Time-outs are the only protection.
The most reliable way to prevent someone from spoofing your site with a stolen authentication cookie is to use an encrypted communications link (HTTPS).
<forms ... loginUrl=" />
This assumes the server supports HTTPS and that Login.aspx is stored in a directory configured to use HTTPS.
Caveat Emptor: ASP.NET does not protect HTML pages. Just rename .html to .aspx to protect it.
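The slide's two points, that the time-out is the only limit on a stolen forms ticket and that HTTPS is the real protection, can be checked mechanically in web.config. The following audit script is an added example, not part of the slides: the web.config fragments are constructed, the `requireSSL`, `protection`, `timeout` and `slidingExpiration` attributes are the real `<forms>` attributes of ASP.NET (their defaults are false, All, 30 minutes and true), and the "acceptable time-out" threshold is an assumption of the example.

```python
"""Audit the <forms> element of an ASP.NET web.config for the settings the slide calls out."""
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the slides). WEAK_CONFIG relies on the
# time-out alone; HARDENED_CONFIG also requires HTTPS and caps the ticket's lifetime.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="20" requireSSL="true"
             protection="All" slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>"""


def audit_forms_auth(config_xml: str, max_timeout_minutes: int = 30) -> list:
    """Return a list of findings for the <forms> settings; an empty list means all checks pass.

    max_timeout_minutes is the example's own threshold (assumption), not an ASP.NET setting.
    """
    root = ET.fromstring(config_xml)
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return ["no Forms authentication section found"]
    forms = auth.find("forms")
    if forms is None:
        return ['<authentication mode="Forms"> has no <forms> element']

    findings = []
    # requireSSL="true" marks the ticket cookie Secure, so the browser never sends it over HTTP.
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append("requireSSL is not true: the ticket cookie can travel over plain HTTP "
                        "and be replayed if intercepted")
    # protection="All" (the default) both encrypts and signs the ticket.
    if forms.get("protection", "All") != "All":
        findings.append(f"protection={forms.get('protection')!r}: ticket is not both encrypted and signed")
    # timeout is in minutes; ASP.NET's default is 30.
    timeout = forms.get("timeout")
    try:
        minutes = int(timeout) if timeout is not None else 30
    except ValueError:
        findings.append(f"timeout {timeout!r} is not an integer number of minutes")
    else:
        if minutes > max_timeout_minutes:
            findings.append(f"timeout of {minutes} minutes exceeds the {max_timeout_minutes}-minute limit")
    # With sliding expiration (the default) every request renews the ticket, so the time-out
    # is not a hard cap on how long a stolen cookie stays valid.
    if forms.get("slidingExpiration", "true").lower() == "true":
        findings.append("slidingExpiration is true: a stolen cookie stays valid as long as it keeps "
                        "being used, so the time-out is not a hard limit")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forms_auth(cfg) or "OK")
```

Run against the two fragments, the weak configuration produces two findings (no `requireSSL`, sliding expiration left on) and the hardened one produces none.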
Windows Authentication
It maps incoming requests to accounts on the Web server or in the Web server's domain.
Use it to serve content to a well-defined populace.
Don't use it to generically expose content to all comers over the Internet.
Windows authentication on the front end is typically paired with ACL authorization (administrator controlled) on the back end. It can also be used with URL authorization (programmer controlled).
Windows Authentication
Categories of Windows Authentication:
Basic authentication: login, piggybacks on HTTP.
Digest authentication: login, piggybacks on HTTP.
Integrated Windows authentication: Windows login.
SSL client certificates: limited primarily to intranets.
Basic Authentication
An HTTP standard (documented in RFC 2617).
How it works:
On the first access, the Web server returns a 401 status code indicating what type of authentication is required:
  HTTP/1.1 401 Access Denied
  Server: Microsoft IIS-5.0
  . . .
  WWW-Authenticate: Basic realm="uakron.edu"
A realm is a logical security space that encompasses all or part of a web site.
The browser pops up a dialog box asking for a user name and password.
Basic Authentication
The browser concatenates the user name and password, Base64-encodes the result, and sends it in the Authorization header of an HTTP request:
  Authorization: Basic SmVmZjppbWJhdG1hbg==
The browser includes the same Authorization header in each future request to the same realm.
IIS maps the user name and password to an account on the web server, producing an access token.
The access token is used to perform ACL-based security checks.
Basic Authentication
Pros of Basic Authentication:
It works with virtually all browsers.
Easy to use.
It works well with firewalls.
Cons of Basic Authentication:
Nothing prevents requests from being intercepted and used to gain access to your server.
Some users consider pop-up dialogs intrusive.
Better used with HTTPS than with plain HTTP.
Digest Authentication
Documented in RFC 2617.
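The three Basic Authentication slides above describe one exchange: the 401 challenge, the Base64 `user:password` credential the browser attaches to every later request, and the server mapping that credential to an account. The script below is an added example, not code from the slides or from IIS; it models both sides of that exchange in Python, uses the slide's own `realm` and `Authorization` values, and stands in for IIS's account mapping with a constructed dictionary. The refusal of credentials over plain HTTP is the example's own policy (the slide's "better used with HTTPS" point), not IIS behaviour.

```python
"""Model of the HTTP Basic Authentication exchange (RFC 2617) described on the slides."""
import base64
import binascii
import hmac

REALM = "uakron.edu"

# Constructed credential store standing in for the accounts IIS maps credentials to.
# The slide's sample header decodes to exactly this user/password pair.
ACCOUNTS = {"Jeff": "imbatman"}


def challenge(realm: str) -> dict:
    """Server side: the first request to a protected resource gets a 401 plus a challenge."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{realm}"'}


def build_authorization(user: str, password: str) -> str:
    """Client side: user:password, Base64-encoded, carried in the Authorization header."""
    if ":" in user:
        raise ValueError("user name may not contain ':' (RFC 2617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header: str) -> tuple:
    """Recover the user name and password from an Authorization header.

    Anyone who intercepts the header can do this: Base64 is an encoding, not encryption,
    which is the slide's 'nothing prevents requests from being intercepted' point.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user, password


def authenticate(headers: dict, *, https: bool) -> dict:
    """Server side: map the credential to an account (stand-in for the IIS access token).

    Returns the challenge when no valid credential is present, and a 403 when the
    credential arrived over plain HTTP (this example's policy, not IIS behaviour).
    """
    if not https:
        return {"status": 403, "reason": "Basic credentials are only accepted over HTTPS"}
    auth = headers.get("Authorization")
    if auth is None:
        return challenge(REALM)
    try:
        user, password = decode_authorization(auth)
    except ValueError:
        return challenge(REALM)
    expected = ACCOUNTS.get(user)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge(REALM)
    return {"status": 200, "principal": user}


if __name__ == "__main__":
    print(authenticate({}, https=True))                       # the 401 challenge
    header = build_authorization("Jeff", "imbatman")          # what the browser sends
    print(header, "->", decode_authorization(header))         # trivially reversible
    print(authenticate({"Authorization": header}, https=True))
    print(authenticate({"Authorization": header}, https=False))
```

Decoding the slide's own header, `Basic SmVmZjppbWJhdG1hbg==`, yields `Jeff` / `imbatman` with no key involved, which is why the same header replayed by whoever captured it is accepted just as readily as the original.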