Security Concerns...

From: Alex (abrizuela@cauinsure.com)
Date: 12/09/02



Hi all.

I am new to ASP.NET and its security framework.
Have used Site Server for security purposes in the past.

2 concerns I have while implementing our ASP.Net site using Forms Authentication.

1. I find it strange that the actual credential authentication is decoupled from the authentication ticket (cookie) creation (and redirection). That is, it is possible to call FormsAuthentication.RedirectFromLoginPage and allow access without really having to call FormsAuthentication.Authenticate to verify credentials. Seems to me like a less secure system than if the 2 steps were coupled.

    Again, being new to this, this just gives me an uneasy feeling. Unless there is something that I'm failing to see. Maybe there is another way to enforce that the authentication cookie creation doesn't happen unless the credentials have been verified first against the credential store.

2. The other thing I find strange (again I'm a newbie) is why, by default, only aspx content is protected with forms authentication. If I have other files (like htm or gif) in my secure content folder, these are not protected. I have to go map the file's extensions to use the asp.net dll before they can become protected. Seems contrary to the 'lock everything first and open up as needed' security premise. Is this because of performance issues? Is there a way to have all files be secured by default? Something such as mapping *.* to the aspnet.dll in the web mappings so everything is protected. Again, maybe there is something I am failing to see.

Any comments to help set me straight would be appreciated.
Thanks in advance.

    -alex b
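On the first concern, the coupling the post asks for is not enforced by the framework, but it can be enforced by application design: route every sign-in through a single helper that only ever calls RedirectFromLoginPage after the credential store has said yes. The following login code-behind is an added illustration, not code from the post or from the ASP.NET framework; the class and control names (Login, UserName, Password, Persist, Message, LoginButton_Click, SignInIfVerified) are assumptions, and FormsAuthentication.Authenticate is used here as the credential check only because it is the one the post mentions (it validates against the <credentials> section of web.config; a real site would substitute its own store lookup at that one point).

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: hypothetical login page for an ASP.NET 1.x Forms Authentication site.
public class Login : Page
{
    // Server controls declared in the .aspx page (names assumed for this example).
    protected TextBox UserName;
    protected TextBox Password;
    protected CheckBox Persist;
    protected Label Message;

    // The only method in the application allowed to issue a forms ticket.
    // The ticket/redirect step is unreachable unless the verification step
    // succeeded immediately before it, which is the coupling the post asks for.
    // A code review can then check that no other code calls RedirectFromLoginPage
    // or SetAuthCookie directly.
    private static bool SignInIfVerified(string user, string password, bool persist)
    {
        // Never issue a ticket for an empty identity, whatever the store says.
        if (user == null || user.Length == 0)
        {
            return false;
        }

        // Credential verification. Assumption: web.config <credentials> is the store here;
        // replace this single call with a lookup against your real credential store.
        if (!FormsAuthentication.Authenticate(user, password))
        {
            return false;
        }

        // Only reached after a positive verification: create the cookie and redirect.
        FormsAuthentication.RedirectFromLoginPage(user, persist);
        return true;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!SignInIfVerified(UserName.Text, Password.Text, Persist.Checked))
        {
            // Same message for unknown user and wrong password, so the page
            // does not reveal which accounts exist.
            Message.Text = "Invalid user name or password.";
        }
    }
}
```

Because RedirectFromLoginPage ends the response, SignInIfVerified only returns to the click handler on failure, so the handler has nothing to do on the success path. Keeping the helper private and static gives the reviewer one place to audit the verify-then-issue order.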
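On the second concern, the "lock everything first" posture can be expressed in web.config, but it only takes effect for requests that reach ASP.NET. This is an added web.config fragment, not from the post; it assumes the login page is named login.aspx and that, as the post describes, the static extensions in the protected folder (.htm, .gif) have been mapped to the ASP.NET ISAPI dll in the IIS application mappings. Files whose extension is not mapped are served by IIS itself and the authorization rule below is never consulted for them.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Assumed values: cookie name, login page, encrypted+signed ticket, 30 minute lifetime. -->
      <forms name=".AUTHCOOKIE" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Default-deny: "?" is the anonymous user. Everything that passes through
         ASP.NET now requires a valid forms ticket unless a <location> opens it up. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Open up only what anonymous users need: the login page itself. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The weaker default the post describes is the same file without the extension mappings: the deny rule looks complete, yet an .htm or .gif in the protected folder is still fetched anonymously because ASP.NET never sees the request. A quick check after configuring is to request such a file in a fresh browser session and confirm you are redirected to login.aspx rather than served the content.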


