Thursday, April 12, 2018

MVC Security

1. ASP.NET Identity: ASP.NET Identity can be used with all ASP.NET frameworks such as Web Forms, MVC, etc.

ASP.NET Identity has been developed with features like two-factor authentication, account lockout,
account confirmation by mail, and social login (Gmail, Facebook). It is fully OWIN-compliant,
and we can also manage roles using Identity.

Here are the packages we need to download for ASP.NET Identity 2.0.0:

Microsoft.AspNet.Identity.EntityFramework Version 2.0.0 - Contains the Entity Framework implementations of the identity types. These types are used to store and manage information for identity users, roles, claims, logins, etc.

Microsoft.AspNet.Identity.Core Version 2.0.0 - Contains the classes and interfaces for managing users and roles in ASP.NET Identity, including classes for user validation, user login information, etc.

Microsoft.AspNet.Identity.OWIN Version 2.0.0 - Contains the classes used to manage identities associated with OWIN.

2. XSS attack (cross-site scripting): anyone can enter malicious HTML or JavaScript into your site and use it to steal information.
To prevent this, use the AntiXSS DLL, which provides a Sanitizer class to verify that HTML entered by a user is safe (if a field is required to accept HTML at all).

3. CSRF (cross-site request forgery): once a user logs in with Forms Authentication, your site sends the user's browser an authentication cookie, and on every subsequent request to the site the browser sends
that cookie along, so ASP.NET sees the user as already authenticated. In the meantime, if the user clicks a malicious link, it may send a request to the same site with the same authentication cookie and steal information.

To prevent this you should use ValidateAntiForgeryToken on both sides: in the HTML form and on the action method.
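The two protections above (the AntiXSS Sanitizer for user-entered HTML and the anti-forgery token on both the form and the action) put together in one MVC controller. This is an added example, not code from the original post; the CommentViewModel, CommentsController and the comment-form view are hypothetical, and the Razor form that emits the token is shown in the comment above the GET action.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library: Sanitizer.GetSafeHtmlFragment

// Hypothetical view model for a comment form (not from the post).
public class CommentViewModel
{
    [Required]
    [AllowHtml] // MVC request validation would otherwise reject markup; we sanitise it below instead
    public string Body { get; set; }
}

[Authorize] // Forms Authentication / ASP.NET Identity: only signed-in users reach these actions
public class CommentsController : Controller
{
    // GET: /Comments/Create
    // The matching Razor view must render the hidden token next to the form fields,
    // which is the "HTML side" of the anti-forgery check:
    //   @using (Html.BeginForm()) {
    //       @Html.AntiForgeryToken()
    //       @Html.TextAreaFor(m => m.Body)
    //       <input type="submit" value="Post" />
    //   }
    [HttpGet]
    public ActionResult Create()
    {
        return View(new CommentViewModel());
    }

    // POST: /Comments/Create
    [HttpPost]
    [ValidateAntiForgeryToken] // CSRF: rejects a POST whose form token does not match the cookie token,
                               // so a request forged from a malicious link is refused even though
                               // the browser still sends the authentication cookie
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // XSS: keep only safe HTML; script tags, event handlers and javascript: URLs are stripped
        string safeBody = Sanitizer.GetSafeHtmlFragment(model.Body);

        // ... persist safeBody with a hypothetical repository, never the raw model.Body ...
        return RedirectToAction("Index");
    }
}
```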
