Professional
ASP.NET 3.5 Security, Membership, and
Role Management
with C# and VB
Enhance Your Knowledge
Advance Your Career
Professional ASP.NET 3.5 Security, Membership, and
Role Management
978-0-470-37930-1
As the first book to address ASP.NET 3.5, AJAX, and IIS 7.0 security from
the developer’s point of view, this book begins with a look at the new
features of IIS 7.0 and then goes on to focus on IIS 7.0 and ASP.NET 3.5
integration. You’ll walk through a detailed explanation of the request
life cycle for an ASP.NET application running on IIS 7.0 under the classic
mode, from the moment it enters IIS 7.0 until ASP.NET generates a corre-
sponding response.
Professional ASP.NET 3.5 MVC
978-0-470-38461-9
The ASP.NET 3.5 MVC Framework enables Microsoft developers to
create dynamic data-driven web sites. Packed with real-world examples,
this authoritative guide is written by the Microsoft team behind the
technology and uses a real-world sample application using MVC in order
to explain the tools and technologies that compliment MVC, such as
SubSonic, LINQ, jQuery, and REST.
Professional ASP.NET 3.5 AJAX
978-0-470-39217-1
The ASP.NET AJAX toolkit is an excellent way to immediately start using
AJAX features in applications in that it offers both excitement and enter-
prise appeal to developers. Professional ASP.NET 3.5 AJAX explains how
you can use these features to build amazing Web sites. Coverage of the

client library, the ScriptManager server control, ASP.NET AJAX applica-
tion services and networking, databases and Web services, testing and
debugging, and deploying applications demonstrates how the client and
server need to interact in order to produce a better Web application.
Professional ASP.NET 3.5
978-0-470-18757-9
Professional ASP.NET 3.5 helps the experienced programmer put the latest ASP.NET technologies into action. Greatly expanded
from the original best-selling Professional ASP.NET 2.0, Professional ASP.NET 3.5 covers all the key technologies retained from
2.0 in new depth alongside the hundreds of pages of coverage of the important new 3.5 features. Written by 3 of the most well-
known and influential ASP.NET developers, Professional ASP.NET 3.5 is the book you’ll learn the language from and turn to day
after day as you write Web applications. And as always, Professional ASP.NET 3.5 features language examples in the book and
in the code download in both C# and VB.
Beginning ASP.NET 3.5
978-0-470-18759-3
Imar Spaanjaar’s book for programmers new to ASP.NET 3.5 has been widely praised as a well-organized tome of information
written by a Web developer for Web developers. Throughout the book the author works through the steps of creating an actual,
fully-functional ASP.NET 3.5 Web site. Each chapter builds on skills learned in the previous sections of the book, allowing the
reader to gain confidence working with ASP.NET 3.5 as they progress through the book.
Get more out of
WROX.com
Programmer to Programmer
™
Interact
Take an active role online by participating in
our P2P forums
Wrox Online Library
Hundreds of our books are available online
through Books24x7.com
Wrox Blox
Download short informational pieces and

code to keep you up to date and out of
trouble!
Chapters on Demand
Purchase individual book chapters in pdf
format
Join the Community
Sign up for our free monthly newsletter at
newsletter.wrox.com
Browse
Ready for more Wrox? We have books and
e-books available on .NET, SQL Server, Java,
XML, Visual Basic, C#/ C++, and much more!
Contact Us.

We always like to get feedback from our readers. Have a book idea?
Need community support? Let us know by e-mailing
spine=1.872"
Professional ASP.NET 3.5 Security, Membership,
and Role Management with C# and VB
Introduction xxiii
Chapter 1: Introducing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2: IIS 7.0 and ASP.NET Integrated Mode . . . . . . . . . . . . . . . . . . . . . 29
Chapter 3: HTTP Request Processing in IIS 7.0 Integrated Model . . . . . . . . . 79
Chapter 4: A Matter of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Chapter 5: Configuration System Security. . . . . . . . . . . . . . . . . . . . . . . . . . 223
Chapter 6: Forms Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Chapter 7: Integrating ASP.NET Security with Classic ASP . . . . . . . . . . . . . 373
Chapter 8: Session State 417
Chapter 9: Security for Pages and Compilation 449
Chapter 10: The Provider Model 469

Chapter 11: Membership 519
Chapter 12: SqlMembershipProvider 561
Chapter 13: ActiveDirectoryMembership Provider 639
Chapter 14: Role Manager 691
Chapter 15: SqlRoleProvider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Chapter 16: AuthorizationStoreRoleProvider 763
Chapter 17: Membership and Role Management in ASP.NET AJAX 3.5 791
Chapter 18: Best Practices for Securing ASP.NET Web Applications . . . . . . 823
Index 879
79301ffirs.indd 1 10/7/08 12:39:21 PM
79301ffirs.indd 2 10/7/08 12:39:22 PM
Professional
ASP.NET 3.5 Security, Membership,
and Role Management with C# and VB
79301ffirs.indd 3 10/7/08 12:39:22 PM
79301ffirs.indd 4 10/7/08 12:39:22 PM
Professional
ASP.NET 3.5 Security, Membership,
and Role Management with C# and VB
Bilal Haidar
Stefan Schackow
79301ffirs.indd 5 10/7/08 12:39:22 PM
Professional ASP.NET 3.5 Security, Membership,
and Role Management with C# and VB
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2009 by Wiley Publishing, Inc., Indianapolis, Indiana

Portions based on the previous work Professional ASP.NET 2.0 Security, Membership, and Role Management, by Stefan Schackow,
copyright © 2006 Stefan Schackow, published by Wiley Publishing, Inc.
Published simultaneously in Canada
ISBN: 978-0-470-37930-1
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Library of Congress Cataloging-in-Publication Data
Haidar, Bilal.
Professional ASP.NET 3.5 security, membership, and role management with C# and VB / Bilal Haidar,
Stefan Schackow.
p. cm.
Includes index.
ISBN 978-0-470-37930-1 (paper/website)
1. Active server pages. 2. Microsoft .NET. 3. Computer security. 4. Web site development.
I. Schackow, Stefan, 1970- II. Title.
QA76.9.A25H344 2008
005.8—dc22
2008036129
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, elec-
tronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976
United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of
the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc.,
10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at />permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to
the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation
warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The
advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the
services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages

arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of
further information does not mean that the author or the publisher endorses the information the organization or Web site may
provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have
changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United
States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Wrox Programmer to Programmer, and related trade dress are trade-
marks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may
not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc.,
is not associated with any product or vendor mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in elec-
tronic books.
79301ffirs.indd 6 10/7/08 12:39:22 PM
About the Author
Bilal Haidar has a BE in Computer Engineering and a BS in Computer Science with a minor in Math-
ematics from the Lebanese American University (LAU). He has authored several online articles for
www.aspalliance.com, www.code-magazine.com, and www.aspnetpro.com, and is one of the top post-
ers at the ASP.NET forums. Bilal has been a Microsoft MVP in ASP.NET since 2004, as well as a Microsoft
Certified Trainer, and currently works as a senior developer for Consolidated Contractors Company (CCC),
a multinational company whose headquarters are based in Athens, Greece (
www.ccc.gr
). Bilal runs his
own blog, where he shares his technical experience and can be reached at

.
About the Previous Author
Stefan Schackow is a Program Manager on the Web Platform and Tools Team at Microsoft. During
the Visual Studio 2005 cycle, he worked on the new application services stack in Visual Studio 2005
and owned the Membership, Role Manager, Profile, Personalization and Site Navigation features in
ASP.NET 2.0. He also worked on features for Microsoft’s ASP.NET hosting solution. Currently, Stefan

is working and speaking on Silverlight for Microsoft. He is a frequent speaker at Microsoft developer
conferences. Prior to joining the ASP.NET team, Stefan worked as an application development consul-
tant in Microsoft Consulting Services (MCS) with enterprise customers.
79301ffirs.indd 7 10/7/08 12:39:22 PM
79301ffirs.indd 8 10/7/08 12:39:22 PM
Credits
Acquisitions Director
Jim Minatel
Development Editors
John Sleeva
Gus Miklos
Technical Editor
Alexei Gorkov
Production Editor
Kathleen Wisor
Copy Editor
Christopher M. Jones
Editorial Manager
Mary Beth Wakefield
Production Manager
Tim Tate
Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Joseph B. Wikert
Project Coordinator, Cover
Lynsey Stanford
Compositor
James D. Kramer, Happenstance Type-O-Rama
Proofreader

Publication Services, Inc.
Indexer
Jack Lewis
79301ffirs.indd 9 10/7/08 12:39:22 PM
79301ffirs.indd 10 10/7/08 12:39:22 PM
Acknowledgments
The idea of working on this book started when Jim Minatel, Acquisitions Director at Wrox, emailed me
about updating the previous version of this book. Despite the fact that I have been publishing articles
for magazines and online websites for the past few years, I felt the experience of working on such a
book would be really interesting and unique. Only the days later proved me right and made me proud
that I accepted Jim’s offer.
I spent many hours researching new features and upgrades, writing down everything I learned so
that I could share it with you. Many people supported me and provided me with valuable information,
including Scott Guthrie, Billy Hoffman, Mike Volodarsky, Steve Scofield, and Anil Ruia. (I apologize if I
forgot anyone!)
I want to thank the Wiley publishing family, including Jim Minatel, John Sleeva, Gus Miklos, Carol
Kessel, Katie Wisor, and Ashley Zurcher, as well as technical editor Alexei Gorkov.
I cannot forget the support and flexibility that my company, CCC, represented by my managers and col-
leagues, showed me during all the stages of writing this book. Your support and understanding gave
me enough strength to carry on and finish this book.
Finally, a special thanks to my parents and brother and sister, who followed up with me from the begin-
ning of this work and were even more excited about this book than I myself was.
79301ffirs.indd 11 10/7/08 12:39:22 PM
79301ffirs.indd 12 10/7/08 12:39:22 PM
Contents
Introduction xxiii
Introducing IIS 7.0 Chapter 1: 1
Overview of IIS 7.0 2
Modular Architecture 2
Deployment and Configuration Management 4

Improved Administration 6
ASP.NET Integration 9
Security Improvements 11
Troubleshooting Improvements 12
Application Pools 17
Integrated Mode 18
Classic Mode 18
IIS 7.0 Components 19
Protocol Listeners 19
World Wide Web Publishing Service 19
Windows Process Activation Service 20
IIS 7.0 Modules 22
Unmanaged Modules 22
Managed Modules 25
Summary 26
IIS 7.0 and ASP.NET Integrated Mode 2Chapter 2: 9
Advantages of IIS 7.0 and ASP.NET Integrated Mode 30
IIS 7.0 Integrated Mode Architecture 31
system.webServer Configuration Section Group 34
Migrating ASP.NET Applications to Integrated Mode 42
Extending IIS 7.0 with Managed Handlers and Modules 49
Summary 77
HTTP Request Processing in IIS 7.0 Integrated Model 7Chapter 3: 9
Built-in IUSR Account and IIS_IUSRS Group 80
79301ftoc.indd 13 10/6/08 12:09:54 PM
xiv
Contents
Integrated Mode Per-Request Security 81
Where Is the Security Identity for a Request? 87
Establishing the Operating System Thread Identity 92

The Unified Processing Pipeline 98
Thread Identity and Asynchronous Pipeline Events 100
AuthenticateRequest 110
DefaultAuthentication and Thread.CurrentPrincipal 117
PostAuthenticateRequest 120
AuthorizeRequest 122
PostAuthorizeRequest Through PreRequestHandlerExecute 135
Blocking Requests at the IIS Level 135
Identity during Asynchronous Page Execution 137
EndRequest 143
Summary 144
A Matter of Trust 14Chapter 4: 7
What Is an ASP.NET Trust Level? 148
Configuring Trust Levels 150
Anatomy of a Trust Level 155
A Second Look at a Trust Level in Action 162
Creating a Custom Trust Level 167
Additional Trust Level Customizations 171
LINQ in Medium/Partial Trust ASP.NET Applications 179
The Default Security Permissions Defined by ASP.NET 181
Advanced Topics on Partial Trust 195
Summary 221
Configuration System Security 22Chapter 5: 3
Using the <location /> Element 223
The Path Attribute 225
The allowOverride Attribute 226
Using the lockAttributes 227
Locking Attributes 227
Locking Elements 229
Locking Provider Definitions 231

Managing IIS 7.0 Configuration versus ASP.NET Configuration 233
Extending IIS 7.0 with Managed Modules and Handlers 236
Managing the Native versus Managed Configuration Systems 236
IIS 7.0 Feature Delegation 238
79301ftoc.indd 14 10/6/08 12:09:54 PM
xv
Contents
Reading and Writing Configuration 244
Permissions Required for Reading Local Configuration 247
Permissions Required for Writing Local Configuration 249
Permissions Required for Remote Editing 251
Using Configuration in Partial Trust 253
The requirePermission Attribute 255
Demanding Permissions from a Configuration Class 257
FileIOPermission and the Design-Time API 258
Protected Configuration 259
What Can’t You Protect? 260
Selecting a Protected Configuration Provider 261
Defining Protected Configuration Providers 264
DpapiProtectedConfigurationProvider 265
RsaProtectedConfigurationProvider 267
aspnet_regiis Options 273
Using Protected Configuration Providers in Partial Trust 274
Redirecting Configuration with a Custom Provider 278
Summary 285
Forms Authentication 28Chapter 6: 7
A Quick Recap of Forms Authentication 288
Understanding Persistent Tickets 288
How Forms Authentication Enforces Expiration 291
Securing the Ticket on the Wire 295

How Secure Are Signed Tickets? 295
Encryption Options in ASP.NET 2.0 and 3.5 299
Setting Cookie-Specific Security Options 303
requireSSL 303
HttpOnly Cookies 306
slidingExpiration 308
Using Cookieless Forms Authentication 308
Cookieless Options 310
Replay Attacks with Cookieless Tickets 315
The Cookieless Ticket and Other URLs in Pages 317
Payload Size with Cookieless Tickets 319
Unexpected Redirect Behavior 322
Configuring Forms Authentication Inside IIS 7.0 323
Sharing Tickets between 1.1 and 2.0/3.5 324
Using Forms Authentication Across Different Content Types 326
Leveraging the UserData Property 329
79301ftoc.indd 15 10/6/08 12:09:54 PM
xvi
Contents
Passing Tickets Across Applications 332
Cookie Domain 332
Cross-Application Sharing of Ticket 333
Enforcing Single Logons and Logouts 358
Enforcing a Single Logon 359
Enforcing a Logout 368
Summary 372
Integrating ASP.NET Security with Classic ASP 37Chapter 7: 3
IIS 5 ISAPI Extension Behavior 374
IIS 7.0 Wildcard Mappings 375
Configuring a Wildcard Mapping 376

The Resource Type Setting 382
DefaultHttpHandler 383
Using the DefaultHttpHandler 384
Serving Classic ASP in IIS 7.0 Integration Mode 387
Authenticating Classic ASP with ASP.NET 389
Will Cookieless Forms Authentication Work? 391
Passing Data to ASP from ASP.NET 392
Passing Username to ASP 394
Authenticating Classic ASP with IIS 7.0 Integrated Mode 394
Authorizing Classic ASP with ASP.NET 396
Passing User Roles to Classic ASP 397
Safely Passing Sensitive Data to Classic ASP 398
Full Code Listing of the Hash Helper 407
Authorizing Classic ASP with IIS 7.0 Integrated Mode 410
Passing Data from ASP.NET to Classic ASP in IIS 7.0 Integrated Mode 411
Summary 414
Session State 41Chapter 8: 7
Does Session State Equal Logon Session? 417
Session Data Partitioning 420
Cookie-Based Sessions 421
Sharing Cookies Across Applications 422
Protecting Session Cookies 423
Session ID Reuse 424
Cookieless Sessions 424
Configuring Session State Inside IIS 7.0 426
Session State for Applications Running in IIS 7.0 Integrated Mode 427
Session ID Reuse and Expired Sessions 435
Session ID Denial-of-Service Attacks 437
79301ftoc.indd 16 10/6/08 12:09:54 PM
xvii

Contents
Trust Levels and Session State 439
Serialization and Deserialization Requirements 441
Database Security for SQL Session State 445
Security Options for the OOP State Server 447
Summary 447
Security for Pages and Compilation 44Chapter 9: 9
Request Validation and Viewstate Protection 449
Request Validation 450
Securing viewstate 451
Page Compilation 454
Fraudulent Postbacks 458
Site Navigation Security 462
Summary 468
The Provider Model 46Chapter 10: 9
Why Have Providers? 469
Patterns Found in the Provider Model 472
The Strategy Pattern 472
Factory Method 474
The Singleton Pattern 481
Façade 482
Core Provider Classes 484
System.Configuration.Provider Classes 484
System.Web.Configuration Classes 489
System.Configuration Classes 490
Building a Provider-Based Feature 495
Summary 518
Membership 51Chapter 11: 9
The Membership Class 520
The MembershipUser Class 523

Extending MembershipUser 526
MembershipUser State After Updates 529
Why Are Only Certain Properties Updatable? 534
DateTime Assumptions 536
The MembershipProvider Base Class 537
Basic Configuration 541
User Creation and User Updates 541
Retrieving Data for a Single User 544
79301ftoc.indd 17 10/6/08 12:09:55 PM
xviii
Contents
Retrieving and Searching for Multiple Users 545
Validating User Credentials 545
Supporting Self-Service Password Reset or Retrieval 547
Tracking Online Users 549
General Error-Handling Approaches 550
The “Primary Key” for Membership 552
Supported Environments 554
Using Custom Hash Algorithms 557
Summary 560
SqlMembershipProvider 56Chapter 12: 1
Understanding the Common Database Schema 562
Storing Application Name 562
The Common Users Table 563
Versioning Provider Schemas 566
Querying Common Tables with Views 568
Linking Custom Features to User Records 569
Why Are There Calls to the LOWER Function? 572
The Membership Database Schema 573
SQL Server-Specific Provider Configuration Options 576

Working with SQL Server Express 577
Sharing Issues with SSE 582
Changing the SSE Connection String 583
Database Security 584
Database Schemas and the DBO User 586
Changing Password Formats 588
Custom Password Generation 590
Implementing Custom Encryption 594
Enforcing Custom Password Strength Rules 598
Hooking the ValidatePassword Event 600
Implementing Password History 602
Account Lockouts 618
Implementing Automatic Unlocking 621
Supporting Dynamic Applications 626
Managing an Application’s Users Through IIS 7.0 632
Summary 637
ActiveDirectoryMembershipProvider 63Chapter 13: 9
Supported Directory Architectures 640
79301ftoc.indd 18 10/6/08 12:09:55 PM
xix
Contents
Provider Configuration 642
Directory Connection Settings 642
Directory Schema Mappings 645
Provider Settings for Search 648
MembershipProvider Settings 649
Unique Aspects of Provider Functionality 651
ActiveDirectoryMembershipUser 654
IsApproved and IsLockedOut 655
Using the ProviderUserKey Property 655

Working with Active Directory 657
UPNs and SAM Account Names 659
Container Nesting 660
Securing Containers 662
Configuring Self-Service Password Reset 667
Using ADLDS 675
Installing ADLDS with an Application Partition 677
Using the Application Partition 682
Using the Provider in Partial Trust 685
Summary 690
Role Manager 69Chapter 14: 1
The Roles Class 692
The RolePrincipal Class 695
The RoleManagerModule 707
PostAuthenticateRequest 707
EndRequest 711
Role Cache Cookie Settings and Behavior 712
Working with Multiple Providers during GetRoles 714
RoleProvider 722
Basic Configuration 724
Authorization Methods 724
Managing Roles and Role Associations 725
WindowsTokenRoleProvider 726
Summary 733
SqlRoleProvider 73Chapter 15: 5
SqlRoleProvider Database Schema 735
SQL Server-Specific Provider Configuration Options 737
Transaction Behavior 738
79301ftoc.indd 19 10/6/08 12:09:55 PM
xx

Contents
Provider Security 739
Trust-Level Requirements and Configuration 739
Database Security 745
Working with Windows Authentication 746
Running with a Limited Set of Roles 748
Authorizing with Roles in the Data Layer 755
Supporting Dynamic Applications 757
Managing an Application’s Roles Through IIS 7.0 758
Summary 760
AuthorizationStoreRoleProvider 76Chapter 16: 3
Provider Design 763
Supported Functionality 766
Using a File-Based Policy Store 768
Using a Directory-Based Policy Store 771
Using a Microsoft SQL Server Database-Based Policy Store 780
Working in Partial Trust 783
Using Membership and Role Manager Together 786
Summary 789
Membership and Role Management in ASP.NET AJAX 3.5 79Chapter 17: 1
ASP.NET Membership and Role Services Overview 792
ASP.NET Membership 792
ASP.NET Role Management 794
ASP.NET AJAX Application Services 796
Enabling ASP.NET Applications with ASP.NET AJAX 3.5 796
Enabling ASP.NET Application Services 801
AuthenticationServiceManager and RoleServiceManager Classes 803
Authentication Service 804
Role Service 816
Summary 822

Best Practices for Securing ASP.NET Web Applications 82Chapter 18: 3
Web Application Security Threats Overview 824
Developers Beware 827
Know Your Users 827
Run Applications with Minimum Privileges 829
Validate User Input 829
Secure Cookies 838
79301ftoc.indd 20 10/6/08 12:09:55 PM
xxi
Contents
Secure Database Access 841
SQL Injection Attacks 849
Cross-Site Scripting 853
Cross-Site Request Forgery 857
Handle Exceptions Properly 861
Guard Against Denial-of-Service Threats 866
Secure Data Transmission 872
AJAX-Enabled Application Threats 872
Information Leakage 872
JSON Hijacking 874
Amplified Cross-Site Scripting 876
Summary 878
Index 879
79301ftoc.indd 21 10/6/08 12:09:55 PM
79301ftoc.indd 22 10/6/08 12:09:55 PM
Introduction
This book covers security topics on a wide range of areas in ASP.NET 2.0 and ASP.NET 3.5. It starts with
an introduction to Internet Information Services 7.0 (IIS 7.0) and then explains in detail the new IIS 7.0 Inte-
grated mode of execution. Next is detailed coverage of how security is applied when an ASP.NET appli-
cation starts up and when a request is processed in the newly introduced integrated request-processing

pipeline. The book then branches out to cover security information for features such as trust levels, forms
authentication, session state, page security, and configuration system security. You will also see how you
can benefit from the IIS 7.0 Integrated mode to make use of ASP.NET features to handle non-managed or
native requests such as classic ASP due to the fact that ASP.NET and IIS 7.0 join efforts to form an inte-
grated request-processing pipeline to handle requests. Over the course of these topics, you will gain a
solid understanding of many of the less publicized security features in ASP.NET 2.0 and ASP.NET 3.5.
The book switches gears in Chapter 10 to address two security services in ASP.NET 2.0 and ASP.NET 3.5:
Membership and Role Manager. You start out learning about the provider model that underlies both
of these features. Then you get a detailed look at the internals of both features, as well as the SQL- and
Active Directory-based providers included with them. After reading through these topics, you will have
a thorough background on how you can work with those providers and how you can extend them in
your applications. The discussion about the ASP.NET features continues, with Chapter 17 dedicated to
the ASP.NET AJAX 3.5 security integration with ASP.NET 3.5, showing how to authenticate/authorize
users with JavaScript code written on the client-side.
Finally, the book closes with a chapter on the best practices ASP.NET developers should follow to pro-
tect their ASP.NET applications from malicious attacks.
Who This Book Is For
This book is intended for developers who already have a solid understanding of ASP.NET 1.1 and
ASP.NET 2.0 security concepts in the area of forms authentication, page security, and website autho-
rization. Where the book addresses functionality such as Membership and Role Manager, it assumes
that you have already used these features and have a good understanding of the general functionality
provided by both of them. It is also assumed that you have already worked with ASP.NET AJAX 3.5.
This book does not rehash widely available public information on various features or API reference
documentation.
Instead, you will find that the book has been written to “peel back the covers” of various ASP.NET
security features so that you can gain a much deeper understanding of the security options available to
you. The book focuses on explaining the new IIS 7.0 and its Integrated mode of execution, showing the
importance of this new mode and how ASP.NET applications benefit from it. The book also addresses
lesser known security functionality such as ASP.NET trust levels so that you can take advantage of
these approaches in your own applications.

If you are looking for an overview on IIS 7.0 and its unified/integrated request-processing pipeline, you
will find Chapters 1 and 2 useful. If you are seeking a deep dive on general ASP.NET 2.0 and ASP.NET 3.5
79301flast.indd 23 10/6/08 12:06:26 PM