Introduction

This article shows you how security works in ASP.NET as well as the different ways of doing it; there is no code just a whole bunch of flow charts.

Traditional Security on the web

The usually when a user requests a page IIS does this -

This kind of security is ok for most people. However, to set up individual permissions you have to add new Windows accounts and that takes time to do.

People who want to provide their own user-level security use a database and the following layout:

But this layout has to be on every page that you want security, sure you could use a server side include, but isn't it much easier to have it done automatically for you?

ASP.NET's web.config allows for all of this. You can use Windows, Forms or Passport authentication. Not only can it automatically set cookies and automatically redirect users, it also can store credentials and have role based security.

Windows Security

The windows security is much like IIS's Integrated Windows Security.

Forms Based Security

This method redirects to a form to login and set the cookies, it works much like the Windows Based Security.

Passport

Passport also is included in the ASP.NET package. It does require you to have a business account with passport to use.

However, all of this relies on Passport.com's response and responses can be faked.

So far you've only seen what happens when a user tried to access a page, but how does the logon process actually work?

Windows Based

Windows based security is the simplest because most of it is based on Window's response (all done on the same server or domain).

Forms based Security

This is a bit more complicated and there are two ways of doing it -

1) Without credentials in web.config

This is also simple but FormsAuthenticate (the object that handles form based security) does nothing but wait for information regarding what to do.

2) With credentials in web.config

You can clearly see that this does not rely on the developer to perform the authentication, the developer just sends the information to FormsAuthenticate and it handle's the rest (apart from when it comes back to the page, then they have to redirect or something).

Passport

Passport authentication is massively different to both of the above methods because it does a lot of switching between servers. There are two different ways the user can be authenticated -

1) Without Windows XP

Again, it relies on passport's response. Also, the cookies allow the user to any part of the passport network and the cookies assign information such as timeout, u/p and timestamps all generated by the defaults at passport.com

2) With Windows XP (running IE6)

The details for this way are sent through something called "passport authentication" that works differently to normal detail submission. There is however no details on the specifics of how it works and it seems to have an inconsistent authentication behavior. The cookies are also a bit different.

Impersonation

Impersonation lets ASP.NET restrict access to pages based on that user's identity. Normally ASP.NET takes the identity of the local machine which means that it has complete access to all files and folders. When impersonation is enabled, ASP.NET takes on the role that IIS assigns it. When ASP.NET is impersonating a user, Windows can restrict access to the application. Lets say that you have an ASP.NET application that acts like a file browser for the system, by default the user can see and do anything because ASP.NET has access, with impersonation ASP.NET only has access to pages that they would normally have (if logged in at the workstation), so anonymous users have very limited access.

That should give you a better look at what it's doing.

Summary

This article showed you the new ways that ASP.NET allows you to authenticate your users. I didn't go through authorization because that's basically the same as checking for access to a particular resource and getting a yes or no answer. For other articles on ASP.NET and Security see the Related Articles section.