thefrozencoder

Programming and Technology blog

Rolling Your Own Custom Authentication For ASP.NET


Introduction

ASP.NET Membership combined with Forms authentication provides a convenient way to implement page protection and user authentication.  In some cases you may want to create your own custom authentication implementation when specific requirements do not allow the built-in authentication.  This post shows the basis and a starting point for building your own custom authentication mechanism using ASP.NET.

The code samples in this article can be downloaded using the link at the bottom of this post.  Samples were created using Visual Studio 2008 and SQL Server 2005 Express.  There are samples for both C# and Visual Basic.NET in the download file, as well as a Word document version of this post.

Setup

Everything needed to run the samples should be present in the download files.  Before you run the project from VS, set the Secure.aspx page as the start-up page; when the site is run you should be redirected to Login.aspx automatically.  From there you can use the following login information:

  • Login: user@login.net
  • Password: password

There is a setting in the web.config file to control the time in seconds it takes for a user's session to expire.  I have set this to a low number (5 seconds) for demonstration purposes, so once you are logged in and the Secure.aspx page is displayed, hit refresh in your browser a couple of times, then wait 5 seconds and refresh again; you should be redirected to the Login.aspx page since your session has expired.

Requirements

First we will take a look at some common requirements that are typical of an authenticated web site.

  • The system must be able to deny anonymous users access to all pages that are defined as secure.
  • The system must be able to authenticate / validate a user before they have access to secure pages.
  • Once a user has been authenticated, the user will not have to enter credentials again to access secure pages.
  • If the user is inactive for x minutes, the system will log them out and they will have to log in again.
  • The logged-in session for a user will only be active for the duration of the browser session, or until requirement 4 has been met.

Based on our requirements we are going to need a way to store user information, specifically the login and password.  We will also need to store some form of security token that the system creates after authentication: the system keeps one copy of that token and a second copy is stored on the user’s machine.  We store the system's copy of the token in a database and the client's copy in a cookie (this will cause issues if the client does not allow cookies, but that will not be addressed in this article).  We will also need a simple way to implement our security logic for the pages that need it.

System Database

Below are the system database tables that store the user information as well as the system's copy of the security token.

ClientData Table

  • ClientID - will store the unique identifier for the client (used internally by the system)
  • FirstName - will store the user's first name
  • LastName - will store the user's last name
  • Login - will store the user's login
  • Password - will store the user's password (typically a user's password is stored encrypted rather than as plain text, unlike in this sample)

ClientSessions Table (will store the security token for the user)

  • SessionGuid - will store the system-created security token; this value must match the token on the client's computer (cookie)
  • ClientID (optional) – will store the unique id from the ClientData table for the authenticated user (in some cases this cannot be stored, as it may violate privacy laws by uniquely identifying a user's session on a site)
  • SessionLastActiveDate – will store a timestamp of the last time the user's session was validated
  • SessionTimeOut – will store, in seconds, how long after the last validation the user's session will expire

User Validation

User validation takes place on the Login.aspx page when the user enters their credentials and the page is submitted.  The system then queries the ClientData table to find a match for the given login and password.  If a match is found, the system creates a security token and saves it both in the system and on the user’s machine via a cookie.  The system then redirects the user to one of the secure pages within the site.  If a match is not found, the Login.aspx page displays a message to the user.

Session Validation

Session validation takes place whenever a user browses a page that is considered to be secure.  The page asks the system whether the user has been validated by taking the security token from the user’s cookie and querying the ClientSessions table for a matching stored token.  If the session timeout has not expired since the last validation, the session is updated with a new last-active timestamp.  If the session has expired, the user is forced back to the login screen.

Implementation

To implement the logic the following files have been added to an ASP.NET Web Site; shown below are the files that make up the solution.

  • The SecurePage class implements our authentication logic and is inherited by each of the pages in our site
  • The DataHelper class implements the data access to the system database
  • The SettingsHelper class implements the data access to the web.config file for any configurable settings
  • Sessions.mdf is the database where we store our user data and the user token
  • The Login.aspx page is the interface the user uses to authenticate
  • The Secure.aspx page is a page that a user must authenticate to view
  • The UnSecure.aspx page is a page that a user does not have to authenticate to view

SecurePage Class

Below is the implementation of the SecurePage class, which all of the pages in our site will inherit.

  • Line 15 – implements the call made by secure pages to check whether the user has been validated by the system to see the current page
  • Line 28 – implements the call made by the Login.aspx page to validate the user against the data in the ClientData table
  • Line 47 – implements an internal call to get the security token from the user’s machine (cookie)
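The original listing is not reproduced here, so the following is an added example (not the post's code) of the login and session validation flow described above: a CSPRNG-generated token, a stand-in for the ClientSessions table, and a sliding timeout check.  The SessionStore class and its in-memory dictionary are assumptions standing in for the DataHelper / database access.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Stand-in for one row of the ClientSessions table (constructed for this example).
class ClientSession
{
    public string SessionGuid;
    public int ClientID;
    public DateTime SessionLastActiveDate;
    public int SessionTimeOut;   // seconds
}

class SessionStore
{
    // Keyed by token; a real implementation would query the ClientSessions table.
    private readonly Dictionary<string, ClientSession> sessions = new Dictionary<string, ClientSession>();
    private readonly int timeoutSeconds;   // the web.config setting from the post

    public SessionStore(int timeoutSeconds) { this.timeoutSeconds = timeoutSeconds; }

    // Login step: called only after the credentials matched a ClientData row.
    // The token comes from the CSPRNG rather than Guid.NewGuid(), whose output is
    // not guaranteed to be unpredictable. The caller puts the token in a cookie with
    // HttpOnly set and no Expires value, so it lives only for the browser session.
    public string CreateSession(int clientId, DateTime now)
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        sessions[token] = new ClientSession { SessionGuid = token, ClientID = clientId,
            SessionLastActiveDate = now, SessionTimeOut = timeoutSeconds };
        return token;
    }

    // IsClientValidated step: the cookie token must exist and must not have expired.
    // On success the last-active timestamp slides forward (inactivity timeout).
    public bool Validate(string cookieToken, DateTime now)
    {
        ClientSession s;
        if (cookieToken == null || !sessions.TryGetValue(cookieToken, out s)) return false;
        if ((now - s.SessionLastActiveDate).TotalSeconds > s.SessionTimeOut)
        {
            sessions.Remove(cookieToken);   // expired: force a fresh login
            return false;
        }
        s.SessionLastActiveDate = now;
        return true;
    }

    public void Logout(string cookieToken) { sessions.Remove(cookieToken); }
}

class Program
{
    static void Main()
    {
        var store = new SessionStore(5);   // 5 second timeout, as in the sample web.config
        DateTime t0 = new DateTime(2008, 12, 29, 18, 45, 0);
        string token = store.CreateSession(1, t0);
        Console.WriteLine(store.Validate(token, t0.AddSeconds(3)));   // True: timestamp slides to t0+3
        Console.WriteLine(store.Validate(token, t0.AddSeconds(7)));   // True: 4s since last activity
        Console.WriteLine(store.Validate(token, t0.AddSeconds(13)));  // False: 6s since last activity
        Console.WriteLine(store.Validate("forged-token", t0));        // False: unknown token
    }
}
```

Because the store only ever looks up the exact token it issued, an unknown or expired cookie value never yields a session, and the expired row is removed so it cannot be revived by a later request.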

Login.aspx Page UI

The basic login page UI

Login.aspx Page Code Behind

  • Line 8 – The Login page class inherits the SecurePage class to get the methods for our authentication
  • Line 10 - The login button click handler: when the user clicks the login button, the page calls the Login method, passing in the values from the login and password text boxes.  If successful the page redirects to a secure page; if not, it displays the error message to the user

Secure.aspx Code Behind

  • Line 8 – The Secure page class inherits the SecurePage class to get the methods for our authentication
  • Line 10 – The OnPreInit method is overridden so we can call the IsClientValidated method to check whether the user has been validated to see the secure page.  If the user has not been validated it redirects to the Login.aspx page; otherwise the Secure.aspx page displays as normal

Conclusion

There are other things to consider that are beyond the scope of this article, such as using SSL for the login and/or secure pages, encrypting persistent data (either the cookie or the user data), etc.  This is by no means a complete solution, but it describes the basics of creating custom authentication for an ASP.NET based web site.  It may not be the holy grail of custom authentication, but it does offer a few ideas and solutions for implementing your own when the built-in membership and forms authentication does not fit well with your requirements.  You could instead have stored the server's copy of the token in a session item and compared the user's cookie value to that session item, which would work too, but what if your web site is running under a load-balanced web farm?  Unless you use a state server or SQL Server to store your session state, you will need a way to persist your authentication in a more permanent, stateful way.

** Note **
The data access layer used is the Microsoft Patterns and Practices Enterprise Library, which can be downloaded here: http://www.codeplex.com/entlib.  I have included only the required assemblies in the download file; you may need to download the entire package in order for the samples to run.

Code samples CustomAuthentication.zip (1.49 mb) 

New Year and New Hosting Part Deux

Sigh......
The MX entry for mail.thefrozencoder.ca is screwed up just like my mail.willyd.ca was.

In my last post I gave you my thoughts and gripes about Lunarpages.com; this post is an update to that original post.  I will be adding to it as the story unfolds and as I keep checking mail.thefrozencoder.ca to see if they have fixed the issue completely.  The fact that they don't allow me to manage my own DNS zone is kind of a buzz-kill.  I may end up just purchasing my own DNS services from my registrar ($8 CAN/yr/domain) and be done with it; this way I have complete control.

The Good

  • They offer an alternate SMTP port for ISPs that block outgoing port 25

The Bad

  • Their support staff, although courteous, read from the script too much and don't investigate issues as much

Here is my abbreviated ticket thread to date on the DNS configuration issue.

Me
I am having issues with my DNS and mail.thefrozencoder.ca is resolving to my web server address, here is the IP info from my pings.  Also mail.thefrozencoder.ca has two IP addresses assigned to it and I am sure that one of them is wrong and please see ticket #XYZ I had the same issue on another domain which had the same DNS issue.

Support
Please answer the following questions (all related to how I have my email client configured)

Me
I give them the info they requested

Support
Please try these settings (one of which is the alternate SMTP port and an alternate mail.* server address to try)

Me
Tried the settings but mail.thefrozencoder.ca still does not work, but the alternate mail.* address does (I now add the output from a DiG showing them that mail.thefrozencoder.ca has two IP addresses assigned to it)

Support
The problem is with your DNS settings. You have two IP addresses assigned to mail.thefrozencoder.ca and extra NS entries which are not needed, you will have to remove them (WTF? didn't I just say that twice already?)

Me
And how do I remove them?  You guys are administrating my DNS for me I am just pointing my domain to your name servers via my registrar.  Are you telling me that I have to get external DNS services for your hosting environment?  If that is the case you probably should have mentioned that when I was signing up.

Support
We can change the mail.thefrozencoder.ca records, I apologize I was referring to the extra DNS entries you will have to remove them (again how am I to change my DNS entries when they manage them?)

Me
Ok please remove the duplicate mail.thefrozencoder.ca and I don't know how the extra DNS entries are showing up since there are only two entries in my registrar which are correct based on what you gave me.  Please advise.

As of 2008-12-29 18:45 (10hrs) after I noticed the issue still exists; mail.thefrozencoder.ca is incorrectly configured as per DiG.

As of 2008-12-30 00:21 (16hrs) after I noticed the issue, it has finally been fixed.  Fixed by someone in support who actually used DiG and thanked me for noticing the other DNS issues as well (which were fixed too).

New Year and New Hosting

I decided not to renew my hosting (Webhost4life) and decided to give Lunarpages a try.  The reason for my move was not because I had any issues with Webhost4life; I have been with them since 2006 and have had almost zero problems with them over the two years.  I just found that Lunarpages offered some better features and the initial cost was cheaper than renewing.

During my time with Webhost4life I was signed up under the Advanced Windows Plan, which gave me some pretty good options; especially being a developer, I liked the idea of being able to do more with my account.  Here are some of the features that I liked and the things I didn’t like about my experience.

The Good

  • You can connect to your SQL Server using Enterprise Manager (2000) or Management Studio (2005/2008)
  • No SQL Express (this is a good thing)
  • Browser based SFTP Java applet for uploading to your account
  • Allows you to manage your DNS zone (including adding a SPF record)
  • They utilize DNS effectively; SQL Servers have a DNS entry rather than an IP address as well your mail.yourdomain.com resolves to a mail server and your web mail
  • Simple DB tools for MS SQL Server (backup/restore/etc.)
  • You have an FTP site for your Database (to do backup/restore from)
  • You can override your websites physical root folder anywhere in your hosting folder.  This is good if you want to create a subdomain and not put it in a folder under your primary domain
  • They use two SMTP ports for your mail (the reason for the alternate port is some ISPs block all outgoing on port 25 unless it’s to their own servers)
  • Add-on services are pretty cheap like extra domains and such
  • Support is better than average for responding in a timely manner.  You can set the priority on your ticket from 1 (high) to 5 (low).  I usually used 3 and averaged about a 4 hour response time and they addressed my problems without having to give more info or respond.  It seems that they have only one level of support and each support person can take care of the issue whatever it is.
  • Your sites run under full trust (your own app pool)
  • They use awstats for basic web metrics
  • They have an FTP site for your raw IIS logs (they don’t include cookies in the log)

The Bad

  • They dropped free WSS (Windows Sharepoint Services) you now have to pay $19 a year for WSS 3.0
  • They dropped the MS SQL Server limit to one DB per domain (adv. plan) (it used to be unlimited when I first signed up, then they went to two only and finally one)
  • Your app pool for ASP.NET recycles often (every 5 min) so your site (if big) will seem like it is constantly reloading/recompiling (this might be the norm for most hosting companies since there are probably a lot of crappy coders out there)
  • A high website/server ratio something like 300 sites on one server, I am not sure if this is the norm or not which explains the 5min app pool recycling
  • Like most hosting providers they never tell you when something is wrong; the server where my SQL DB was hosted was scheduled to be replaced (due to hardware issues it was having), and when I tried to do a backup it kept failing.  I sent a ticket and only then did they tell me the reason for the issues
  • They have a support forum but it is pretty unutilized by the users of Webhost4life
  • They rolled their own control panel which looks really unprofessional but it does do what it’s supposed to

All in all I have no real issues with Webhost4life; I found the service to be pretty much what I expected from a shared hosting provider but it was time to try something new and give another company a try.

So far with Lunarpages I have had a couple of issues (one almost made me cancel my account).  When my second domain was set up (willyd.ca), right from the start the DNS settings for my MX record (mail) were configured wrong: it was pointing to two separate IP addresses (the web server and the mail server), and since the order of the records was web server first I would often not be able to check my mail (using Outlook) since it would try to access the web server (which would not work, duh, it’s a web server).  It took me 2 full days to have the problem fixed, mostly because the ticket had to be escalated from tier one tech support to tier two.  The second issue had to do with the hosting environment and some permissions, which took less time to fix, probably because tier one could do that kind of stuff.  Here are some of my initial thoughts on the service so far.

The Good

  • Web mail is SmarterMail (same as Webhost4life)
  • The control panel is Plesk (pretty cool control panel for Windows hosting)
  • There is a backup solution for your domain that you can configure and schedule
  • Windows Hosting allows for 2 unique domains under your account for your initial price
  • Account information (disk space used/bandwidth used/etc.) is all visible from the "home" control panel)
  • Unlimited SQL Server DBs per account (probably limited by the actual amount of hosting space you get)
  • Their forum support is pretty impressive and the community actually uses it
  • Lots of reports that can be emailed to you on a schedule (part of Plesk)

The Bad

  • They don’t inform you that they use DNS for databases rather than IP address and no mail.yourdomain.com to web mail (no big deal but it looks cooler)
  • Support is a level system, level ones are pretty much useless and the higher you go the longer it takes to get anything fixed
  • No DNS zone edits under Windows hosting
  • The help files seem to be out of date in the control panel and reference Linux Hosting items more than Windows so the info might not be valid
  • Some services you log into are not SSL (I even checked the form post action)
  • No SQL Server Ent. / Management Studio support; they use MyLittleAdmin (which is pretty much the same interface)
  • I am not sure about this one but it would seem that both domains (under your account if setup) run under the same app pool.  That means that one site could bring down your other site if it gets out of control
  • There is a 1% CPU cap on your app pool.  Reading through the forums it seems that if you go over the 1% CPU usage your account can be disabled.  So if your app pool continuously used 1% of the CPU on that server over an indeterminate time they can axe your site(s).  I guess as long as it just does the burst usage then that is ok (not that my sites will chew up that much CPU)

For the ongoing story of my DNS issues with Lunarpages see New Year and New Hosting Part Deux

Random error messages

"Application popup: Windows - Delayed Write Failed : Windows was unable to save all the data for the file 'xxx'. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere."
I had this error recently during my nightly backups.  I narrowed it down to my server’s 10/100/1000Mbps LAN card.  Since my network is only 10/100Mbps I forced the speed and duplex to 100Mbps and Full Duplex rather than Auto Negotiate.  After I did this the error went away and my network latency issues got better.

"You must use the Role Management Tool to install or configure Microsoft .NET Framework 3.0 x64 (or x86) (Windows 2008)"
Under Windows 2008 .NET is considered a Feature; to install it, open up Server Manager and highlight Features -> Add Feature; it is at the top of the list.  To install the .NET 3.5 framework use the installer method.

The Hyper-V n00b - Child Partition - OpenBSD 4.4

So far I have had really zero issues with installing Windows based OSes (once each one had the latest service pack) as child partitions, but what about unsupported OSes?  I figured that I would need to install a familiar OS that I have lots of experience with and would like to work with some more, especially from the firewall side of things again.  Of course my choice was crystal clear: OpenBSD.  Now I wondered just how well the "virtual hardware" would work; I have installed OpenBSD in Virtual PC, which worked pretty well, so what do I have to lose?

Since you can mount an ISO to your CD/DVD drive when creating a new virtual machine I downloaded the install44.iso for OpenBSD and selected it and started the VM.  From what I can see the only thing that wasn't supported was the Microsoft VGA adapter.  But since it probably supports the VGA standard it still worked.  So after about 5 minutes of installing and configuring I rejoiced to see the following screen.

Now of course I will need to run further tests but it shows promise.  Adding another NIC and the possibility of having this as my firewall to the internet has some pretty strong advantages.  I only hope that I still have my old config files kicking around for my last firewall but I am sure that I will manage.

Of course things like the shutdown actions in the toolbar do not work, and since there are no Integration Services there is no Heartbeat monitor, but hey, it's working nonetheless.  I also noticed that the time was 4 hours out, which I am not sure about.  Maybe OpenBSD cannot read the timing from the virtual BIOS or whatever it used/called.  I will have to investigate that one.  Otherwise I can enable the OpenNTPD daemon just to make sure that the time is always in sync.