
Forms authentication flow in asp.net

June 27th, 2007
  1. A client generates a request for a protected resource.
  2. IIS receives the request, and if the requestor is authenticated by IIS, or if IIS Anonymous Access is enabled, the request gets passed on to the ASP.NET application. Because the authentication mode in the ASP.NET application is set to forms, IIS authentication is not used.
  3. After a ticket is issued by the application, ASP.NET just checks the ticket for validity using a message authentication check. Applications do not need the credentials in the *.config files. In fact, ASP.NET does not check them after the cookie is issued, even if they are present. If the user is authorized, access is granted to the protected resource; or the application might require an additional test of the credentials before authorizing access to the protected resource, depending on the design of the application.
  4. If there is no cookie attached to the request, ASP.NET redirects the request to a logon page, the path of which resides in the application’s configuration file. On the logon page, the client user enters the required credentials (usually a name and password).
  5. The application code checks the credentials to confirm their authenticity, usually in an event handler. If the credentials are authenticated, the application code attaches a forms ticket containing the username, but not the password. An application could include the password, but ASP.NET treats the whole value as one opaque username string. If authentication fails, the request is usually returned with an Access Denied message or the logon form is presented again.
  6. If the user is authenticated, ASP.NET checks authorization, as in step 3, and can either allow access to the originally requested, protected resource or redirect the request to some other page, depending on the design of the application. It can also direct the request to some custom form of authorization where the credentials are tested for authorization to the protected resource. If authorization fails, ASP.NET always redirects to the logon page.
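The six steps above, modelled end to end in Python as an added example (this is not ASP.NET code and not from the original post). The ticket is a MAC-protected string carrying only the username and an expiry, the key and cookie name are constructed stand-ins for what ASP.NET reads from machineKey and web.config, and the user table and authorization rules are constructed too. The point it makes visible is step 3: once the ticket exists, validation consults only the MAC and the expiry, never the credential store, so the MAC is what stops a client from editing the username in its own cookie.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo values: in ASP.NET the signing key comes from machineKey,
# the cookie name and login URL from web.config.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"
COOKIE_NAME = ".DEMOAUTH"
LOGIN_URL = "/login"
TICKET_LIFETIME = 30 * 60  # seconds

# Constructed stand-ins for the credential store and the authorization rules.
USERS = {"alice": "correct horse battery", "bob": "hunter2"}
ALLOWED = {"/admin": {"alice"}, "/reports": {"alice", "bob"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_ticket(username: str, now: int) -> str:
    """Build a forms-style ticket: username + expiry, MAC'd with the server key.
    The password is deliberately absent; only the MAC proves the server issued it."""
    payload = json.dumps({"user": username, "exp": now + TICKET_LIFETIME},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def validate_ticket(ticket: str, now: int):
    """Return the username if the MAC verifies and the ticket is unexpired, else None.
    The credential store is never consulted here (step 3)."""
    try:
        payload_b64, mac_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged ticket
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None  # expired
    return data.get("user")


def handle_request(path: str, cookies: dict, now: int):
    """Steps 1-4 and 6: a request for a protected resource."""
    ticket = cookies.get(COOKIE_NAME)
    user = validate_ticket(ticket, now) if ticket else None
    login_redirect = ("302", f"{LOGIN_URL}?ReturnUrl={path}")
    if user is None:
        return login_redirect  # step 4: no (valid) cookie -> logon page
    if user not in ALLOWED.get(path, set()):
        return login_redirect  # step 6: authorization failure -> logon page
    return ("200", f"{path} served to {user}")


def handle_login(username: str, password: str, return_url: str, now: int):
    """Step 5: check credentials, then attach a ticket (username only) and redirect.
    A real store would hold password hashes; plain strings keep the demo short."""
    stored = USERS.get(username, "")
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return ("401", "Access Denied", {})
    return ("302", return_url, {COOKIE_NAME: issue_ticket(username, now)})


def tamper_detected(now: int) -> bool:
    """Self-check: swapping the username inside a valid ticket, while keeping the
    original MAC, must be rejected by validate_ticket."""
    genuine = issue_ticket("bob", now)
    _, mac_b64 = genuine.split(".")
    forged_payload = json.dumps({"exp": now + TICKET_LIFETIME, "user": "alice"},
                                sort_keys=True, separators=(",", ":")).encode()
    forged = _b64(forged_payload) + "." + mac_b64
    return validate_ticket(forged, now) is None


if __name__ == "__main__":
    print(handle_request("/admin", {}, 1000))            # no cookie -> redirect to logon
    _, _, jar = handle_login("alice", "correct horse battery", "/admin", 1000)
    print(handle_request("/admin", jar, 1001))           # valid ticket -> 200
    print("tamper rejected:", tamper_detected(1000))
```

Note the two redirect cases in `handle_request`: a missing or invalid cookie and an authorization failure both land on the logon page, exactly as steps 4 and 6 describe. Expiry is checked on every request, so a captured ticket is only useful for its lifetime; the MAC check is what makes the username in the cookie trustworthy without re-reading credentials from configuration.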
