How secure is the ASP.NET Membership framework?

3

12

What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking?

Synaesthesia answered 27/7, 2009 at 3:29 Comment(0)
5

In regard to best practices, there is a short WIKI called ASP.NET 2.0 Security Inspection Questions that lists security considerations when using a membership provider. It may be of some use?

Rectitude answered 27/7, 2009 at 10:0 Comment(0)
2

Omar AL Zabir blogged on some updates he made to the stored procedures that were needed for a high user site implementation. His suggestion is basically to use either

WITH (NOLOCK)

or

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

before the SELECT queries in the membership stored procedures.

Optimize asp net membership stored procedures for greater speed and scalability

Airdrome answered 27/7, 2009 at 4:34 Comment(2)
nice link, but that addresses performance/scalability more so than security robustness – Synaesthesia
true.. I was answering the 'best practices' part... On re-reading the question that may have been best practices for security rather than best practice in general... I guess no harm in leaving the answer anyway? – Airdrome
1

I'm not sure if this is a problem for the ASP.NET Membership bits per se, but don't forget to ensure that there is a secret generated on the server and authenticated on POST so you can be sure that the form post came from your app.

There may be other (better) ways to do this; I'm just sharing what I know.

Calgary answered 27/7, 2009 at 4:27 Comment(0)
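The check described in the answer above is the synchronizer-token (anti-CSRF) pattern; in ASP.NET MVC it is provided by `Html.AntiForgeryToken()` together with `[ValidateAntiForgeryToken]`. The following is an added illustration of the mechanism in Python, not ASP.NET's own implementation: the server keys a MAC over a per-form nonce and the caller's session id, embeds it as a hidden field, and refuses any POST whose token is missing, tampered with, or issued for a different session. The field name `__RequestVerificationToken` is borrowed from ASP.NET; the session ids and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret (constructed for this example; in production it is
# generated once, kept out of source control, and never sent to the client).
SERVER_KEY = secrets.token_bytes(32)


def _mac(key: bytes, session_id: str, nonce: str) -> str:
    # Bind the token to the caller's session so a token harvested from one
    # session cannot be replayed together with another user's cookie.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Value to embed as a hidden field in a form rendered by the server."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(key, session_id, nonce)}"


def validate_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Check the token submitted with a POST against the session it was issued for."""
    if not token or "." not in token:
        return False
    nonce, presented = token.split(".", 1)
    expected = _mac(key, session_id, nonce)
    # Constant-time comparison so the MAC cannot be recovered byte by byte via timing.
    return hmac.compare_digest(presented, expected)


def handle_post(session_id: str, form: dict, key: bytes = SERVER_KEY) -> str:
    """Simulated POST handler: reject the request unless its token checks out."""
    if not validate_token(session_id, form.get("__RequestVerificationToken", ""), key):
        return "403 Forbidden: anti-forgery token missing or invalid"
    return "200 OK: form accepted"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    token = issue_token(sid)
    print(handle_post(sid, {"__RequestVerificationToken": token}))
    print(handle_post("session-other", {"__RequestVerificationToken": token}))  # replayed under another session
    print(handle_post(sid, {}))  # cross-site POST that never saw the form
```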
