Chapter 7
Membership, Authorization, and Security
What's In This Chapter?
Securing your web applications can seem like a chore. It's something you have to do, but not a whole lot of fun. Nobody looks at your application and says, “Wow! Check out how well they secured my personally identifiable information! This programmer rules!” Security is generally something you have to do because you don't want to be caught in an embarrassing security breach.
No, security doesn't sound like a whole lot of fun. Most of the time, when you read a chapter on security it's either underwritten or very overbearing. The good news for you is that we, the authors, read these books, too — a lot of them — and we're quite aware that we're lucky to have you as a reader, and we're not about to abuse that trust. In short, we really want this chapter to be informative because it's very important!
The number one excuse for insecure applications is a lack of information or understanding on the developer's part, and we'd like to change that — but we also realize that you're human and are susceptible to falling asleep. Given that, we'd like to offer you the punch line first, in what we consider to be a critical summary statement of this chapter:
Never, ever trust any data your users give you. Ever.
There's obviously a lot more we can tell you — including how some common attacks work and what they're after. So hang with us — we're going to venture into the minds of your users, and, yes, the people who are going to try to hack your site are your users, too. You have enemies, and they are waiting for you to build this application of yours so they can come and break into it. If you haven't faced this before, it's usually for one of two reasons:
Hackers, crackers, spammers, viruses, malware — they want in to your computer and the data inside it. Chances are that your e-mail inbox has deflected many e-mails in the time that it's taken you to read this. Your ports have been scanned, and most likely an automated worm has tried to find its way into your PC through various operating system holes. These attacks are automated, so they're constantly probing, looking for an open system.
This may seem like a dire way to start this chapter; however, there is one thing that you need to understand straight off the bat: It's not personal. You're just not part of the equation. It's a fact of life that some people consider all computers (and their information) fair game.
Meanwhile, your applications are built with the assumption that only certain users should be able to perform some actions, and no user should ever be able to perform others. There's a radical disconnect between how you hope your application will be used and how hackers hope to abuse it. This chapter explains how to make use of the membership, authorization, and security features in ASP.NET MVC to keep both your users and the anonymous horde of attackers in line.
This chapter starts with a look at how to use the security features in ASP.NET MVC to perform application functions like authorization, then moves on to look at how to handle common security threats. Remember that it's all part of the same continuum, though. You want to make sure that everyone who accesses your ASP.NET MVC application uses it in the way you intended. That's what security is all about.