenarios here.
ASP.NET 2.0 Security How-To Listing
MSDN has a priceless set of ASP.NET Security How-To Articles now published. Below is a listing with links to some of them:
ASP.NET 2.0
· How To: Configure the Machine Key in ASP.NET 2.0
· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Create a Service Account for an ASP.NET 2.0 Application
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
· How To: Instrument ASP.NET 2.0 Applications for Security
· How To: Improve Security When Hosting Multiple Applications in ASP.NET 2.0
· How To: Perform a Security Deployment Review for ASP.NET 2.0
· How To: Prevent Cross-Site Scripting in ASP.NET
· How To: Protect Forms Authentication in ASP.NET 2.0
· How To: Protect From Injection Attacks in ASP.NET
· How To: Protect From SQL Injection in ASP.NET
· How To: Use ADAM for Roles in ASP.NET 2.0
· How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
· How To: Use Code Access Security in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use Health Monitoring in ASP.NET 2.0
· How To: Use Impersonation and Delegation in ASP.NET 2.0
· How To: Use Medium Trust in ASP.NET 2.0
· How To: Use Membership in ASP.NET 2.0
· How To: Use the Network Service Account to Access Resources in ASP.NET
· How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
· How To: Use Regular Expressions to Constrain Input in ASP.NET
· How To: Use Role Manager in ASP.NET 2.0
· How To: Use Windows Authentication in ASP.NET 2.0
Authentication and Authorization
· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Create GenericPrincipal Objects with Forms Authentication
· How To: Protect Forms Authentication in ASP.NET 2.0
· How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory
· How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
· How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
· How To: Use Forms Authentication with SQL Server 2000
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use Windows Authentication in ASP.NET 2.0
Code Access Security
· How To: Create a Custom Encryption Permission
· How To: Use Code Access Security in ASP.NET 2.0
· How To: Use Code Access Security Policy to Constrain an Assembly
Code Review
· How To: Perform a Security Code Review for Managed Code (Baseline Activity)
Communications Security
· How To: Call a Web Service Using Client Certificates from ASP.NET
· How To: Call a Web Service Using SSL
· How To: Set Up SSL on a Web Server
· How To: Set Up Client Certificates
· How To: Use IPSec for Filtering Ports and Authentication
· How To: Use IPSec to Provide Secure Communication Between Two Servers
· How To: Use SSL to Secure Communication with SQL Server 2000
Configuration
· How To: Create a Custom Account To Run ASP.NET
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
· How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Cryptography
· How To: Create a DPAPI Library
· How To: Create an Encryption Library
· How To: Store an Encrypted Connection String in the Registry
· How To: Use DPAPI (Machine Store) from ASP.NET
· How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Deployment Review
· How To: Perform a Security Deployment Review for ASP.NET 2.0
Impersonation and Delegation
· How To: Implement Kerberos Delegation for Windows 2000
· How To: Use Impersonation and Delegation in ASP.NET 2.0
Input and Data Validation
· How To: Prevent Cross-Site Scripting in ASP.NET
· How To: Protect From Injection Attacks in ASP.NET
· How To: Protect From SQL Injection in ASP.NET
· How To: Use Regular Expressions to Constrain Input in ASP.NET
Patching and Updating
· How To: Implement Patch Management
SQL Server 2000
· How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0
· How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
· How To: Protect From SQL Injection in ASP.NET
· How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
· How To: Use SSL to Secure Communication with SQL Server 2000
Threat Modeling
· How To: Create a Threat Model for a Web Application at Design Time