Ask The Software Quality Expert: Questions & Answers
How to create a secure login page using ASP.NET

Expert response from: Dan Cornell

QUESTION POSED ON: 01 May 2006
What security precautions should we take when creating a login page?


First and foremost, in ASP.NET it is important to use the built-in Forms Authentication rather than rolling your own authentication framework. This gives you plenty of flexibility in constructing your login routines while still letting you rely on the authorization features the ASP.NET framework already provides (URL authorization, role checks and the signed, encrypted authentication ticket).

Also, if you are using ASP.NET 2.0, Forms Authentication has been greatly enhanced with a number of ready-made user controls for user login, password recovery and new user creation. Pre-built user databases and login routines exist for Microsoft Access and Microsoft SQL Server, and other user data sources can be supported by implementing your own Membership and Role Providers. Relying on these built-in framework capabilities reduces the amount of code that has to be written, decreases implementation time and helps reduce the number of security flaws in your application.

Next, be sure to run your login routines over HTTPS. This prevents an attacker on the network from observing or modifying login traffic and recovering usernames and passwords. Serve the page that renders the login form over HTTPS as well, not only the page that receives the POST: a form delivered over plain HTTP can be altered in transit so that it submits the password somewhere else. In ASP.NET 2.0, also set requireSSL="true" on the forms element in web.config so that the authentication cookie is marked Secure and the browser never sends it over HTTP.
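The following is an added example, not code from the original answer, showing what the two points above look like in an ASP.NET 2.0 login page: the code-behind relies on the built-in Membership and Forms Authentication APIs instead of a home-grown session flag, and it refuses to render or process the form over plain HTTP. The web.config fragment in the comment, the control names (UserName, Password, Message, LoginButton) and the use of the stock SqlMembershipProvider as the user store are assumptions for the sake of the example.

```csharp
// Added example (not from the original answer): code-behind for a hypothetical Login.aspx
// that uses ASP.NET 2.0 Forms Authentication + Membership and insists on HTTPS.
// Assumes a web.config containing:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All" timeout="20" />
//   </authentication>
// and the stock SqlMembershipProvider (schema created with aspnet_regsql.exe) as the user store.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Hypothetical controls declared on Login.aspx.
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsSecureConnection)
        {
            if (Request.HttpMethod == "POST")
            {
                // Credentials that arrived in the clear are never processed.
                Response.StatusCode = 403;
                Response.End();
            }

            // Serve the form itself over HTTPS, not just the POST target: a form delivered over
            // HTTP can be rewritten on the wire to post the password elsewhere.
            UriBuilder secure = new UriBuilder(Request.Url);
            secure.Scheme = Uri.UriSchemeHttps;
            secure.Port = -1;   // default port for the new scheme
            Response.Redirect(secure.Uri.AbsoluteUri, true);
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The home-grown pattern this replaces: a session flag that every protected page has to
        // remember to check, with nothing tying it to a signed, encrypted ticket.
        //   if (MyDb.CheckPassword(UserName.Text, Password.Text)) Session["LoggedIn"] = true;

        string user = UserName.Text.Trim();

        // ValidateUser delegates to the configured MembershipProvider, which owns password
        // hashing, lockout counters and the user store.
        if (Membership.ValidateUser(user, Password.Text))
        {
            // Issues the forms-authentication ticket as a cookie (encrypted and signed because of
            // protection="All", marked Secure because of requireSSL="true") and then follows the
            // ReturnUrl the framework added when it bounced the user here. false = no persistent
            // "remember me" cookie.
            FormsAuthentication.RedirectFromLoginPage(user, false);
            return;
        }

        // The same message for "no such user" and "wrong password", so the page does not help an
        // attacker enumerate valid user names.
        Message.Text = "Invalid user name or password.";
    }
}
```

With requireSSL="true" in place, RedirectFromLoginPage throws an HttpException if it is ever reached over HTTP; the check in Page_Load keeps that from becoming a user-visible error and, more importantly, keeps the password from being posted in the clear in the first place.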

When designing an authentication scheme, you also want to make sure you are requiring the right credentials. The standard username/password scheme has its flaws, but it is probably not going away any time soon. However, you should be careful not to use semi-public information such as Social Security numbers or driver's license numbers as usernames. These are too easy to guess or steal, and they hand an attacker a ready-made list of valid accounts to brute force. You should also require some form of strong password. Preferably, passwords will be of arbitrary length (enforce a minimum, not a maximum) and require alphabetic, numeric and special characters, which makes them difficult to guess. If you allow special characters, take care that these characters do not open your application up to injection attacks: never build a query or command string out of a password or username.

If you have to implement your own username and password verification routines (for example if you are using ASP.NET 1.1, or if you are creating custom Providers in ASP.NET 2.0), be sure to follow standard secure coding practices. All user input should be assumed to be hostile and not to be trusted. Set policies for what characters are acceptable in usernames and passwords, and positively validate user-supplied credentials against those patterns rather than just checking for known "bad" characters. Watch for injection attacks against data stores such as databases or LDAP directories: use stored procedures or parameterized queries, and never concatenate credentials into a query.
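As an added example (not code from the original answer), the following is the verification routine a custom MembershipProvider's ValidateUser override could call. It covers the two preceding paragraphs: positive validation of the username and a password policy with a minimum length and required character classes, and a parameterized SQL Server lookup shown beside the concatenated query it replaces. The Users table layout, the salted PBKDF2 storage format (Rfc2898DeriveBytes, which ships with .NET 2.0) and the iteration count are assumptions; the page itself does not prescribe a storage scheme.

```csharp
// Added example (not from the original answer). Hypothetical schema assumed:
//   CREATE TABLE Users (UserName nvarchar(64) PRIMARY KEY, Salt varbinary(16),
//                       PasswordHash varbinary(32), Iterations int)
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class CredentialStore
{
    // Positive validation: state what IS allowed instead of hunting for "bad" characters.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._-]{3,64}$", RegexOptions.Compiled);

    public static bool IsAcceptableUserName(string userName)
    {
        return userName != null && UserNamePattern.IsMatch(userName);
    }

    // Password policy: a minimum length, no maximum, and the three classes the answer asks for.
    public static bool MeetsPasswordPolicy(string password)
    {
        if (password == null || password.Length < 12) return false;
        bool alpha = false, digit = false, special = false;
        foreach (char c in password)
        {
            if (char.IsLetter(c)) alpha = true;
            else if (char.IsDigit(c)) digit = true;
            else special = true;   // quotes, semicolons, dashes etc. are all fine here
        }
        return alpha && digit && special;
    }

    // VULNERABLE form (what the answer warns against): credentials concatenated into SQL.
    // A user name of   admin'--   comments out the password check entirely.
    //   string sql = "SELECT COUNT(*) FROM Users WHERE UserName='" + userName +
    //                "' AND Password='" + password + "'";

    public static bool VerifyCredentials(string connectionString, string userName, string password)
    {
        // Reject anything outside the allowed pattern before it gets anywhere near the store.
        if (!IsAcceptableUserName(userName) || password == null) return false;

        byte[] salt = null, storedHash = null;
        int iterations = 0;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterized: the user name travels to the server as data, never as SQL text.
            cmd.CommandText =
                "SELECT Salt, PasswordHash, Iterations FROM Users WHERE UserName = @UserName";
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["Salt"];
                    storedHash = (byte[])reader["PasswordHash"];
                    iterations = reader.GetInt32(2);
                }
            }
        }

        // Unknown user: still do the key derivation so the response time does not reveal
        // whether the user name exists.
        if (salt == null)
        {
            salt = new byte[16];
            storedHash = new byte[32];
            iterations = 10000;   // assumed work factor for the dummy comparison
        }

        // The password itself is never placed in a query; it only goes through the KDF, so the
        // special characters the policy requires cannot cause injection.
        byte[] candidate = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(32);
        return FixedTimeEquals(candidate, storedHash);
    }

    // Compare every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A custom provider would call CredentialStore.VerifyCredentials from its ValidateUser override and CredentialStore.MeetsPasswordPolicy from CreateUser and ChangePassword; the validation of the username happens before any database round trip, which is the "positively validate, then query" order the answer describes.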

Given the authentication and authorization capabilities built in to the ASP.NET platform, it is easier than ever to create secure login pages. By following some simple guidelines you should be able to reduce your attack surface and increase the security of your application.

More information
Forms authentication differences in ASP.NET 2.0
Learning Guide: Developing secure .NET applications
OWASP guide to building secure Web applications and Web services: Authentication




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy