18.4. Summary

The first step in protecting an ASP.NET web application starts by knowing and trusting the users accessing your application and to decide whether they can access the private sections of the application. Once the users are authenticated, the application should decide on what each user can access from resources in the application and hence, authorize those users.

Once the end-user starts using the application and submitting data into the application, it is very important to validate the user input and consider any input sent into the application as potentially bad and malicious. Every input should be well-validated. Thoroughly validating user input helps protect the application from many threats, including Cross-Site scripting, SQL injection, Cross-Site Request Forgery, and many other types of attacks. Validating user input primarily means validating the type, format, length and range of the input data.

User input not only targets form fields, but also covers cookies and query strings. These should also be validated as normal user input data. Moreover, cookies should be handled with special treatment, which includes encrypting the data that you store in a cookie, setting a small expiration date on the cookie, and finally, making use of the Secure and HttpOnly public properties to help better protect the application's cookies.

Finally, securing the communication between the web server and the different clients, and between the web server and the database server using ...

Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.