Franc Stratton's .NET (TM) Web Application, OOP, and SOA Architecture & Programming Site

A site devoted to ASP.NET (TM), SilverLight (TM) and Browser-Based WPF (TM) Applications, IIS Services, and OOP Architectures

Configuration management to help prevent unauthorized access

If IIS is configured to use anonymous authentication, IIS does not challenge the browser for credentials; it creates a Windows token for the anonymous account (IUSR_MACHINENAME on IIS 5 and 6, the built-in IUSR account on IIS 7 and later) and uses that token to represent the user. IIS determines which authentication mode applies to a particular application from its own configuration (the IIS metabase on IIS 6 and earlier, applicationHost.config on IIS 7 and later). IIS then passes the token to ASP.NET, and the ASP.NET runtime reads the application's Web.config file to find the Forms Authentication setup in the <authentication mode="Forms"> section. With this arrangement, the real authentication of the user is done by Forms Authentication: after a successful login ASP.NET issues an encrypted and signed ticket in a cookie, and the <authorization> section denies anonymous users so that unauthenticated requests are redirected to loginUrl. Typically, a Web.config file set up for Forms Authentication would contain the following. Note that the machineKey values shown are sample values only: every application must generate its own keys (shared only among the servers of one web farm), and a current deployment should prefer validation="HMACSHA256" (the ASP.NET 4 default) over SHA1, set requireSSL="true" on the <forms> element, and use an HTTPS login URL.


<!-- These elements belong in the <system.web> section of the application's Web.config. -->
<system.web>

  <!--
      The <machineKey> keys are used to sign (validation) and encrypt (decryption)
      the Forms Authentication ticket. The values below are sample keys from this
      page and must be replaced with keys generated for your own application.
  -->
  <machineKey validationKey="123FFF8CF7F466FB253AF78C5AFC96A8CC874B2A9F3DF662F0DE3A57A62486FDF253397E3BE61A3098EA7A6543E8407661DD2A5DA009840A7EE2DA5EA99B7F010"
              decryptionKey="B715956BF9F134BF9E6771E610C237DD1DA49CBE345B2BB1F0413C630D1B5822"
              validation="SHA1"
              decryption="AES"/>

  <!--
      The <authentication> section enables configuration
      of the security authentication mode used by
      ASP.NET to identify an incoming user.
  -->
  <authentication mode="Forms">
    <forms
        cookieless="UseCookies"
        loginUrl="http://YourServer/Login/Login.aspx"
        name=".YourWebApp001"
        timeout="20"
        path="/"
        protection="All"
        slidingExpiration="false"
        enableCrossAppRedirects="false"/>
  </authentication>

  <!-- Deny anonymous (unauthenticated) users; ASP.NET redirects them to loginUrl. -->
  <authorization>
    <deny users="?"/>
  </authorization>

</system.web>
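As an added example (not configuration from the original page), here is the same Forms Authentication setup with the weak settings corrected: fresh per-application keys with HMACSHA256 validation, an app-relative login URL, requireSSL on the ticket cookie and on all cookies, and an explicit allow rule for the login page. The application name, the login page path, the default page and the key placeholders are assumptions for illustration.

```xml
<!-- Hardened Web.config fragment (added example; not the original page's configuration).
     Application name, login path, default page and key placeholders are assumed. -->
<configuration>
  <system.web>

    <!-- Generate fresh keys for each application (IIS Manager > Machine Key > Generate Keys,
         or any cryptographic random source) and share them only within one web farm.
         Never reuse keys that have been published on a web page. HMACSHA256 is the
         ASP.NET 4.x default validation algorithm and replaces SHA1 here. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARACTERS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARACTERS"
                validation="HMACSHA256"
                decryption="AES"/>

    <authentication mode="Forms">
      <!-- requireSSL="true": the ticket cookie is marked Secure and is only issued and
             accepted over HTTPS.
           loginUrl is app-relative, so the redirect stays on this host and scheme.
           protection="All": the ticket is both encrypted and MAC-protected with the
             machineKey above.
           slidingExpiration="false" gives the ticket an absolute 20-minute lifetime.
           enableCrossAppRedirects="false" blocks ReturnUrl redirects to other applications.
           cookieSameSite requires .NET Framework 4.7.2 or later; drop it on older runtimes. -->
      <forms
          name=".YourWebApp001"
          loginUrl="~/Login/Login.aspx"
          defaultUrl="~/Default.aspx"
          cookieless="UseCookies"
          requireSSL="true"
          protection="All"
          timeout="20"
          slidingExpiration="false"
          enableCrossAppRedirects="false"
          path="/"
          cookieSameSite="Lax"/>
    </authentication>

    <!-- Mark every cookie the application sets as HttpOnly and Secure,
         not only the Forms Authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

    <!-- Deny anonymous users everywhere by default. -->
    <authorization>
      <deny users="?"/>
    </authorization>

  </system.web>

  <!-- Explicitly allow anonymous access to the login page itself,
       so the redirect target is reachable before the ticket exists. -->
  <location path="Login/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

One consequence worth knowing before testing: with requireSSL="true" on <forms>, a call to FormsAuthentication.SetAuthCookie or RedirectFromLoginPage on a plain HTTP request throws an HttpException instead of issuing an insecure cookie, so the development site must also be served over HTTPS.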