Reviewing Code for Authentication

Introduction
“Who are you?” Authentication is the process by which one entity proves its identity to another, typically by presenting credentials such as a user name and password.

Several authentication mechanisms are available, and which one fits depends on your requirements. A mechanism that is poorly chosen or incorrectly implemented can expose vulnerabilities that attackers can exploit to gain access to your system.

Authentication
In .NET, authentication is configured through the authentication element in the configuration file.

The <authentication> element configures the authentication mode that your applications use.

The appropriate authentication mode depends on how your application or Web service has been designed. The default Machine.config setting applies a secure Windows authentication default, as shown below:

    authentication attributes: mode="[Windows|Forms|Passport|None]"

    <authentication mode="Windows" />

Forms Authentication Guidelines

To use Forms authentication, set mode="Forms" on the <authentication> element. Next, configure Forms authentication using the child <forms> element. The following fragment shows a secure <forms> authentication element configuration:

    (the fragment itself did not survive extraction; only its last annotation, "Sliding session lifetime", remains)

Use the following recommendations to improve Forms authentication security:
 * Partition your Web site.
 * Set protection="All".
 * Use small cookie time-out values.
 * Consider using a fixed expiration period.
 * Use SSL with Forms authentication.
 * If you do not use SSL, set slidingExpiration="false".
 * Do not use the <credentials> element on production servers.
 * Configure the <machineKey> element.
 * Use unique cookie names and paths.
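The checklist above can be turned into a mechanical review step. The following Python script is an added example, not code from the OWASP guide or from any project: it embeds two constructed web.config fragments (a weak Forms configuration and the same site hardened per the recommendations; the machineKey values are placeholders, not real keys) and audits the <forms> element for each recommendation. The 20-minute timeout threshold is an assumption, since the guideline only says "small".

```python
"""Added review helper: audit the <forms> authentication settings in an
ASP.NET web.config against the Forms authentication guidelines.
Example code, not part of the OWASP page; the sample configs are constructed."""
import xml.etree.ElementTree as ET

# Review threshold (assumption): a cookie timeout above this many minutes
# is reported as "not small". The guideline itself gives no number.
MAX_TIMEOUT_MINUTES = 20

# Constructed sample: a weak Forms configuration.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             protection="None"
             requireSSL="false"
             timeout="480"
             slidingExpiration="true">
        <credentials passwordFormat="Clear">
          <user name="admin" password="placeholder" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: the same site hardened per the guidelines.
# The machineKey values are placeholders, not usable keys.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Restricted/login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             name="AppNameCookie"
             path="/FormsAuth"
             slidingExpiration="false" />
    </authentication>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>"""


def _is_true(value):
    return value.strip().lower() == "true"


def audit_forms_auth(config_xml):
    """Return a list of finding codes; an empty list means no item of the
    checklist is violated by this configuration."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    auth = system_web.find("authentication") if system_web is not None else None
    if auth is None:
        return ["authentication-element-missing"]
    if auth.get("mode", "Windows") != "Forms":
        return []  # the Forms guidelines do not apply to other modes
    forms = auth.find("forms")
    if forms is None:
        return ["forms-element-missing"]

    findings = []
    # ASP.NET defaults that apply when an attribute is absent:
    # protection="All", requireSSL="false", timeout="30",
    # name=".ASPXAUTH", path="/", slidingExpiration="true".
    require_ssl = _is_true(forms.get("requireSSL", "false"))
    if forms.get("protection", "All") != "All":
        findings.append("protection-not-all")      # cookie not encrypted + signed
    if not require_ssl:
        findings.append("ssl-not-required")        # cookie may travel over http
    if int(forms.get("timeout", "30")) > MAX_TIMEOUT_MINUTES:
        findings.append("timeout-too-long")        # long-lived session cookie
    if _is_true(forms.get("slidingExpiration", "true")) and not require_ssl:
        findings.append("sliding-expiration-without-ssl")
    if forms.find("credentials") is not None:
        findings.append("credentials-in-config")   # user accounts stored in config
    if forms.get("name", ".ASPXAUTH") == ".ASPXAUTH":
        findings.append("default-cookie-name")     # shared name across apps
    if forms.get("path", "/") == "/":
        findings.append("default-cookie-path")     # cookie sent to whole site
    # machineKey may also be set in Machine.config; if it is absent here the
    # reviewer must confirm where the validation/decryption keys come from.
    if system_web.find("machineKey") is None:
        findings.append("machinekey-not-configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_forms_auth(cfg) or "no findings")
```

Running the script reports eight findings for the weak fragment and none for the hardened one; in a real review, feed it the application's actual web.config and follow every finding back to the checklist item it names.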

For classic ASP pages, authentication is usually performed manually by storing the user information in session variables after validation against a database, so you can look for something like:

    Session("UserId") = UserName
    Session("Roles") = UserRoles