David Kyle
Hello Guys (and Girls),
I've developed a few web applications now all using a SQL Server database
for a backend. Up until now I have tried multiple approaches to
Authorization and Authentication but this time I decided that I would use
industry standards inside of .NET.
There's a tremendous amount of information out there with regards to this.
After sifting through it all I believe I would like to use Forms
Authentication and .NET roles Authorization but I have a few questions with
regards to the security.
One, I've encountered a number of examples where they hold the role
information for each authenticated user in the
AuthenticationTicket.UserData. How secure is this? I would be worried that
the user could edit the contents of the cookie (if they knew the encryption
key) and grant themselves more access to areas they shouldn't be allowed
access to? Would it not be more secure to hold this information in the
Session Object? This would also apply to their LoginID.
Basically I guess I'm wondering how hard it is for them to break the
encryption that the AuthenticationTicket undergoes.
Also, what is the standard way to limit any access to an aspx page based on
a role?
Finally how can I limit access to a file like a .pdf file through a .NET
role?
Any help on any of these topics would be greatly appreciated. Thanks in
advance.
Cheers!
David Kyle
Web Developer
www.chloemag.com
(e-mail address removed)
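Added example, written for this thread and not taken from David's post or any project he names. It sketches the three pieces the questions touch: the FormsAuthenticationTicket is encrypted and MAC-signed with the validationKey in `<machineKey>`, so a client cannot change UserData without that server-side key (the real risk is the key leaking, e.g. an auto-generated key copied between servers, not the cipher being broken); an IHttpModule turns the role list in UserData into a principal so `User.IsInRole()` and the `<authorization>` element in web.config (`<location path="Reports"><system.web><authorization><allow roles="Admin"/><deny users="*"/></authorization></system.web></location>`) work for .aspx pages; and an IHttpHandler serves .pdf files only after a role check. It assumes a comma-separated role list in UserData, a role named "Subscriber", and .NET 2.0 APIs such as `HttpCookie.HttpOnly`.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Reads the role list out of the Forms Authentication ticket on every request and
// turns it into a principal so that User.IsInRole() and <authorization> rules work.
// The ticket is encrypted and MAC-signed with the <machineKey> validationKey, so a
// client cannot alter UserData without that server-side key: a tampered cookie
// fails validation in FormsAuthenticationModule and arrives here unauthenticated.
public class RoleTicketModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        // Assumed format: roles were written at login as a comma-separated list.
        string[] roles = ParseRoles(identity.Ticket.UserData);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Splits "Admin,Subscriber" into trimmed, non-empty role names.
    public static string[] ParseRoles(string userData)
    {
        if (userData == null || userData.Length == 0)
            return new string[0];
        System.Collections.ArrayList roles = new System.Collections.ArrayList();
        foreach (string part in userData.Split(','))
        {
            string role = part.Trim();
            if (role.Length > 0)
                roles.Add(role);
        }
        return (string[])roles.ToArray(typeof(string));
    }
}

// Login-page helper: roles come from the database at login time, never from the client.
public class TicketIssuer
{
    public static HttpCookie BuildAuthCookie(string loginId, string[] rolesFromDb, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            loginId,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // short lifetime limits replay of a stolen cookie
            persistent,
            String.Join(",", rolesFromDb),  // UserData: assumed comma-separated role list
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // .NET 2.0+: keep client script away from it
        cookie.Secure = FormsAuthentication.RequireSSL;  // mirrors <forms requireSSL="true">
        return cookie;
    }
}

// Handler for *.pdf so the file is served by ASP.NET instead of IIS. Register it in
// web.config under <httpHandlers> (verb="*" path="*.pdf" type="ProtectedPdfHandler",
// plus the assembly name if compiled into one) and, on IIS 6, map the .pdf extension
// to aspnet_isapi.dll; otherwise IIS serves the static file without consulting ASP.NET.
public class ProtectedPdfHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Role name "Subscriber" is an assumption for this example.
        if (!ctx.User.Identity.IsAuthenticated || !ctx.User.IsInRole("Subscriber"))
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
            return;
        }

        string physicalPath = ctx.Server.MapPath(ctx.Request.FilePath);
        ctx.Response.ContentType = "application/pdf";
        ctx.Response.WriteFile(physicalPath);
        ctx.Response.End();
    }
}
```

Once the .pdf extension reaches ASP.NET, the same `<authorization>` rules that protect .aspx pages apply to it as well, so the explicit check in the handler is a second line of defence rather than the only one. Keeping roles in Session instead of the ticket moves the trust to the session cookie, which is an unsigned identifier, so it is not inherently stronger; what matters in either design is protecting `<machineKey>`, using `requireSSL`, keeping ticket lifetimes short, and re-reading roles from the database for sensitive operations.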