Securing ASP.NET Websites

This isn't writing by an expert who has created a lot of websites and gone through hacks and so on. I haven't yet gone through any hazards regarding the security of websites, because none of my websites has been launched yet.

So to begin with: how I thought about it and why it's considered important.
On starting my Final Year Project, after long consideration of ideas, I selected a Web Based Human Resource Management System (I named it FAMe WHRMS). I then analyzed a lot of online WHRMS systems of this type and also visited some organizations that were using desktop-based HRMS, so it was startlingly difficult to think of a WHRMS without having a look at a running WHRMS.
I went through a lot of websites for ideas and got useful information to start with, and seniors guided me a lot.
So while I was developing the database for this website, I hadn't considered security issues at the start. Then I learned that for any organization the data and information are most critical, and that authentication and authorization for the website are a really challenging and important issue to consider.

So considering security from the database perspective, I first divided the users into categories for authorization: external users (visiting the website) and internal users (using, managing and having access to internal data and information).
Then I discussed it with a lot of seniors, went through a lot of documentation, and decided that the users' tables in the database should be different, meaning that a separate table is built for authentication purposes (tb_webuser_login), holding the registered users and the employees (Admin, HR Managers and Employees).
The important thing in this table was the Role column.
Role separates each user with regard to authorization. During authentication the Role value is placed in the Session, and then in each web page's PageLoad event a check is made on the Role value and each user is authorized accordingly. This secures the website and might be known as Page Level Security.
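As an added example (not code from the FAMe WHRMS project), here is one way to centralise that role check in ASP.NET Web Forms so it cannot be forgotten on an individual page: a hypothetical `RoleCheckedPage` base class runs the check in `OnInit`, which fires before `Page_Load`, and each internal page only declares which roles may open it. The page names, role strings and the `Session["Role"]` key are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.UI;

// Hypothetical base class: every internal page inherits from it and
// declares the roles allowed to open it. The check runs in OnInit, so it
// happens before Page_Load and before any control logic on the page.
public abstract class RoleCheckedPage : Page
{
    // Roles permitted on the derived page, e.g. "Admin", "HRManager".
    protected abstract string[] AllowedRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Session["Role"] must be set only by the login page, after the
        // credentials were verified server-side against tb_webuser_login.
        string role = Session["Role"] as string;

        if (string.IsNullOrEmpty(role))
        {
            // Not authenticated: go to login and remember the requested page.
            // endResponse = true stops any further processing of this request.
            Response.Redirect("~/Login.aspx?ReturnUrl=" +
                HttpUtility.UrlEncode(Request.RawUrl), true);
            return;
        }

        if (!AllowedRoles.Contains(role, StringComparer.Ordinal))
        {
            // Authenticated, but this role is not authorized for this page.
            Response.Redirect("~/AccessDenied.aspx", true);
        }
    }
}

// Example internal page: only HR managers and admins may reach it.
public partial class EmployeeSalaries : RoleCheckedPage
{
    protected override string[] AllowedRoles
    {
        get { return new[] { "Admin", "HRManager" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs only when the role check in OnInit has passed.
    }
}
```

Comparing roles with `StringComparer.Ordinal` avoids culture-dependent matches, and redirecting with `endResponse = true` makes sure the rest of the page never renders for an unauthorized user.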

Another issue that came along with respect to security was Email Verification or Email Authentication, in which a user signs up to my website but can't sign in until he verifies his email ID. This is the method mostly used in sign-up processes worldwide: when a user signs up, his temporary data is stored in a Temp-User or Temp-Applicant table and he can't sign in until he verifies his email address.
In the email verification process I have to use the QueryString property, which is used to send information about that particular user and helps in identifying a particular user.
The main issue in securing the QueryString is that the information is sent by appending it to the URL, separated by a "?" mark; the issue is that it gets decrypted and the user's info gets hacked, as happened with HOTMAIL. So a good encryption technique is necessary, one that is almost 16-bit encryption and is very hard to decrypt.
Another main issue is using a Tiered Approach to secure the website, and that is my next topic.
