Skip to main content

Professional ASP.NET 2.0 Security, Membership, and Role Management

Professional ASP.NET 2.0 Security, Membership, and Role Management

Stefan Schackow

ISBN: 978-0-471-79969-6

Apr 2006

611 pages

Select type: E-Book

Product not available for purchase


Experienced developers who are looking to create reliably secure sites with ASP.NET 2.0 will find that Professional ASP.NET 2.0 Security, Membership, and Role Management covers a broad range of security features including developing in partial trust, forms authentication, and securing configuration. The book offers detailed information on every major area of ASP.NET security you’ll encounter when developing Web applications.

You’ll see how ASP.NET 2.0 version contains many new built-in security functions compared to ASP.NET 1.x such as Membership and Role Manager, and you’ll learn how you can extend or modify various features. The book begins with two chapters that walk you through the processing ASP.NET 2.0 performs during a web request and the security processing for each request, followed by a detailed explanation of ASP.NET Trust Levels.

With this understanding of security in place, you can then begin working through the following chapters on configuring system security, forms authentication, and integrating ASP.NET security with classic ASP including integrating Membership and Role Manager with classic ASP. The chapter on session state looks at the limitations of cookieless session identifiers, methods for heading off session denial of service attacks, and how session state is affected by trust level. After the chapter explaining the provider model architecture in ASP.NET 2.0 and how it is useful for writing custom security providers you go to the MembershipProvider class and configuring the two default providers in the Membership feature, SqlMembershipProvider and ActiveDirectoryMembershipProvider. You'll see how to use RoleManager to make it easy to associate users with roles and perform checks declaratively and in code and wrap up working with three providers for RoleProvider – WindowsTokenRoleProvider, SqlRoleProvider, and AuthorizationStoreRoleProvider (to work with Authorization Manager or AzMan).

This book is also available as part of the 5-book ASP.NET 2.0 Wrox Box (ISBN: 0-470-11757-5). This 5-book set includes:

  • Professional ASP.NET 2.0 Special Edition (ISBN: 0-470-04178-1)
  • ASP.NET 2.0 Website Programming: Problem - Design - Solution (ISBN: 0764584642 )
  • Professional ASP.NET 2.0 Security, Membership, and Role Management (ISBN: 0764596985)
  • Professional ASP.NET 2.0 Server Control and Component Development (ISBN: 0471793507)
  • ASP.NET 2.0 MVP Hacks and Tips (ISBN: 0764597663)
  • CD-ROM with more than 1000 pages of bonus chapters from 15 other .NET 2.0 and SQL Server(TM) 2005 Wrox books
  • DVD with 180-day trial version of Microsoft(r) Visual Studio(r) 2005 Professional Edition


Chapter 1: Initial Phases of a Web Request.

Chapter 2: Security Processing for Each Request.

Chapter 3: A Matter of Trust.

Chapter 4: Configuration System Security.

Chapter 5: Forms Authentication.

Chapter 6: Integrating ASP.NET Security with Classic ASP.

Chapter 7: Session State.

Chapter 8: Security for Pages and Compilation.

Chapter 9: The Provider Model.

Chapter 10: Membership.

Chapter 11: SqlMembershipProvider.

Chapter 12: ActiveDirectoryMembershipProvider.

Chapter 13: Role Manager.

Chapter 14: SqlRoleProvider.

Chapter 15: AuthorizationStoreRoleProvider.


Code Downloads
Code downloads for this title are available here.
Download code
Code Downloads
Code downloads for this title are available here.
Download code
Download Correction for Chapter 5
ChapterPageDetailsDatePrint Run
114Addition to text
"ReflectionPermission" section, 2nd paragraph, add the following sentence:

You can still use reflection to access methods, members, etc... that would normally be available to public callers. For example, even in Medium trust you can still use reflection to invoke the public methods on a Membership provider.

137Error in Text
3rd paragraph, 1st sentence:

Delete the phrase ", and in fact there is no way to turn this behavior off for no-compile pages."

138Error in Text
1st paragraph, 1st sentence

The phrase "then for compiled pages ASP.NET 2.0"
should be
"then ASP.NET 2.0"

231Error in Text
last paragraph, 1st sentence

Due to a bug in the shipping version of ASP.NET 2.0, forms authentication uses the wrong cookie path when it issues a new cookie based on information from a cross-application redirect. As a result, this sample will not work with cookie paths other than "/". The next section on "Cookie-based SSO Lite" describes the problem on page 237, in the fourth paragraph. The code in this section also shows how to workaround the problem.

237Error in Text
second to last paragraph

Add sentences at the end of the paragraph saying:

This restriction applies specifically to ASP.NET's automatic generation of the ReturnUrl variable. As an alternative to the CustomReturnUrl variable, you could take control of the ReturnUrl variable and programmatically set it to a fully qualified address.

9332Error in Code
Chapter 9, Page 332, top of page, Item #4 missing dot between Configuration and Providers:

Code reads:

Should read:

437Error in Text
fourth paragraph (the last one before the section "Enforcing Custom Password Strength Rules")

should be
in 3 places in this paragraph

437Error in Text
fourth paragraph (the last one before the section "Enforcing Custom Password Strength Rules")

end of 5th line: 40+- should be 39+

From testing this some more with more complex passwords, 38 characters turned out to be the effective upper limit.