More tips from Jeff Prosise
More security tips from the Web Perspective Pre-con:
- Use caution when using persistent auth cookies in Forms Authentication. The default cookie lifetime is 50 years, which makes it more likely that a cookie could be hijacked and used in a replay attack. The better course is to issue the cookie yourself with a shorter lifespan and do your own redirection (rather than using FormsAuthentication.RedirectFromLoginPage, which issues the long-lived cookie for you).
- You can use the Application_OnAuthenticateRequest event (in Global.asax) to hook in code that you want to run with every login in your application. This can be useful in assigning roles to users at runtime so that you can use role-based authentication in your web.config file.
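Here is an added example (my own code, not from Jeff's demos) that puts the two previous tips together for ASP.NET 1.1: the login page builds its own FormsAuthenticationTicket with a short expiration, stores the user's roles in the ticket's UserData field, writes the cookie and redirects itself; then the Application_OnAuthenticateRequest handler in Global.asax (which actually fires on every request, not just at login) reads those roles back into a GenericPrincipal so that `<allow roles="..."/>` in web.config works. The LookupRoles method and the 7-day/30-minute lifetimes are assumptions you would replace with your own role store and policy.

```csharp
// Added example, not part of the original notes or Jeff Prosise's session code.
// Assumes ASP.NET 1.1 Forms Authentication; LookupRoles() is a hypothetical stand-in
// for your own role store.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class LoginHelper
{
    // Called from the login page after the user's credentials have been verified.
    public static void IssueTicketAndRedirect(HttpContext ctx, string userName, bool persistent)
    {
        string[] roles = LookupRoles(userName);                       // hypothetical lookup
        DateTime expires = persistent
            ? DateTime.Now.AddDays(7)                                   // assumption: 7 days, not 50 years
            : DateTime.Now.AddMinutes(30);                              // assumption: 30 minutes for session cookies

        // Roles ride along in UserData so no database hit is needed per request.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, expires, persistent, String.Join(",", roles));

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        if (persistent)
            cookie.Expires = expires;   // short-lived persistent cookie instead of the default
        cookie.Secure = ctx.Request.IsSecureConnection;  // only send it back over SSL when issued over SSL
        ctx.Response.Cookies.Add(cookie);

        // Do the redirect ourselves instead of calling RedirectFromLoginPage,
        // which would write its own long-lived persistent cookie.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    static string[] LookupRoles(string userName)
    {
        // Placeholder for your own role store (constructed sample data).
        return userName == "admin" ? new string[] { "Admin", "User" } : new string[] { "User" };
    }
}

// Global.asax code-behind: rebuild the principal with the roles from the ticket.
public class Global : HttpApplication
{
    protected void Application_OnAuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;                                           // anonymous request, nothing to do

        FormsIdentity id = Context.User.Identity as FormsIdentity;
        if (id == null || id.Ticket.Expired)
            return;

        string[] roles = id.Ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(id, roles);       // now User.IsInRole("Admin") works
    }
}

// web.config then needs nothing beyond ordinary URL authorization, for example:
//   <authorization>
//     <allow roles="Admin" />
//     <deny users="*" />
//   </authorization>
```

The roles come from the encrypted, MAC-protected ticket, so a client cannot edit them; the trade-off is that a role change only takes effect when a new ticket is issued, which is another reason to keep the lifetime short.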
- Jeff's also taking an interesting approach to demoing security by demoing some common hacks, then demoing how to prevent them. An important distinction: there are two basic types of hacks. System-level hacks are the ones like the RPC bug that Blaster exploited; application-level hacks are because of vulnerabilities in our own code. The former we fix by keeping our Web servers up to date. The latter are our responsibility, and they're equally (if not more) important. The two biggies are Cross-site Scripting (XSS) and SQL Injection. In an XSS attack, an attacker enters script in a text entry field in the hope that your application will display it unfiltered elsewhere, causing it to be executed. ASP.NET v1.1 helps fix these XSS attacks by throwing an exception any time script input (or script-like input) is found in the Request object's input collections. Ideally, you should also call Server.HtmlEncode on any input you echo back to further prevent XSS attacks. SQL Injection attacks are most common when you create queries by concatenating fields entered by a user into a SQL query string. Best practice is to *never* build this kind of dynamic SQL query. Either use parameters to build your SQL queries, or use stored procedures, to avoid SQL Injection attacks.
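As an added example (mine, not from the session), here is the concatenated query the last tip warns against, side by side with the parameterized and stored-procedure versions, plus the HtmlEncode step for anything echoed back to the browser. The table name `Users`, the column `UserName`, the stored procedure `GetUserByName` and the sample input `O'Brien` are all made up for the illustration.

```csharp
// Added example, not part of the original notes. Table, column, procedure name
// and sample inputs are constructed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class AccountData
{
    // VULNERABLE (shown only as the "before"): user input becomes part of the SQL text.
    // With the constructed input O'Brien the apostrophe ends the string literal early,
    // so whatever follows the quote is parsed as SQL rather than treated as a name.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT UserName, Email FROM Users WHERE UserName = '" + userName + "'";
        // BuildUnsafeQuery("O'Brien") yields
        //   SELECT UserName, Email FROM Users WHERE UserName = 'O'Brien'
    }

    // SAFE: the same query with a parameter. The value is sent separately from the
    // SQL text, so quotes or keywords inside it are just data.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT UserName, Email FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // SAFE: stored-procedure variant; parameters are still the only way input gets in.
    public static SqlCommand BuildProcCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand("GetUserByName", conn);   // hypothetical procedure
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // XSS: encode user-supplied text before writing it into the page. HttpUtility.HtmlEncode
    // is the same routine Server.HtmlEncode calls; use it where you have no Page context.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
        // RenderGreeting("<b>Pat</b>") yields <p>Welcome, &lt;b&gt;Pat&lt;/b&gt;</p>
    }
}
```

Request validation in v1.1 (the `validateRequest="true"` default on the `<pages>` element) is a safety net, not a substitute for encoding: it rejects obviously script-like input on the way in, while HtmlEncode makes the output harmless regardless of where the text came from.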