Reviewing Code for Authentication - Revision history

Rahimjina: Review

2008-08-26T21:22:19Z

Review

Jcmax: Classic ASP technology inclusion

2008-06-07T23:57:26Z

Classic ASP technology inclusion

Wichers: Authentication (Code review) moved to Reviewing Code for Authentication

2007-01-26T20:31:47Z

Authentication (Code review) moved to Reviewing Code for Authentication

EoinKeary at 09:10, 9 January 2007

2007-01-09T09:10:25Z

Raj28 3 at 11:01, 7 December 2006

2006-12-07T11:01:18Z

New page

== '''Introduction''' ==
“Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Depending on your requirements, there are several available authentication mechanisms to choose from. If they are not correctly chosen and implemented, the authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.

== '''Authentication''' ==
In the .NET, there is Authentication tags in the configuration file.

The <'''authentication'''> element configures the authentication mode that your applications use.

<'''authentication'''>

The appropriate authentication mode depends on how your application or Web
service has been designed. The default Machine.config setting applies a secure
Windows authentication default as shown below.

''' authentication Attributes:mode="[Windows|Forms|Passport|None]" '''

<authentication mode="Windows" />

''' Forms Authentication Guidelines '''
To use Forms authentication, set mode=“Forms” on the <authentication> element.
Next, configure Forms authentication using the child <forms> element. The
following fragment shows a secure <forms> authentication element configuration:

<authentication mode="Forms">
<forms loginUrl="Restricted\login.aspx" Login page in an SSL protected folder
protection="All" Privacy and integrity
requireSSL="true" Prevents cookie being sent over http
timeout="10" Limited session lifetime
name="AppNameCookie" Unique per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding session lifetime
</forms>
</authentication>

Use the following recommendations to improve Forms authentication security:
* Partition your Web site.
* Set protection=“All”.
* Use small cookie time-out values.
* Consider using a fixed expiration period.
* Use SSL with Forms authentication.
* If you do not use SSL, set slidingExpiration = “false”.
* Do not use the <credentials> element on production servers.
* Configure the <machineKey> element.
* Use unique cookie names and paths.

@@ Line 50: / Line 50: @@
 * Use unique cookie names and paths.
-For classis ASP pages authentication is usually peformed manually by including the user information in session variables after validation against a DB, so you can look for something like:
+For classic ASP pages, authentication is usually performed manually by including the user information in session variables after validation against a DB, so you can look for something like:
   Session ("UserId") = UserName
   Session ("Roles") = UserRoles
 [[Category:OWASP Code Review Project]]

← Older revision		Revision as of 09:10, 9 January 2007
Line 49:		Line 49:
	* Configure the <machineKey> element.		* Configure the <machineKey> element.
	* Use unique cookie names and paths.		* Use unique cookie names and paths.
		+	[[Category:OWASP Code Review Project]]

← Older revision	Revision as of 20:31, 26 January 2007
(No difference)