18.2. Developers Beware
This section discusses a list of recommendations that you should follow to secure your ASP.NET web application against malicious attacks. Several books could be written on this topic, however, this section will cover as many recommendations as possible to give you an overview of some of the practices you can follow to protect your application.
18.2.1. Know Your Users
Knowing your users takes the form of both authenticating and authorizing users accessing the web application. Authenticating the user means making sure the user is a member of your user safe-list that can access the application. On the other hand, authorizing a user means knowing what rights and privileges the user has that allows them to access resources in the application.
18.2.1.1. Authenticate Users
ASP.NET 3.5 offers several options for authenticating users. As you have seen throughout the previous chapters in the book, you can make use of Forms Authentication and Windows Authentication as out-of-the-box authentication types offered by ASP.NET, or you can develop your own custom authentication mode. Forms authentication is mainly configured when the application is accessed online by users that do not necessarily correspond to users present in the Active Directory (AD) of a domain controller. It is best suited for web applications that store the users' credentials in databases or any other suitable and secure data store. On the other hand, Windows authentication best suits local intranets ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.