Web-Application Security

Many web applications have portions that should be viewed or used only by certain users. In such applications, users must somehow identify themselves to the application so that the application can then determine what the users may access. In security terminology, the process of identifying the user is known as authentication. After authentication occurs, the system must determine whether the given user is permitted to access the requested resource. This is called authorization. The part of the application to be protected is known as a protected resource .


Authentication is the process by which a web application reliably discovers the identity of an application user. The purpose of discovering the user’s identity is to determine whether the user is authorized to access a given resource. Depending on the application, the accuracy of this process may be critical. An online-banking application, for example, must be quite sure that the user who claims to be you really is you before it allows the user to transfer all of your money to a bank in Bora-Bora. There are different ways that this can be done, depending on the type of application being written and on the level of protection required.

ASP.NET supports several authentication mechanisms:

Forms authentication

Allows the developer to design a login form that is presented to the user when she attempts to access a protected resource. If the user successfully logs in, the browser is directed ...

Get Programming Visual Basic .NET now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.