Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB


Professional
ASP.NET 3.5 Security, Membership, and
Role Management
with C# and VB
Enhance Your Knowledge
Advance Your Career
Professional ASP.NET 3.5 Security, Membership, and
Role Management
978-0-470-37930-1
As the first book to address ASP.NET 3.5, AJAX, and IIS 7.0 security from
the developer’s point of view, this book begins with a look at the new
features of IIS 7.0 and then goes on to focus on IIS 7.0 and ASP.NET 3.5
integration. You’ll walk through a detailed explanation of the request
life cycle for an ASP.NET application running on IIS 7.0 under the classic
mode, from the moment it enters IIS 7.0 until ASP.NET generates a corresponding response.
Professional ASP.NET 3.5 MVC
978-0-470-38461-9
The ASP.NET 3.5 MVC Framework enables Microsoft developers to
create dynamic data-driven web sites. Packed with real-world examples,
this authoritative guide is written by the Microsoft team behind the
technology and uses a real-world sample application using MVC in order
to explain the tools and technologies that complement MVC, such as
SubSonic, LINQ, jQuery, and REST.
Professional ASP.NET 3.5 AJAX
978-0-470-39217-1
The ASP.NET AJAX toolkit is an excellent way to immediately start using
AJAX features in applications in that it offers both excitement and enterprise appeal to developers. Professional ASP.NET 3.5 AJAX explains how
you can use these features to build amazing Web sites. Coverage of the

code to keep you up to date and out of
trouble!
Chapters on Demand
Purchase individual book chapters in pdf
format
Join the Community
Sign up for our free monthly newsletter at
newsletter.wrox.com
Browse
Ready for more Wrox? We have books and
e-books available on .NET, SQL Server, Java,
XML, Visual Basic, C#/ C++, and much more!
Contact Us.
We always like to get feedback from our readers. Have a book idea?
Need community support? Let us know by e-mailing [email protected]
Professional ASP.NET 3.5 Security, Membership,
and Role Management with C# and VB
Introduction xxiii
Chapter 1: Introducing IIS 7.0 1
Chapter 2: IIS 7.0 and ASP.NET Integrated Mode 29
Chapter 3: HTTP Request Processing in IIS 7.0 Integrated Model 79
Chapter 4: A Matter of Trust 147
Chapter 5: Configuration System Security 223
Chapter 6: Forms Authentication 287
Chapter 7: Integrating ASP.NET Security with Classic ASP 373
Chapter 8: Session State 417
Chapter 9: Security for Pages and Compilation 449
Chapter 10: The Provider Model 469
Chapter 11: Membership 519

copyright © 2006 Stefan Schackow, published by Wiley Publishing, Inc.
Published simultaneously in Canada
ISBN: 978-0-470-37930-1
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Library of Congress Cataloging-in-Publication Data
Haidar, Bilal.
Professional ASP.NET 3.5 security, membership, and role management with C# and VB / Bilal Haidar,
Stefan Schackow.
p. cm.
Includes index.
ISBN 978-0-470-37930-1 (paper/website)
1. Active server pages. 2. Microsoft .NET. 3. Computer security. 4. Web site development.
I. Schackow, Stefan, 1970- II. Title.
QA76.9.A25H344 2008
005.8—dc22
2008036129
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976
United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of
the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc.,
10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/
permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to
the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation
warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The
advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the
services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages

tant in Microsoft Consulting Services (MCS) with enterprise customers.
79301ffirs.indd 7 10/7/08 12:39:22 PM
Credits
Acquisitions Director
Jim Minatel
Development Editors
John Sleeva
Gus Miklos
Technical Editor
Alexei Gorkov
Production Editor
Kathleen Wisor
Copy Editor
Christopher M. Jones
Editorial Manager
Mary Beth Wakefield
Production Manager
Tim Tate
Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Joseph B. Wikert
Project Coordinator, Cover
Lynsey Stanford
Compositor
James D. Kramer, Happenstance Type-O-Rama
Proofreader
Publication Services, Inc.
Indexer

Security Improvements 11
Troubleshooting Improvements 12
Application Pools 17
Integrated Mode 18
Classic Mode 18
IIS 7.0 Components 19
Protocol Listeners 19
World Wide Web Publishing Service 19
Windows Process Activation Service 20
IIS 7.0 Modules 22
Unmanaged Modules 22
Managed Modules 25
Summary 26
Chapter 2: IIS 7.0 and ASP.NET Integrated Mode 29
Advantages of IIS 7.0 and ASP.NET Integrated Mode 30
IIS 7.0 Integrated Mode Architecture 31
system.webServer Configuration Section Group 34
Migrating ASP.NET Applications to Integrated Mode 42
Extending IIS 7.0 with Managed Handlers and Modules 49
Summary 77
Chapter 3: HTTP Request Processing in IIS 7.0 Integrated Model 79
Built-in IUSR Account and IIS_IUSRS Group 80
xiv
Contents
Integrated Mode Per-Request Security 81
Where Is the Security Identity for a Request? 87
Establishing the Operating System Thread Identity 92
The Unified Processing Pipeline 98
Thread Identity and Asynchronous Pipeline Events 100

Managing the Native versus Managed Configuration Systems 236
IIS 7.0 Feature Delegation 238
Reading and Writing Configuration 244
Permissions Required for Reading Local Configuration 247
Permissions Required for Writing Local Configuration 249
Permissions Required for Remote Editing 251
Using Configuration in Partial Trust 253
The requirePermission Attribute 255
Demanding Permissions from a Configuration Class 257
FileIOPermission and the Design-Time API 258
Protected Configuration 259
What Can’t You Protect? 260
Selecting a Protected Configuration Provider 261
Defining Protected Configuration Providers 264
DpapiProtectedConfigurationProvider 265
RsaProtectedConfigurationProvider 267
aspnet_regiis Options 273
Using Protected Configuration Providers in Partial Trust 274
Redirecting Configuration with a Custom Provider 278
Summary 285
Chapter 6: Forms Authentication 287
A Quick Recap of Forms Authentication 288
Understanding Persistent Tickets 288
How Forms Authentication Enforces Expiration 291
Securing the Ticket on the Wire 295
How Secure Are Signed Tickets? 295
Encryption Options in ASP.NET 2.0 and 3.5 299

Using the DefaultHttpHandler 384
Serving Classic ASP in IIS 7.0 Integration Mode 387
Authenticating Classic ASP with ASP.NET 389
Will Cookieless Forms Authentication Work? 391
Passing Data to ASP from ASP.NET 392
Passing Username to ASP 394
Authenticating Classic ASP with IIS 7.0 Integrated Mode 394
Authorizing Classic ASP with ASP.NET 396
Passing User Roles to Classic ASP 397
Safely Passing Sensitive Data to Classic ASP 398
Full Code Listing of the Hash Helper 407
Authorizing Classic ASP with IIS 7.0 Integrated Mode 410
Passing Data from ASP.NET to Classic ASP in IIS 7.0 Integrated Mode 411
Summary 414
Chapter 8: Session State 417
Does Session State Equal Logon Session? 417
Session Data Partitioning 420
Cookie-Based Sessions 421
Sharing Cookies Across Applications 422
Protecting Session Cookies 423
Session ID Reuse 424
Cookieless Sessions 424
Configuring Session State Inside IIS 7.0 426
Session State for Applications Running in IIS 7.0 Integrated Mode 427
Session ID Reuse and Expired Sessions 435
Session ID Denial-of-Service Attacks 437
Trust Levels and Session State 439

Why Are Only Certain Properties Updatable? 534
DateTime Assumptions 536
The MembershipProvider Base Class 537
Basic Configuration 541
User Creation and User Updates 541
Retrieving Data for a Single User 544
Retrieving and Searching for Multiple Users 545
Validating User Credentials 545
Supporting Self-Service Password Reset or Retrieval 547
Tracking Online Users 549
General Error-Handling Approaches 550
The “Primary Key” for Membership 552
Supported Environments 554
Using Custom Hash Algorithms 557
Summary 560
Chapter 12: SqlMembershipProvider 561
Understanding the Common Database Schema 562
Storing Application Name 562
The Common Users Table 563
Versioning Provider Schemas 566
Querying Common Tables with Views 568
Linking Custom Features to User Records 569
Why Are There Calls to the LOWER Function? 572
The Membership Database Schema 573
SQL Server-Specific Provider Configuration Options 576
Working with SQL Server Express 577
Sharing Issues with SSE 582

Container Nesting 660
Securing Containers 662
Configuring Self-Service Password Reset 667
Using ADLDS 675
Installing ADLDS with an Application Partition 677
Using the Application Partition 682
Using the Provider in Partial Trust 685
Summary 690
Chapter 14: Role Manager 691
The Roles Class 692
The RolePrincipal Class 695
The RoleManagerModule 707
PostAuthenticateRequest 707
EndRequest 711
Role Cache Cookie Settings and Behavior 712
Working with Multiple Providers during GetRoles 714
RoleProvider 722
Basic Configuration 724
Authorization Methods 724
Managing Roles and Role Associations 725
WindowsTokenRoleProvider 726
Summary 733
Chapter 15: SqlRoleProvider 735
SqlRoleProvider Database Schema 735
SQL Server-Specific Provider Configuration Options 737
Transaction Behavior 738
Provider Security 739

Developers Beware 827
Know Your Users 827
Run Applications with Minimum Privileges 829
Validate User Input 829
Secure Cookies 838
Secure Database Access 841
SQL Injection Attacks 849
Cross-Site Scripting 853
Cross-Site Request Forgery 857
Handle Exceptions Properly 861
Guard Against Denial-of-Service Threats 866
Secure Data Transmission 872
AJAX-Enabled Application Threats 872
Information Leakage 872
JSON Hijacking 874
Amplified Cross-Site Scripting 876
Summary 878
Index 879
Introduction
This book covers security topics on a wide range of areas in ASP.NET 2.0 and ASP.NET 3.5. It starts with
an introduction to Internet Information Services 7.0 (IIS 7.0) and then explains in detail the new IIS 7.0 Integrated mode of execution. Next is detailed coverage of how security is applied when an ASP.NET application starts up and when a request is processed in the newly introduced integrated request-processing
pipeline. The book then branches out to cover security information for features such as trust levels, forms
authentication, session state, page security, and configuration system security. You will also see how you
