Security verification
1. ASP.NET security mode
1. Why security is necessary:
(1) A specially constructed link address can cause the data in a file to be leaked.
(2) Database leakage.
(3) The primary prevention strategy: all HTTP access must go through IIS, so securing IIS is the key.
2. The concept of security mode: depending on the type of resource requested, IIS either processes the request itself or hands it off. If the requested resource is an ASPX page, IIS passes the request to ASP.NET together with the security token of the authenticated user (or of the anonymous user). What happens next depends on how ASP.NET is configured.
3. The four authentication modes supported by ASP.NET:
(1) Windows: authentication performed by IIS; very useful in an intranet environment.
(2) Passport: Microsoft's centralized authentication service; one login gives access to all member sites, and a fee is charged.
(3) Forms: form-based authentication that verifies an account and password; the most popular and best-suited method for web programming.
(4) None: ASP.NET performs no authentication of its own and relies entirely on IIS authentication.
4. Authentication and authorization mechanism:
5. Forms-based authentication mode
6. The main attributes of the <forms> element
Forms authentication example:
First, add the following to web.config:
<!--
  The <authentication> section configures the security authentication mode;
  ASP.NET uses this mode to identify the visiting user.
-->
<!--<authentication mode="Windows" />-->
<authentication mode="Forms">
  <forms loginUrl="login.aspx" defaultUrl="index.aspx">
    <!-- Clear = the password is stored in plain text in this file -->
    <credentials passwordFormat="Clear">
      <user name="admin" password="admin"/>
    </credentials>
  </forms>
</authentication>
<authorization>
  <!-- "?" denies anonymous (unauthenticated) users -->
  <deny users="?"/>
</authorization>
<!--
  If an unhandled error occurs while a request is executing, the corresponding
  handling can be configured in the <customErrors> section. In particular,
  developers can use this section to configure an HTML error page to display
  in place of the error stack trace.
  <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm" />
    <error statusCode="404" redirect="FileNotFound.htm" />
  </customErrors>
-->
Create three pages: index.aspx, user.aspx and login.aspx.
The login page layout is as follows:
Add a click event to the button as follows:
// requires: using System.Web.Security;
protected void Button1_Click(object sender, EventArgs e)
{
    string name = TextBox1.Text;
    string pwd = TextBox2.Text;

    // Check the account against the <credentials> entries in web.config
    if (FormsAuthentication.Authenticate(name, pwd))
    {
        // Issue the authentication ticket and return to the originally requested
        // page (or defaultUrl); false = non-persistent cookie
        FormsAuthentication.RedirectFromLoginPage(name, false);
        // Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "MD5"));
    }

    // Hard-coded accounts used by the example
    if (name == "admin" && pwd == "123456")
    {
        FormsAuthentication.RedirectFromLoginPage(name, false);
    }
    else if (name == "user" && pwd == "123456")
    {
        // Plain redirect: no authentication ticket is issued, so the
        // <deny users="?"/> rule still applies to user.aspx
        Response.Redirect("user.aspx");
    }
}
The running result is as follows:
Logging in as admin jumps to the index.aspx page.
Entering the other account and password jumps to the user.aspx page.
To store the password in encrypted (hashed) form, modify the code as follows:
// requires: using System.Web.Security;
protected void Button1_Click(object sender, EventArgs e)
{
    string name = TextBox1.Text;
    string pwd = TextBox2.Text;

    if (FormsAuthentication.Authenticate(name, pwd))
    {
        //FormsAuthentication.RedirectFromLoginPage(name, false);
        // Print the MD5 digest of the password in the form expected by
        // <credentials passwordFormat="MD5"> in web.config
        Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "MD5"));
    }

    //if (name == "admin" && pwd == "123456")
    //{
    //    FormsAuthentication.RedirectFromLoginPage(name, false);
    //}
    //else if (name == "user" && pwd == "123456")
    //{
    //    Response.Redirect("user.aspx");
    //}
}
The results are as follows:
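As an added example that is not part of the original page, the check that FormsAuthentication.Authenticate performs against the <credentials> entries, modelled in Python: hash the submitted password according to the configured passwordFormat and compare it with the stored value. The web.config fragment is constructed for this example, and the stored value uses the uppercase hex digest format that HashPasswordForStoringInConfigFile writes.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed web.config fragment for this example (not the page's own config):
# the admin password is stored as the uppercase SHA1 hex digest of "123456".
WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" defaultUrl="index.aspx">
        <credentials passwordFormat="SHA1">
          <user name="admin" password="7C4A8D09CA3762AF61E59520943DC26494F8941B"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
"""

def hash_for_config(password: str, password_format: str) -> str:
    """Value for <user password="..."/>: the password itself for Clear, otherwise
    the uppercase hex digest HashPasswordForStoringInConfigFile writes (UTF-8 input)."""
    if password_format == "Clear":
        return password
    if password_format in ("MD5", "SHA1"):
        digest = hashlib.new(password_format.lower(), password.encode("utf-8"))
        return digest.hexdigest().upper()
    raise ValueError("unsupported passwordFormat: " + password_format)

def load_credentials(config_xml: str):
    """Read passwordFormat (SHA1 is the ASP.NET default) and the <user> entries."""
    creds = ET.fromstring(config_xml).find("./system.web/authentication/forms/credentials")
    users = {u.get("name"): u.get("password") for u in creds.findall("user")}
    return creds.get("passwordFormat", "SHA1"), users

def authenticate(config_xml: str, name: str, password: str) -> bool:
    """Model of FormsAuthentication.Authenticate: hash the submitted password the
    same way as the stored value and compare in constant time."""
    password_format, users = load_credentials(config_xml)
    stored = users.get(name)
    if stored is None:
        return False
    candidate = hash_for_config(password, password_format)
    if password_format != "Clear":  # hex digests compare case-insensitively
        candidate, stored = candidate.upper(), stored.upper()
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
```

An unsalted MD5 or SHA1 digest of a short password is recovered quickly from precomputed tables, which is why HashPasswordForStoringInConfigFile is marked obsolete in later .NET Framework versions in favour of the Membership and Identity providers.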
There are three ways to encrypt passwords:
Forms authentication summary: