Security is one of the most important concerns in application software development. Building a robust security model is one of the most important factors that drive the success of application software. As far as security in ASP.NET is concerned, three terms come into my mind, i.e., Authentication, Authorization and Impersonation. Put simply, authentication authenticates the user’s credentials and authorization relates to the resources that an authenticated user has access to. This article is the first in a series of articles on ASP.NET security and discusses these concepts and their applicability.

Let us start our discussion with a brief outline on the sequence of events are as far as authentication and authorization are concerned when a new request comes in. When a new request arrives at IIS, it first checks the validity of the incoming request. If the authentication mode is anonymous (default) then the request is authenticated automatically. But if the authentication mode is overridden in the web.config file settings, IIS performs the specified authentication check before the request is passed on to ASP.NET.

ASP.NET then checks whether Impersonation is enabled or not. We will discuss impersonation later in this article. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing the task; otherwise, the application executes with the identity of the IIS local machine and the privileges of the ASP.NET user account. Finally, the ASP.NET engine performs an authorization check on the resources requested by the authenticated user and if the user is authorized, it returns the request through IIS pipeline.
The following section discusses Authentication, Authorization and Impersonation and how we can implement them in ASP.NET applications.

Authentication determines whether a user is valid or not based on the user’s credentials. Note that a user can be authorized to access the resources provided the user is an authenticated user. The application’s web.config file contains all of the configuration settings for an ASP.NET application. An authentication provider is used to prove the identity of the users in a system.
There are three ways to authenticate a user in ASP.NET:
* Forms authentication
* Windows authentication
* Passport authentication

Forms Authentication
This is based on cookies where the user name and the password are stored either in a text file or a database. It supports both session and persistent cookies. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When the user has not logged in and requests for a page that is secured, he or she is redirected to the login page of the application. The following code snippet illustrates how this can be implemented in ASP.NET.

Note that the symbol “?” indicates all Non Authenticated and Anonymous users. Typically, the user enters the username and the password, clicks the login button and the form validates the values against values from that stored in a persistent store, usually a database. The following code snippet illustrates how this can be validated.

String username = txtUserName.Text;
String password = txtPassword.Text;
bool isUserValid = false;
//Code to validate the user name and password

FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);

else // User is not valid

lblMessage.Text = “Invalid login…”;

The RedirectFromLoginPage method creates an authentication ticket and is used to redirect an authenticated user back to the originally requested URL or the default URL. The following code snippet illustrates how we can specify the user’s credentials in the application’s web.config file.

However you choose the above technique of authentication you should provide a means of encrypting the configuration file for security reasons. I will discuss these and other issues in the forthcoming articles in this series of articles on ASP.NET Security.

You can also use Forms Authentication to verify the user’s credentials using a database where the user’s credentials are stored. The following code example illustrates how this can be achieved. The method ValidateUserCredentials accepts a user name and the password, connects to the database where the user’s credentials is stored and verifies whether the supplied user’s credentials are correct.

private bool ValidateUserCredentials(String userName, String password)
// Connect to the database where the user credentials are stored and then verify whether the user’s credentials that
// are passed as parameters to this method are correct. The method would return true if success, false otherwise.

The above method can be called as illustrated in the code snippet below.

bool isAuthenticatedUser = false;
isAuthenticatedUser = ValidateUserCredentials(txtUserName.Text,txtPassword.Text);
catch(Exception ex)
//Some typical exception handling code

if (isAuthenticatedUser = = true )
//The user is authenticated, hence, redirect to the appropriate web form and/or display appropriate messages to the user

//Display appropriate messages to the user indicating that the user is not authenticated

Windows Authentication
Windows Authentication is used to validate a user based on the user’s Windows Account; however, this is only applicable in intranet environments where the administrator has full control over the users in the network. The following code snippet illustrates how we can implement Windows Authentication in ASP.NET.

Note that the symbol “*” indicates all users inclusive of Authenticated and Anonymous users.
Windows authentication can be of the following types
* Anonymous Authentication
* Basic Authentication
* Digest Authentication
* Integrated Windows Authentication

1. In the Anonymous Authentication mode IIS allows any user to access an ASP.NET application without any authentication checking.
2. In Basic Authentication mode users will be required to provide the Windows user name and password; however, this is very insecure.
3. The Digest Authentication mode is identical to Basic Authentication with the exception that the password is hashed before it is sent across the network.
4. In Integrated Windows Authentication mode, the passwords are not sent across the network; rather, the application uses some network authentication protocols for it to operate.

Passport Authentication
Passport authentication is a centralized authentication service that uses Microsoft’s Passport Service to authenticate the users of an application. It allows the users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. The following code snippet illustrates how we can implement Passport Authentication in ASP.NET.

Authorization is the process of determining the accessibility to a resource for a previously authenticated user. Note that authorization can only work on authenticated users, hence ensuring that no un-authenticated user can access the application. The syntax for specifying authorization in ASP.NET is as follows.

In ASP.NET, there are the following types of authorizations.

* URL Authorization
* File Authorization
* Authorization based on ACLs (Access Control List)

1. File Authorization is performed by the FileAuthorizationModule, and is active when the application is configured to use Windows authentication. It checks the access control list ( ACL ) of the file to determine whether a user should have access to the file. ACL permissions are verified for the Windows identity or, if impersonation is enabled, for the Windows identity of the ASP.NET process.

2. URL authorization is performed by the URLAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.”
3. Authorization like authentication is specified in the web.config file of the application. The following is an example of how we can use authorization in ASP.NET using the application’s configuration file.

It is also possible to specify the location to which the authorization settings defined in that particular location is applicable. Refer to the following code snippet that illustrates this.

You can also restrict or grant a GET or POST to one or more users of the ASP.NET application. The following code snippet illustrates how we can allow the user “Kapil” to do a POST while the other users can do only a GET.


According to MSDN, “When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user and either pass an authenticated token to the ASP.NET application or, if unable to authenticate the user, pass an unauthenticated token. In either case, the ASP.NET application impersonates whichever token is received if impersonation is enabled. The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set”.

Note that Impersonation is disabled by default and can be specified in the web.config file as shown in the code snippet given below.


To impersonate a particular identity, specify the following in your application’s web.config file.