An old adage among developers is that building security into software is like paying taxes. You know it’s important and you know you must do it sooner or later, but you put it off as long as you can and when you finally do it, you do so only because you have to. You might not go to jail for building insecure applications, but security is no less important because of it. In many applications—Web applications in particular—security isn’t a luxury; it’s a necessity.
Security is a Big Deal in network applications because by nature those applications are available to (and vulnerable to misuse by and outright attacks from) a larger population of users. When the network an application is deployed on is the Internet, security becomes even more important because the list of potential users grows to about 4 billion. Web security is a broad and complicated subject. Much of the ongoing research in the field has to do with hardening Web servers against attacks. Administrators who work on networks where IIS is deployed are all too aware of the security holes in IIS and of the constant stream of patches and security updates from Redmond. But this chapter isn’t about protecting servers from buffer overruns and other hack attacks; it’s about using ASP.NET to build secure sites that serve up pages only to authorized users.
Most sites built with ASP.NET fall into one of three categories:
Sites whose content is freely available to everyone.
Internet sites that serve the general population but require a login before displaying certain pages. eBay is a great example of such a site. Anyone can browse eBay and view the ongoing auctions, but when you place a bid, eBay requires a user name and password. eBay also has a feature named “My eBay” that lets you review the auctions you’ve bid on. Because My eBay pages are personalized for individual users and because they contain private information such as maximum bid prices, you must log in before viewing them.
Intranet sites that expose content to a controlled population of users—a company’s employees, for example—who have accounts in a Windows domain (or set of domains). Sometimes these sites support a limited degree of Internet access too, so authorized users can access them from anywhere an Internet connection is available.
Sites that fall into the first category require no special protection beyond what the Web server provides. Sites in the second and third categories require some form of application-level security to identify authorized users and prevent illicit accesses. ASP.NET provides that application-level security. It works in conjunction with IIS and the Windows security subsystem to provide a solid foundation for building secure sites. And ASP.NET builds on what IIS has to offer to make deploying secure sites as easy as possible.