Chat
Topic: Building Secure Web Applications using ASP.NET 2.0 ("Whidbey")
Chat Expert: Gaurav Khanna
March 9, 2005

subhashini (Moderator): Hi all, the chat starts at 5.00 pm IST.

subhashini (Moderator): Hello everybody. A very good evening to all of you.

subhashini (Moderator): Welcome to today's chat on Building Secure Web Applications using Whidbey.

subhashini (Moderator): We have Gaurav Khanna with us today.

Gkhanna (Expert): Hello All!

subhashini (Moderator): Yup, I am sure most of you already know him.

subhashini (Moderator): :-) But to give a quick brief about him.

subhashini (Moderator): Gaurav is with Microsoft as a Developer Evangelist.

subhashini (Moderator): Gaurav works as a Communities Developer Evangelist at Microsoft. He owns the developer events, like TechED, MSDN, DevDays, that Microsoft executes in India, in addition to working with developer communities across the country to help them understand and use Microsoft technologies better and be more productive. Before joining Microsoft, Gaurav worked with Hewlett Packard as a Software Engineer in the Telecom BU and was an MVP for over 2 years. He speaks at various Microsoft events, runs www.wintoolzone.com and occasionally writes for IT publications in the country.

Gkhanna (Expert): Whidbey is the code name for the next version of the .NET FX.

subhashini (Moderator): Now, before we start, a few chat rules.

subhashini (Moderator): Please refrain from sending any private messages to the expert during the chat.

subhashini (Moderator): Chat Procedures: This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off-topic questions after this chat is over.

subhashini (Moderator): So let's get the chat rolling.

subhashini (Moderator): Hi Gaurav.

Gkhanna (Expert): Thank you Subhashini.

Gkhanna (Expert): And good evening to all of you.

Gkhanna (Expert): With the good number of you here, it implies that you do work with ASP.NET and want to know how we have worked towards making it a better developer tool for building secure web apps.

Gkhanna (Expert): So, let me give a brief backgrounder to the enhancements in ASP.NET 2.0 from a secure web-app dev perspective.

Gkhanna (Expert): I am sure you all develop (more often than not) web apps which require authenticated users to be able to use the web app.

Gkhanna (Expert): For this, you would be using Forms Authentication, many a time if not always, to protect your web applications from use by unauthenticated users.

Gkhanna (Expert): Now - the first enhancement that we have done in ASP.NET 2.0 is to add support for using Forms Authentication without cookies.

Gkhanna (Expert): For those who are not very familiar with how Forms Authentication works, here's a little intro...

Gkhanna (Expert): When you navigate to a protected page, ASP.NET (when Forms Authentication is in use) checks whether the user has been authenticated or not by checking the presence of a cookie on your system. If the cookie is not found, or is found but is time-expired, you are redirected to the login page.

Gkhanna (Expert): But what if your browser doesn't support cookies? As of today, Forms Authentication will not work without cookies.

Gkhanna (Expert): But with ASP.NET 2.0 we have added support in Forms Authentication and its APIs to support the cookieless mode.

Gkhanna (Expert): Now, onto the architectural enhancement in ASP.NET 2.0.

Gkhanna (Expert): Q: What are the architectural changes made in ASP.NET 2.0 that make it secure when compared to the 1.1 version? A: For every web app that requires users to log on, more often than not, you end up writing APIs that take in user credentials in the presentation tier and send them to the middle tier, which then uses a Data Access Layer (DAL) to work against the database schema (e.g. executing a Select query against the table) that is also created by you. Now, if you notice, you have created the DB schema, the DAL and the APIs. This is typically a generic framework that is required by any web app that you develop which requires the user to log in. Plus you will be writing APIs to manage the credentials in the DB, create new users, forgot-password stuff, and so on. Since this is required by practically every web app, we thought about including this natively in ASP.NET 2.0, so that you will have the APIs out of the box that can be configured to authenticate users against your custom schema or against the default schema which ASP.NET 2.0 creates. Data stores used to store this information are MS Access, SQL Server and the Windows Security Accounts Database. But if you want to use some other DB, or have a custom schema, you can implement some new interfaces that we have introduced and write your own provider. Thus, you will have a common set of APIs that can work against any DB, and do all the plumbing work for you - letting you focus on the business problem.

Gkhanna (Expert): http://www.microsoft.com/india/msdn/events/presentations.aspx#feb05

Gkhanna (Expert): Check this link for the PPT that we talked about in Feb on this very topic.

Gkhanna (Expert): Q: Is the authentication checked with Passport or Active Directory? A: Authentication can be configured for Windows Authentication or custom using the DB schema.

Gkhanna (Expert): Q: Question - ASP.NET 2.0 can be customised to work with and without cookies for Forms Authentication, or can it be programmed during runtime, if the browser does not support cookies? A: You can specify the "cookieless" mode attribute in web.config to use "auto" mode - it will automatically set the right attribute at runtime - with cookies or without one.

Gkhanna (Expert): Q: What's the enhancement in security to authorise user sessions? A: Forms Authentication is there - also, we have introduced the Role Manager API that will allow one to enable features of your web application depending upon what role you are in.

Gkhanna (Expert): Q: Can you list for us, apart from the Authentication arena, what are the security features that have been introduced in ASP.NET 2.0? A: Role Manager API is another enhancement - it allows you to define application-specific roles that can be used to give conditional web application feature access. Roles can be taken from Access/SQL Server/Authorization Manager.

Gkhanna (Expert): Q: ASP.NET 2.0 is still in beta or not? A: Yes - it's still in beta.

Gkhanna (Expert): Q: What are the basic securities provided in ASP.NET? A: This link should help you out - http://msdn.microsoft.com/asp.net/articles/security/default.aspx

Gkhanna (Expert): Apart from this, we have also introduced a couple of new "security" server controls.

Gkhanna (Expert): Q: ASP.NET introduces a new set of controls for security; can you pl. explain how it works and how it can help improve coding productivity? A: Suppose you have to log in a user. Today, you will be dragging two textboxes and a button to take the credentials input and then write code at the server side to authenticate the user. The new "Login Control", for instance, will have all this built in. You will simply need to drag and drop it on your web form from the toolbox and just use it. To authenticate the user, the control will use the new "Membership" API.

Gkhanna (Expert): Q: Is there any option for "File Compression" like WinZip in the new ASP.NET 2.0? A: Nope - not in ASP.NET 2.0, but the .NET FX FCL will be containing support for the same. The new System.IO.Compression namespace will support it. Check this link - http://msdn2.microsoft.com/library/3z72378a.aspx

Gkhanna (Expert): Q: How is security auditing supported in ASP.NET 2.0? A: Security auditing is part of the core OS - not ASP.NET 2.0.

Gkhanna (Expert): Q: Are roles SQL Server roles or are they Windows security roles? Can you please elaborate on the Role Manager API? A: Nope - they are not SQL Server roles. They can be any application-specific role that you create, like Finance Manager, Account, etc. They can, however, be stored in SQL Server or can be picked up from AuthMan.

Gkhanna (Expert): Q: Gkhanna, you will be using APIs many a time, but those things will be some method or property. Could you please tell me how many such APIs there are at the end of the chat? A: Check this Membership API documentation for details - http://msdn2.microsoft.com/library/dazakw52.aspx

Gkhanna (Expert): Q: Question - Is there any new feature in ASP.NET 2.0 on the cryptography front? .NET 1.1 already provides support for public key cryptography. A: When ASP.NET stores the passwords in the data stores it hashes them. However, per se, no enhancement in ASP.NET for Crypto. That will be in the core FCL.

Gkhanna (Expert): Q: Can you please explain how cookieless issues are handled in ASP.NET 2.0? A: When working in the Cookieless mode, ASP.NET generates a unique ID. This unique ID is put in the URI and is used as the identifier for the authenticated user instead of the cookie that would be used in cookie mode.

Gkhanna (Expert): Q: What are other enhancements in ASP.NET 2.0 except Security/Authentication....? A: Master Pages, Themes, more server controls, Personalization API, web admin panel for each ASP.NET 2.0 web app that is created are some of the enhancements.

Gkhanna (Expert): Q: Where do I get a list of all ASP.NET supported APIs? A: For ASP.NET 2.0, check http://msdn2.microsoft.com/library

Gkhanna (Expert): Q: Where exactly is the information stored? Suppose it is in SQL Server, how secure is it? A: ASP.NET creates its own storage schema on SQL Server, with different relationships for the created tables. The information is secured by enabling access for the relevant user (typically, only the ASP.NET user account).

Gkhanna (Expert): Q: Any enhancements on Code Access Security in ASP.NET 2.0? A: CAS is part of the core FCL, not ASP.NET 2.0. Nope, no exceptional changes to that part of the system yet.

Gkhanna (Expert): Q: I'm sorry this is not concerned with the current context, but is there any way to debug an IIS-hosted remoting application? A: Let's take this offline.

Gkhanna (Expert): Q: Is there any updation in Catching in ASP 2.0? A: You probably meant caching. Nothing much there - but with SQL Server 2005, there is caching support implemented to prevent roundtrips for queries that return results that don't change very often, to improve performance.

Gkhanna (Expert): Q: How secure is all this user authentication in the MS Access database, which is file based? A: Even in Access, credentials and other data are hashed. But if you give everyone access (NTFS security ACL) to the file, then there will be no security, of course.

Gkhanna (Expert): Any more questions on ASP.NET 2.0 Security?

subhashini (Moderator): We have the last 15 minutes of the chat. You can also email Gaurav at gkhanna@microsoft.com

Gkhanna (Expert): Q: Where do we get ASP.NET 2.0 materials (on the net)? A: http://msdn2.microsoft.com/library/

Gkhanna (Expert): Q: Is the security server control customizable? A: Yes - each security server control can be customized to different extents. Have a look at this link - http://msdn2.microsoft.com/library/d51ttbhx.aspx

Gkhanna (Expert): Q: You mentioned about the cookieless environment. A: Yes - what about it?

Gkhanna (Expert): Q: If I have access to the aspx & can access data, and the application has 4 tiers (1-> presentation, 2-> application, 3-> Cache data, 4-> Database), now the data is travelling between all these locations, how can we secure the data moving from one location to another? A: A couple of ways - use SSL, encrypt the data, secure remoting calls...

Gkhanna (Expert): Q: You mentioned about the cookieless environment that it's gonna generate a UId and pass it with the Url.. I just wanted to make myself clear on this a bit.. is it gonna be like a query string.. A: Nope - query strings are after the URI - for e.g. http://localhost/default.aspx?var=value. The query string comes after the "?". The ID will be part of the URI - http://localhost/{(236892eghfjkrehgjkhergij)}/default.aspx?var=value

Gkhanna (Expert): Q: Can you elaborate a bit on secure remoting calls? A: Use .NET Remoting channels that support data transmission in a secure manner.

Gkhanna (Expert): Q: What do you mean by API in the dotNet world when compared to the Win32 API? A: API remains the same - Application Programming Interface. For .NET FX, it's managed in nature; for Win32, it remains unmanaged.

Gkhanna (Expert): Q: If I have access to the aspx & can access data, and the application has 4 tiers (1-> presentation, 2-> application, 3-> Cache data, 4-> Database), now the data is travelling between all these locations, how can we secure the data moving from one location to another? A: I answered this earlier.

Gkhanna (Expert): To know more about ASP.NET 2.0, check this link - http://msdn2.microsoft.com/library/98wzsc30.aspx

Gkhanna (Expert): Q: After installing Visual Studio, where can I see all the APIs? (sorry to ask only on APIs) A: In the MSDN Documentation that you install.

subhashini (Moderator): So we have almost come to the end of the chat. And I hope all of you found the chat informative and useful.

subhashini (Moderator): I thank Gaurav and all of you for taking time from your hectic schedules to join this chat.

subhashini (Moderator): We have completed more than three months since we started this chat. Feel free to email your feedback about these chats to commind@microsoft.com

subhashini (Moderator): Gaurav, thanks for this great chat.

subhashini (Moderator): Thanks to all of you for attending this chat.

Gkhanna (Expert): Q: There is an issue of Session expiration when we have file-access type utilities like anti-virus software etc. on the IIS server where the site is uploaded; is there any solution in ASP.NET 2.0 regarding this? A: That happens since the files are modified by the anti-virus and this is monitored by ASP.NET - which actually creates a new AppDomain in which the code executes. Hence, the loss. Ensure such software doesn't modify the files (even the file times).

Gkhanna (Expert): Q: I am not asking about the information, I want to know which DLLs contain all these things. Just like API Text Viewer in Visual Studio 6.0. A: None in .NET FX for the moment.

Gkhanna (Expert): Well - thank you all.

Gkhanna (Expert): Hope the chat was useful to you.

subhashini (Moderator): The transcript of this chat would be uploaded on http://www.microsoft.com/india/communities/chat/Transcripts.aspx

subhashini (Moderator): Yes, we are planning to have a few chats on SQL Server 2005 this month.

subhashini (Moderator): So bookmark the url: http://www.microsoft.com/india/communities/chat/default.aspx to be updated about the forthcoming chats.

subhashini (Moderator): Once again thanks Gaurav.

subhashini (Moderator): And all of you have a lovely evening.

subhashini (Moderator): Please feel free to pour in your feedback and comments about these chats at commind@microsoft.com

subhashini (Moderator): Thank you :-) and see you all again next week for the chat on Serialization in .NET.