Secure Your Mobile Apps
Use forms authentication to secure ASP.NET mobile applications.
by Doug Thews
April 2003 Issue
Technology Toolbox: VB.NET, SQL Server 2000, ASP.NET
An often-overlooked ASP.NET feature is its built-in security plumbing, which you can use to secure any application easily with a minimal amount of coding. Providing integrated security in your ASP.NET application is a crucial element in preventing unauthorized access to your corporate data, while building customer confidence in the security of your company's business systems. In this article, I'll guide you through different ways to use forms authentication to secure your mobile applications.
ASP.NET makes securing applications much simpler than it was in Active Server Pages (ASP). It offers the plumbing for Web security, one portion of which is called forms authentication. Forms authentication is a cookie-based authentication process handled by ASP.NET, which allows you to replace the standard login screen and authentication business logic with your own customized version. Once you enable forms authentication on a Web or virtual directory, ASP.NET checks every page request for a valid authentication automatically. You no longer need to spend time putting additional script code or include files in your Web pages to check for this authentication manually.
ASP.NET provides three different types of authentication right out of the box: Windows-based authentication, Passport authentication, and forms authentication, which this article will focus on. Forms authentication is best suited for secure ASP.NET applications, because it doesn't restrict which authentication source you use, such as an internal customer relationship management (CRM) system or a directory server. With forms authentication, ASP.NET sends all unauthenticated user requests to a standard login page that you specify, and it handles the authentication process there. This provides the maximum amount of flexibility, because you're now in charge of authenticating the user against any data source you want.
Take a quick look at how ASP.NET processes incoming Web requests for a Web that's been secured with forms authentication. When a user makes a new Web request, ASP.NET checks whether that user session carries a valid authentication cookie for this Web. If not, ASP.NET redirects the user to the login page specified in the configuration process (more on that later).
You can perform forms authentication for both mobile and standard ASP.NET Web applications (see Figure 1 for the authentication process). You use the FormsAuthentication base class for all ASP.NET forms authentication. The MobileFormsAuthentication class has two unique methods—SignOut and RedirectFromLoginPage—that are designed specifically to support cookieless devices by appending the authentication information to the URL instead of relying on a cookie. Otherwise, the two classes' versions of these methods are largely interchangeable.
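A minimal mobile login page for the flow described above, written as an added VB.NET example rather than code from the article: the web.config settings in the header comment are what cause ASP.NET to redirect unauthenticated requests here, and the Users table, the AuthDb connection string and the control names are assumptions.

```vb
' Login.aspx.vb, the mobile login page's code-behind (added example, not the article's code).
' Assumes the secured directory's web.config enables forms authentication and denies
' anonymous ("?") users, which is what triggers the redirect to this page:
'   <authentication mode="Forms">
'     <forms name="MobileAuth" loginUrl="Login.aspx" protection="All" timeout="20" />
'   </authentication>
'   <authorization><deny users="?" /></authorization>
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Mobile
Imports System.Web.UI.MobileControls
Public Class Login
    Inherits MobilePage
    Protected WithEvents txtUser As TextBox
    Protected WithEvents txtPassword As TextBox
    Protected WithEvents cmdLogin As Command
    Protected WithEvents lblStatus As Label

    ' The article leaves the credential store to you. This checks a hypothetical
    ' SQL Server table Users(UserName, Salt, PasswordHash) holding SHA-256 hashes of
    ' salt + password, using a parameterized query so user input never enters the SQL text.
    Private Function ValidateUser(ByVal user As String, ByVal password As String) As Boolean
        Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("AuthDb"))
        Dim cmd As New SqlCommand("SELECT Salt, PasswordHash FROM Users WHERE UserName = @u", conn)
        cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = user
        Try
            conn.Open()
            Dim rdr As SqlDataReader = cmd.ExecuteReader()
            If Not rdr.Read() Then Return False   ' unknown user
            Dim salted As Byte() = Encoding.UTF8.GetBytes(rdr.GetString(0) & password)
            Dim hash As String = Convert.ToBase64String(New SHA256Managed().ComputeHash(salted))
            Return String.CompareOrdinal(hash, rdr.GetString(1)) = 0
        Finally
            conn.Close()   ' also closes the open reader
        End Try
    End Function

    Private Sub cmdLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles cmdLogin.Click
        If ValidateUser(txtUser.Text, txtPassword.Text) Then
            ' Issues the forms-authentication ticket and returns the user to the page
            ' originally requested. On cookieless devices the mobile class carries the
            ' ticket in the URL. False: session ticket only, no persistent cookie on a shared handset.
            MobileFormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
        Else
            lblStatus.Text = "Login failed."   ' same message for unknown user or bad password
        End If
    End Sub
End Class
```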