ASP.NET Forms Authentication in version 2.0

RELATED CONTENT Application Security Are SQL injection attacks really a big software security risk? Beating software's cross-site scripting, authentication problems Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? Security testing sales, marketing websites Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Open source application security testing tools Building security into the SDLC (Software development life cycle) ALM boundaries are expanding in application development Top software testing and quality assurance news stories from 2009 Aligning business goals with Focus Stories Which requirements have the greatest effect on quality in software development? How to write an SRS document for three different databases Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary SQL injection  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Dan Cornell Pose a Question Other Software Quality Categories Meet all Software Quality Experts Become an Expert for this site

ANSWERED March 2006:
ASP.NET application security has benefited from features in Forms Authentication for version 2.0. In short, ready-made UI components and data management implementations have made it a lot simpler to add mature authentication and authorization capabilities to your Web applications.

ASP.NET 2.0 adds a number of components with ready-made implementations of functionality that had to be built by hand in the ASP.NET 1.1 version. Examples of these include login forms, user creation wizards and password recovery logic. By providing these capabilities out of the box, it is faster to get secure Web applications up and running, and the use of the security-tested ASP.NET framework controls is typically going to be preferable over hand-coding new implementations for each new application.

ASP.NET application security resources Forms Authentication -- Chapter 5, Professional ASP.NET 2.0 Security, Membership and Role Management Login and user management controls in ASP.NET Migrating users and passwords to ASP.NET 2.0

Previously, applications using Forms Authentication had to create and maintain their own data store for users and their roles. These were typically stored in a couple of tables in a database such as Microsoft SQL Server. In ASP.NET 2.0, implementations are provided to handle these ubiquitous tasks for both Microsoft Access as well as Microsoft SQL Server. The specifics of accessing these data stores are hidden behind interfaces employing the Provider design pattern, so while most applications will be satisfied with the SQL or Access versions, it is straightforward to create new implementations if the user and role data are stored in another data store such as an LDAP directory or XML files.

By using these new controls and ready-made data storage implementations, it is a lot faster to get Forms Authentication-based applications up and running. This is a benefit to both developer productivity as well as application security.