Franc Stratton's .NET (TM) Web Application, OOP, and SOA Architecture & Programming Site

A site devoted to ASP.NET (TM), SilverLight (TM) and Browser-Based WPF (TM) Applications, IIS Services, and OOP Architectures

Configuration management to help prevent access

If IIS is configured to use anonymous authentication, IIS authenticates the user and creates a Windows token to represent that user. IIS determines the authentication mode it should use for a particular application by looking at the IIS metabase settings. A token for the IUSR_MACHINE account is generated and then used to represent the anonymous user. IIS then passes the token to ASP.NET, whose runtime reads the Forms Authentication setup from the application's Web.config file. Typically, a Web.config file set up for Forms Authentication would contain:

<!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
-->
<!--
    The machineKey values below are sample values; generate
    unique keys for each deployment.
-->
<machineKey validationKey="123FFF8CF7F466FB253AF78C5AFC96A8CC874B2A9F3DF662F0DE3A57A62486FDF253397E3BE61A3098EA7A6543E8407661DD2A5DA009840A7EE2DA5EA99B7F010" decryptionKey="B715956BF9F134BF9E6771E610C237DD1DA49CBE345B2BB1F0413C630D1B5822" validation="SHA1" decryption="AES"/>
<authentication mode="Forms">
    <forms
        cookieless="UseCookies"
        loginUrl="http://YourServer/Login/Login.aspx"
        name=".YourWebApp001"
        timeout="20"
        path="/"
        protection="All"
        slidingExpiration="false"
        enableCrossAppRedirects="false">
    </forms>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>