Authentication & Authorization in ASP.Net
This is a new security concept provided with ASP.NET. When a client request comes to the web server, the web server attaches a user account to the anonymous user, and access to resources is decided based on that account. This is called impersonation. By default, IUSR_MACHINENAME is the account attached to the anonymous user.
To implement security for the web application, we require authentication and authorization.
Authentication is the process of getting the identity or credentials of the user (that is, username and password).
Authorization is the process of giving or denying access to a particular resource based on the identity of the user.
ASP.NET supports three types of authentication:
1. Windows based authentication
2. Form based authentication
3. Passport based authentication
Windows based authentication
This can be used only for a private website belonging to the organization, i.e. an intranet implementation.
It performs authentication based on the Windows operating system (that is, network-level login or role).
Form based authentication
This performs authentication based on user information maintained in a database server. It is required for commercial websites.
When the client provides proper authentication information, the ASP.NET runtime responds by redirecting to the requested page and writing a cookie to the client machine.
This cookie contains a security token, so that subsequent requests are processed without authentication.
RedirectFromLoginPage() sends the user to the requested web page. Based on its second parameter, the cookie with the security token is created either as an in-memory cookie or as a persistent cookie. With an in-memory cookie, authentication is skipped only within that one browser window. With a persistent cookie, no browser window on the system requires authentication. The default name of the cookie is .ASPXAUTH.
The cookie name can be changed by providing the name attribute in the forms tag.
The default lifetime of the cookie is 30 minutes.
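
The forms authentication flow described above, as an added example (not code from the original post): a Login.aspx code-behind that checks the credentials and calls RedirectFromLoginPage, with the matching web.config in the header comment. The control names, the cookie name .MYAPPAUTH and the in-memory DemoUsers store (standing in for the database) are assumptions.

```csharp
// Added example. Assumed: Login.aspx declares the controls txtUser, txtPassword,
// chkRemember and lblError; DemoUsers is constructed sample data, not a real store.
//
// web.config, inside <system.web>:
//   <authentication mode="Forms">
//     <forms name=".MYAPPAUTH" loginUrl="Login.aspx" timeout="30" requireSSL="true" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>  <!-- no anonymous access -->
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // One shared salt keeps the sample short; a real user table stores one per user.
    private static readonly byte[] DemoSalt = NewSalt();
    private static readonly Dictionary<string, byte[]> DemoUsers =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        { { "alice", Derive("constructed-sample-password") } };
    private static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }
    private static byte[] Derive(string password)
    {
        // PBKDF2, so the store never holds the password itself.
        using (var kdf = new Rfc2898DeriveBytes(password, DemoSalt, 100000))
            return kdf.GetBytes(32);
    }
    private static bool IsValidUser(string user, string password)
    {
        byte[] stored;
        if (!DemoUsers.TryGetValue(user, out stored)) return false;
        byte[] candidate = Derive(password);
        int diff = 0;   // compare every byte, no early exit
        for (int i = 0; i < stored.Length; i++) diff |= stored[i] ^ candidate[i];
        return diff == 0;
    }
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!IsValidUser(txtUser.Text, txtPassword.Text)) { lblError.Text = "Invalid user name or password."; return; }
        // Second parameter: false = in-memory cookie, true = persistent cookie.
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkRemember.Checked);
    }
}
```
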
Passport authentication
When you want to perform common authentication for a collection of websites, you require passport authentication. Here the client is authenticated only once and is given access to the different websites. This is called a single sign-on service.
The main disadvantage is that the company's client details are maintained in a Microsoft database.