Chapter 10
ASP.NET Security

An old adage among developers is that building security into software is like paying taxes. You know it's important and you know you must do it sooner or later, but you put it off as long as you can and when you finally do it, you do so only because you have to. You might not go to jail for building insecure applications, but security is no less important because of it. In many applications, Web applications in particular, security isn't a luxury; it's a necessity.

Security is a Big Deal in network applications because by nature those applications are available to (and vulnerable to misuse by and outright attacks from) a larger population of users. When the network an application is deployed on is the Internet, security becomes even more important because the list of potential users grows to about 4 billion. Web security is a broad and complicated subject. Much of the ongoing research in the field has to do with hardening Web servers against attacks. Administrators who work on networks where IIS is deployed are all too aware of the security holes in IIS and of the constant stream of patches and security updates from Redmond. But this chapter isn't about protecting servers from buffer overruns and other hack attacks; it's about using ASP.NET to build secure sites that serve up pages only to authorized users.

Most sites built with ASP.NET fall into one of three categories:

Sites that fall into the first category require no special protection beyond what the Web server provides. Sites in the second and third categories require some form of application-level security to identify authorized users and prevent illicit accesses. ASP.NET provides that application-level security. It works in conjunction with IIS and the Windows security subsystem to provide a solid foundation for building secure sites. And ASP.NET builds on what IIS has to offer to make deploying secure sites as easy as possible.