لطفا منتظر باشید ...
ASP.NET 2.0: A Developer''''s NotebookBy
Table of Contents
| Index
| Errata
When ASP.NET hit the street a couple of years ago, it was a
real eye-opener. Microsoft''''s tool for creating dynamic,
server side web applications introduced Web Forms, a feature
with the same rapid drag and drop convenience enjoyed by
Visual Basic developers, along with a method for creating
XML-based web services. ASP.NET was more than an upgrade of
Active Server Pages it was a quantum leap ahead.
Now Microsoft has a new version of ASP.NET as part of its
upcoming next generation release of the Visual Studio .NET
development platform. ASP.NET 2.0 is already available in
beta release, and web developers are anxious to get a good
look at it. That''''s exactly what our new Developer''''s Notebook
allows you to do.
More than just an introduction to ASP.NET 2.0, this
practical guide acquaints you with all of the new features
through nearly 50 hands-on projects. Each one places
emphasis on changes in the new release that can increase
productivity, simplify programming tasks, and help you add
functionality to your applications. For example, ASP.NET 2.0
includes master pages, themes, and skins so you can build
applications with a consistent page layout and design. Other
changes allow for the automatic creation of web pages for
use on mobile devices, while wizards and controls allow you
to perform frequent tasks (like data access) without having
to write a single line of code.
ASP.NET 2.0: A Developer''''s Notebook
also includes suggestions for further experimentation, links
to on-line documentation, and practical notes and warnings
from the author regarding changes to the new version.
The new Developer''''s Notebooks series from O''''Reilly offers an
in-depth first look at important new tools for software
developers. Emphasizing example over explanation and
practice over theory, they focus on learning by doing you''''ll
get the goods straight from the masters, in an informal and
code-intensive style. If you want to get up to speed on
ASP.NET 2.0 before its official release, this all lab, no
lecture book will get you there.
5.2. Add Users with WAT
Once you have set up your site toauthenticate users, you need a way to
add user accounts to your site. In ASP.NET 2.0, you can do this by
using the ASP.NET Web Site Administration Tool (WAT). The user
accounts you add will be stored in a SQL Server 2005 Express database
by default (located under the App_Data folder in
your project), as specified by the default Membership Provider. There
is no longer any need for you to create your own custom databases for
this purpose or to store the user account information in
Web.config (which is insecure).Note: The ASP.NET Web Application Administration Tool (WAT) will
help you create new users for your web site and then store the
users' information in the database.
5.2.1. How do I do that?
In this lab, you will use the ASP.NET WAT to add new user accounts toyour web application. The user accounts will be stored in the
database specified by the Membership Provider (see the Section 5.1.2 of Section 5.1). By default, the WAT adds
new users to a SQL 2005 Express database.Open the project created in the last lab
(C:\ASPNET20\chap-5-SecurityControls).To add a new user to your web site, you will use the ASP.NET Web Site
Administration Tool (found in the
Website
ASP.NETConfiguration menu item; see Figure 5-9).
Figure 5-9. Launching the ASP.NET Configuration tool
ASP.NET Configuration icon in Solution Explorer (see Figure 5-10).
Figure 5-10. Invoking the ASP.NET Configuration tool in Solution Explorer
Figure 5-11. The ASP.NET Web Site Configuration Tool
user" link to create a new user account (see Figure 5-12).
Figure 5-12. Creating a new user
account creation.
Figure 5-13. Entering information for a new user
Solution Explorer, select Default.aspx and press
F5. You should see the screen shown in Figure 5-14.
Figure 5-14. The opening page: not logged in yet
page. Enter the account details of the account just created and click
Log In (see Figure 5-15).
Figure 5-15. Logging in
Figure 5-16. User authenticated
5.2.2. What just happened?
When you add a user to your application, the information is saved intwo tables in SQL 2005 Express (located in the
App_Data folder of the project):aspnet_Membershipaspnet_UsersTip: The aspnet_Membership table stores detailed information about a user
(such as password, email, last login date, and more), whereas the
aspnet_Users table stores information such as the name of the web
application to which the user belongs.
Tables Table 5-1 and Table 5-2
show the values that are created in the two tables when I create an
account for myself.
Table 5-1. Content of aspnet_Membership
Field
Value
Table 5-2. Content of aspnet_Users
Field
Value
before it is stored in the Password field of the aspnet_Membership
table (see Sidebar 1-2).
Password Hashing
There are many ways to store a user's password in
the database. The simplest (and most insecure) way is to store
the user's password
in clear text. However, doing so will expose all your
users' passwords in the event that your database is
compromised.A better way would be to encrypt your password (using an encryption
key or, better still, with keyless encryption). The best choice would
be to apply a one-way function to the password so that no key is
needed, reducing the chance that the key would be discovered by a
potential hacker. Hashing is a cryptographic algorithm that takes in
an input and produces a hash output. It does not require a key and,
technically, there is little chance that two different inputs will
produce the same hash value.Therefore, the hashed values of passwords are often stored in the
database. When a user logs in, the given password is hashed and its
value is compared with that of the value stored in the database. If
they are the same, the user is authenticated.One pitfall of hashing is that a potential hacker may use a
dictionary attack. He may generate a list of hash values of commonly
used passwords and then compare them with the hash values stored in
the database. Once a match is found, the attacker would know the
password of a user.To slow attackers down, a random string of values (known as a
salt ) is generated for each user and added to
the password before it is hashed. The hashed value and the salt is
then stored in the database. The advantage of this is that an
attacker will now have to generate a separate list of hash values for
each user (taking into consideration the random salt for each user),
making it more difficult and time-consuming to get the exact
password. Also, using a salted hash, two users having the same
password will now have two different hash values, since a random salt
is generated for each user.
5.2.3. What about...
...finding out whether a page is being viewedby an authenticated user?You determine if a page is being viewed by an authenticated user by
using the GetUser( ) method from the Membership class. Take the example
of the Default.aspx page. You might want to
display some customized welcome messages once a user has logged in
successfully. You can do that by calling the GetUser( ) method in the
Form_Load event-handling code. If the user viewing the page is not
logged in, the GetUser( ) method will return null.
The following code checks to see if an authenticated user is viewing
the page, and if that's the case, it prints out the
current time.
Protected Sub Page_Load(ByVal sender As Object, _...preventing a potential hacker from trying
ByVal e As System.EventArgs) _
Handles Me.Load
If Membership.GetUser IsNot Nothing Then
Response.Write("Time is " & Now)
End If
End Sub
too many times to guess a user's
password?You can limit the number of unsuccessful attempts by setting the
passwordAttemptThreshold and
passwordAttemptWindow
attributes of the Membership Provider in the
Web.config file, as shown in Example 5-1.
Example 5-1. Limiting password attempts
...Tip: The LocalSqlServer connection string points to the SQL Server 2005
<membership defaultProvider="SqlProvider"
userIsOnlineTimeWindow="20">
<providers>
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="LocalSqlServer"
requiresQuestionAndAnswer="true"
passwordAttemptThreshold="5"
passwordAttemptWindow="30"
applicationName="MyApplication" />
</providers>
</membership>
Express database in your project. It is defined in the
machine.config.comments file.
The code in Example 5-1 limits a user to five
password attempts within 30 minutes. If the user exceeds those
numbers, her account will be locked.
5.2.4. Where can I learn more?
To learn more about how to use salted hashes in your own .NETapplications, check out this MSDN article: http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/.For more information on the passwordAttemptThreshold and
passwordAttemptWindow attributes, check out the MSDN Help topics on
"Membership.passwordAttemptThreshold
property" and
"Membership.passwordAttemptWindow
property."
