Authentication and Authorization are two main security processes used in various applications. Although they are often confused by some users, they possess major differences between each other.

Authentication

Authentication is a process of confirming the user’s identity in order to grant this user access to protected resources. Usually, the user needs to enter a username and password. These two, however, are not the only possible authentication credentials, as e-mail, security question, tokens and so on can also be required in the process. Depending on the complexity of the process, authentication can be classified into three main types:

  • Single-Factor Authentication: the simplest process and the process users meet most often. The system requires only a successful match between a username (sometimes e-mail) and a password to grant the access;
  • Two-Factor Authentication: in addition to the process in the single factor one, during the two-factor authentication the user needs to enter some additional data (such as an answer to a question about confidential information);
  • Multi-Factor Authentication: this is the most complex process requiring at least two independent levels of authorization.

It depends on the type of protected data when it comes to choosing what type of authentication should be implemented. While the single-factor authentication is suitable for many websites, the multi-factor authentication must be implemented on systems containing financial, military, people’s personal, product development, or any other critical data.

Authorization

Authorization occurs after a user is authenticated. It is about giving users specific and different types of access to different protected resources based on the settings and policies for users’ accounts. It is used on operating systems such as Windows, on medium and large companies’ internal systems, and everywhere where it is supposed that there will be different types of users with different duties and needs.

Authentication and Authorization in ASP .NET Forms

ASP .NET has some inbuilt code that can handle essential parts of the logic behind these processes.
Authentication is usually implemented using security cookies, validation algorithms, and a login page. While developers still need to take care of the login page, ASP .NET is responsible for the main behavior of the cookies and validation algorithms, and also provides defense against users who try to spoof their cookies or hack the application in any other conventional way.
When using ASP .NET, developers need to follow these three steps to implement the authentication functionality:

  • Set the authentication mode to forms authentication in the web.config file;
  • Restrict unauthorized users to access some pages or directories;
  • Create the login page.

Setting the authentication in the web.config file looks like that:

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="MyLoginCookie"
                loginUrl="~/Login.aspx"
                protection="All"
                timeout="60" 
                path="/" />
        </authentication>
        ...
    </system.web>
</configuration>
  • name: the name of the authentication cookie. The default name is .ASPXAUTH. If more than one such cookie is used, the names of these cookies must be unique;
  • loginUrl: the login page file which we’ll create later;
  • protection: shows if the cookie is encrypted and/or validated. Possible values are: None, Validation, Encryption, and the default one – All;
  • timeout: shows the number of minutes before the cookie expires if the user is idle. The timer is refreshed upon every user action. The default value is 30;
  • path: defines the path for the cookie itself. To prevent confusion and errors, the default value (“/”) is advised.

The settings above do not prevent anyone from accessing anything at all. They just enable the form authentication. Developers need to define the authorization settings. Here’s a simple example:

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="MyLoginCookie"
                loginUrl="~/Login.aspx"
                protection="All"
                timeout="60" 
                path="/" />
        </authentication>

        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
        ...
    </system.web>
</configuration>

The question mark for <deny> means no anonymous users can access the application.
The asterisk is the default value for <allow> meaning that all users can access the application.

Controlling the access to a whole directory is done by simply putting another web.config file with appropriate rules inside that directory.

If developers need to restrict the access to a specific file, they need to add a <location> tag nested directly in the base <configuration> tag:

<configuration>
    <location path="SecuredPage.aspx">
        <system.web>
            <authorization>
            ...
        </system.web>
    </location>
</configuration>

The path defines the restricted file. For multiple files multiple <location> tags should be used.

Controlling access for different users is achieved by the <allow> and <deny> tags. For example, these settings

<authorization>
    <deny users="?" />
    <allow users="collinusername,jenniferusername" />
    <deny users="*" />
</authorization>

With these settings ASP .NET will deny all unauthenticated users, then it will allow users logged with the usernames listed in the allow tag, and finally, it will deny all other users. Usernames must be unique not only because the allow tag requires so, but also because all users should be stored in a database and their usernames can be used as primary keys.

The last step is to create a login page.
The code behind a really simple such page is the following:

<p>
    <asp:Label ID="UsernameLbl" runat="server" Text="Username "> 
    </asp:Label>
    <asp:TextBox ID="Username" runat="server"></asp:TextBox>
</p>
<p>
    <asp:Label ID="PassLbl" runat="server" Text="Password "> 
    </asp:Label>
    <input id="Pass" type="password" runat="server"/></p>
<p>
    <asp:Button ID="LoginBtn" runat="server" Text="Login" 
    OnClick="LoginBtn_Click" />
</p>
<asp:Label ID="StatusLbl" runat="server"></asp:Label>

And the logic behind it:

protected void LoginBtn_Click(object sender, EventArgs e)
{
    if (Username.Text == "collinsusername" && Pass.Value == 
    "correctPassword")
    {
        FormsAuthentication.RedirectFromLoginPage(Username.Text, 
        false);
    }
    else
    {
        StatusLbl.Text = "Incorect username or password";
    }
}

This code will log anyone in if they enter a combination of “collinsusername” as username and “correctPassword” as password. Otherwise, it will display a message stating that either is incorrect. The boolean in the RedirectFromLoginPage method defines if a persistent cookie should be created. It is advised to use false in this case as it is the more secure option.

The page will look like this:

Fig 1: Login page

If we want to have a logout option (which is a good thing to do), the code behind the log out will look like this:

private void LogOut_Click(Object sender, EventArgs e)
{
    FormsAuthentication.SignOut();
    Response.Redirect("~/Login.aspx");
} 

Was this post helpful?