08 authentication

Authentication in ASP.NET MVC Best practices for user and group management

Upload: rap-payne

Post on 26-Jun-2015


TRANSCRIPT

Page 1: 08 authentication

Authentication in ASP.NET MVC Best practices for user and group management

Page 2: 08 authentication

Topics
• The membership and role provider model
• Authorizing action methods
• Best practices

Page 3: 08 authentication

The provider model
• ASP.NET has a robust and simple way to handle authentication: the membership and role provider model
• Configured in web.config (ASP.NET Configuration Tool)
• It is highly extensible! Can customize it via some programming
• Much more secure than home-grown ways
• Uses good design patterns
• Abstracts away most user functions

Page 4: 08 authentication

Coding with the Provider Model
• All features are simple ...

    MembershipCreateStatus status;
    Membership.CreateUser(
        "dschrute",                        // username
        "recyclops",                       // password
        "[email protected]",               // email
        "Which color is most dominant?",   // password reminder question
        "black",                           // response
        true,                              // is approved?
        out status
    );
    if (status != MembershipCreateStatus.Success)
        throw new Exception("Fail!");

• Other features are similarly easy
• Best feature, though, is ...
• No programming necessary!

Page 5: 08 authentication

To authenticate a user:

    FormsAuthentication.SetAuthCookie("ferb", false);

Who am I?

    User.Identity.Name;
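The two slides above show the provider calls one at a time. The controller below is an added example (not from the slides or the ASP.NET framework itself) that puts them together in one register/login flow: create the user, react to the MembershipCreateStatus, assign a role through the role provider, sign in with a session-only cookie, and protect an action with [Authorize]. It assumes the default SqlMembershipProvider with requiresQuestionAndAnswer="false" and the SqlRoleProvider enabled in web.config; the role name "Sales" and the view names are constructed.

```csharp
// Added example, not from the slides: the provider model end to end.
// Assumes the default Sql providers are configured in web.config with
// requiresQuestionAndAnswer="false"; "Sales" is a constructed role name.
using System;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Register(string username, string password, string email)
    {
        MembershipCreateStatus status;
        // The provider applies the configured length/complexity rules and
        // hashes the password (passwordFormat="Hashed") before storing anything.
        Membership.CreateUser(username, password, email,
                              null, null,   // no question/answer in this flow
                              true,         // approved immediately
                              out status);

        if (status != MembershipCreateStatus.Success)
        {
            // Report the provider's reason, but never echo the password back.
            ModelState.AddModelError("", DescribeStatus(status));
            return View();
        }

        // Role provider: create the role on first use, then add the new user.
        if (!Roles.RoleExists("Sales"))
            Roles.CreateRole("Sales");
        Roles.AddUserToRole(username, "Sales");

        // false = session cookie only; no "remember me" (see the best practices).
        FormsAuthentication.SetAuthCookie(username, false);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password)
    {
        // ValidateUser compares against the stored hash and counts failures
        // toward maxInvalidPasswordAttempts.
        if (Membership.ValidateUser(username, password))
        {
            FormsAuthentication.SetAuthCookie(username, false);
            return RedirectToAction("Index", "Home");
        }
        // One message for unknown user and wrong password: no account enumeration.
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View();
    }

    // Authorizing an action method: only members of Sales get here;
    // everyone else is redirected to the login page by forms authentication.
    [Authorize(Roles = "Sales")]
    public ActionResult WhoAmI()
    {
        return Content("You are " + User.Identity.Name);
    }

    private static string DescribeStatus(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.DuplicateUserName:
                return "That user name is already taken.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the configured policy.";
            case MembershipCreateStatus.InvalidEmail:
                return "The e-mail address is not valid.";
            default:
                return "Registration failed: " + status;
        }
    }
}
```

The [Authorize] filter reads the roles through the same role provider that AddUserToRole wrote to, which is why swapping in a custom RoleProvider (next slides) changes authorization everywhere without touching the controllers.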

Page 6: 08 authentication

But I have another authentication method in place. I need to use it!
• No problem. Just create your own class that inherits from MembershipProvider and override the parts you need.

Page 7: 08 authentication

Overriding authentication methods

    using System.Web.Security;

    class MyMembershipProvider : MembershipProvider
    {
        // Look the user up in the existing system and wrap it in a MembershipUser
        // (ExistingMethod and MyMembershipUser stand for your own code)
        public override MembershipUser GetUser(string username, bool userIsOnline)
        {
            var a = ExistingMethod.GetUserByUserName(username);
            return new MyMembershipUser(a.Id, a.Email);
        }

        // Delegate the credential check to the existing system
        public override bool ValidateUser(string username, string password)
        {
            return Existing.Valid(username, password);
        }
    }

Page 8: 08 authentication

To use your own groups/roles methods, override RoleProvider

    using System.Web.Security;

    public class AccountRoleProvider : RoleProvider
    {
        public override void AddUsersToRoles(string[] usernames, string[] roleNames)
        {
            // Use your existing system to add users to groups
        }

        // Called by [Authorize(Roles = ...)] and Roles.GetRolesForUser
        public override string[] GetRolesForUser(string id)
        {
            return ExistingWay(id);
        }

        public override bool RoleExists(string roleName)
        {
            return ExistingDoesRoleExist(roleName);
        }
    }

Page 9: 08 authentication

One last step; we need to register our providers in web.config

    <system.web>
      <membership defaultProvider="AccountMembershipProvider">
        <providers>
          <clear/>
          <add name="AccountMembershipProvider"
               type="MyProj.AccountMembershipProvider" />
        </providers>
      </membership>

      <roleManager enabled="true"
                   defaultProvider="AccountRoleProvider">
        <providers>
          <clear/>
          <add name="AccountRoleProvider"
               type="MyProj.AccountRoleProvider" />
        </providers>
      </roleManager>
      ...
    </system.web>

Page 10: 08 authentication

Best practices
• Avoid canned questions
• When resetting the password, never email it
• Don't allow the website to "Remember me"
• Turn autocomplete off so the username and/or password can't be pulled from the browser cache
• Use strong passwords

Page 11: 08 authentication

Allow the user to set his own password reset question.
• Never force from a small list
• Too easy to research
  • High school mascot
  • Mother's maiden name
  • Pet's name
  • Birth city
• Too easy to guess
  • Favorite color
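The slide says what not to do; the action below is an added example (not from the slides) of the alternative done through the provider API: the signed-in user writes their own question, the stock questions from the slide are refused, and the change goes through MembershipUser.ChangePasswordQuestionAndAnswer, which requires the current password. It assumes a configured membership provider; the length thresholds and view names are constructed.

```csharp
// Added example, not from the slides: let the user write their own
// reset question instead of picking from a canned list.
using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

public class ResetQuestionController : Controller
{
    // The "too easy to research / too easy to guess" questions from the slide.
    private static readonly string[] StockQuestions =
    {
        "high school mascot", "mother's maiden name", "pet's name",
        "birth city", "favorite color"
    };

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SetQuestion(string currentPassword, string question, string answer)
    {
        question = (question ?? "").Trim();
        answer = (answer ?? "").Trim();

        // Thresholds are constructed for the example.
        if (question.Length < 10)
            ModelState.AddModelError("question", "Write a full question of your own.");
        if (StockQuestions.Any(q => question.IndexOf(q, StringComparison.OrdinalIgnoreCase) >= 0))
            ModelState.AddModelError("question", "That question is too easy for someone else to find out; choose another.");
        if (answer.Length < 3)
            ModelState.AddModelError("answer", "The answer is too short.");
        if (!ModelState.IsValid)
            return View();

        // The provider insists on the current password, so a hijacked session
        // alone cannot swap the recovery question. SqlMembershipProvider stores
        // the answer using the same passwordFormat as the password (Hashed here).
        MembershipUser user = Membership.GetUser(User.Identity.Name, true);
        bool changed = user.ChangePasswordQuestionAndAnswer(currentPassword, question, answer);
        if (!changed)
        {
            ModelState.AddModelError("currentPassword", "The current password is incorrect.");
            return View();
        }
        return RedirectToAction("Index", "Manage");
    }
}
```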

Page 12: 08 authentication

Remember me is convenient but it opens security holes
• Worst option is to save username and password in a cookie
• If you must remember me, do it like Microsoft's provider does and store it in a persistent authentication cookie
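To make the contrast on this slide concrete, here is an added example (not from the slides) showing the worst option next to the provider's approach. The persistent forms-authentication ticket carries only the user name and an expiry, encrypted and signed with the machineKey; the password never leaves the server. Names are illustrative and the 30-day lifetime is constructed.

```csharp
// Added example, not from the slides: "remember me" the wrong way and the
// provider's way, side by side.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class RememberMeController : Controller
{
    // WORST OPTION, kept here only for contrast. Whoever can read this cookie
    // (shared machine, script injection, proxy logs) has the password itself,
    // and the site cannot revoke it without forcing a password change.
    [NonAction]
    public void RememberBadly(string username, string password)
    {
        var cookie = new HttpCookie("creds", username + ":" + password)
        {
            Expires = DateTime.UtcNow.AddDays(30)   // constructed lifetime
        };
        Response.Cookies.Add(cookie);
    }

    // What Microsoft's provider does: a persistent forms-authentication ticket.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(username, password))
        {
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View();
        }

        // rememberMe = true writes a cookie that outlives the browser session;
        // <forms timeout="..."> in web.config still bounds how long it is honoured.
        FormsAuthentication.SetAuthCookie(username, rememberMe);
        return RedirectToAction("Index", "Home");
    }

    // Decrypting the ticket shows why it is the safer option: there is no
    // secret in it to leak, only the name and the expiry.
    [Authorize]
    public ActionResult InspectTicket()
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return Content("no ticket");

        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        return Content(string.Format("name={0} persistent={1} expires={2:u}",
            ticket.Name, ticket.IsPersistent, ticket.Expiration));
    }

    public ActionResult Logout()
    {
        // Removes the ticket cookie; a persistent cookie is deleted, not just expired.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

Even the persistent ticket is a bearer token, so it should only travel over HTTPS and never be readable by script: set requireSSL="true" on the <forms> element and httpOnlyCookies="true" under <httpCookies> in web.config.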

Page 13: 08 authentication

Turn browser caching off
• Guessing a username is half the battle
• If the form helps the user to fill a username he has a major leg up
• And if we do that for a password, that would be horrible
• Turn remembering off like this:

    <form id="f1" autocomplete="off">

Page 14: 08 authentication

Sometimes... often... usually, our efforts to increase security actually decrease it

Page 15: 08 authentication

Password rules are enforced on the backend
• Set in web.config in membership > providers:

    <add name="AspNetSqlMembershipProvider" type="..."
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         passwordStrengthRegularExpression="" />
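The attributes on that <add> element surface in code as static properties of System.Web.Security.Membership. The helper below is an added example (not from the slides) that reads them to give the user a specific message before CreateUser or ChangePassword runs, and that detects the lockout maxInvalidPasswordAttempts produces so a help desk can see why a correct password is being refused. It assumes the provider above is the default provider; the message wording is constructed.

```csharp
// Added example, not from the slides: the web.config password rules as
// seen from code, plus the lockout that maxInvalidPasswordAttempts causes.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class PasswordPolicy
{
    // Courtesy pre-check against the same rules the provider enforces.
    // The provider still re-checks and returns InvalidPassword; this only
    // turns that one status into specific messages for the form.
    public static IList<string> Violations(string candidate)
    {
        var problems = new List<string>();
        candidate = candidate ?? "";

        int minLength = Membership.MinRequiredPasswordLength;          // minRequiredPasswordLength
        if (candidate.Length < minLength)
            problems.Add("Use at least " + minLength + " characters.");

        int minSpecial = Membership.MinRequiredNonAlphanumericCharacters; // minRequiredNonalphanumericCharacters
        int special = candidate.Count(c => !char.IsLetterOrDigit(c));
        if (special < minSpecial)
            problems.Add("Use at least " + minSpecial + " non-alphanumeric characters.");

        string pattern = Membership.PasswordStrengthRegularExpression;  // passwordStrengthRegularExpression
        if (!string.IsNullOrEmpty(pattern) && !Regex.IsMatch(candidate, pattern))
            problems.Add("The password does not match the required pattern.");

        return problems;
    }

    // After maxInvalidPasswordAttempts failures inside passwordAttemptWindow the
    // provider sets IsLockedOut and ValidateUser returns false even for the right
    // password. The login page should keep its single generic message; this
    // detail is for an administrator or help-desk view, which is also where
    // MembershipUser.UnlockUser() belongs.
    public static bool IsLockedOut(string username, out DateTime lockedSince)
    {
        lockedSince = DateTime.MinValue;
        MembershipUser user = Membership.GetUser(username, false);
        if (user == null || !user.IsLockedOut)
            return false;

        lockedSince = user.LastLockoutDate;
        return true;
    }

    // Human-readable summary of the active policy, e.g. for a settings page.
    public static string Describe()
    {
        return string.Format(
            "min length {0}, min non-alphanumeric {1}, lockout after {2} failures within {3} minutes",
            Membership.MinRequiredPasswordLength,
            Membership.MinRequiredNonAlphanumericCharacters,
            Membership.MaxInvalidPasswordAttempts,
            Membership.PasswordAttemptWindow);
    }
}
```

With the slide's values (length 1, zero special characters, empty pattern) Violations() accepts almost anything, which is the point of the next slide: raise them in web.config and both the pre-check and the provider tighten together, with no code change.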

Page 16: 08 authentication

Summary
• Good authentication practices go a long way toward establishing security
• Use a role provider based on Microsoft's
• Use Microsoft's built-in controls
• Enforce strong passwords, but don't go crazy