First and foremost, in ASP.NET it is important to use the built-in Forms Authentication rather
than rolling your own authentication framework. This gives you plenty of flexibility in
constructing your login routines and you can still rely on the sophisticated authorization
features provided by the ASP.NET framework.
Also, if you are using ASP.NET 2.0, Forms Authentication has been greatly enhanced
by providing a number of ready-made user controls for user logins, password recovery and new user
creation. Pre-existing user databases and login routines have been created for Microsoft Access and
Microsoft SQL Server, and other user data sources can be created by implementing your own
Membership and Role Providers. Relying on these built-in framework capabilities reduces the amount
of code that has to be written, decreases implementation time, and helps reduce the number of
security flaws in your applications.
Next, be sure to run your login routines over HTTPS. This prevents
malicious attackers from observing or modifying login traffic that would reveal sensitive username
and password information.
When designing an authentication scheme, you also want to make sure you are requiring the right
credentials. The standard username/password authentication scheme has its flaws, but it is probably
not going away any time soon. However, you should be careful not to use semi-public information
such as Social Security numbers or driver license numbers for usernames. These are too easy to
guess or steal and can lead to brute force attacks. You should also require some form of strong
passwords. Preferably, passwords will be of arbitrary length and require alphabetic, numeric and
special characters. This makes them difficult to guess. Although, if you allow special characters,
take care that these characters don't open your application up to injection
If you have to implement your own username and password verification routines (for example if
you are using ASP.NET 1.1 or if you are creating custom Providers in ASP.NET 2.0), be sure to
follow standard secure coding practices. All user input should be assumed to be evil and not to be
trusted. You should have set policies for what characters are acceptable for usernames and
passwords and user-supplied credentials should be positively validated to match these patterns
rather than just being checked for known "bad" characters. Watch for potential injection attacks
against data stores such as databases or LDAP directories
-- use stored procedures or parameterized queries.
Given the authentication and authorization capabilities built in to the ASP.NET platform, it is easier than ever to create secure login pages. By following some simple guidelines you should be able to reduce your attack surface and increase the security of your application.
This was first published in May 2006