We have three types of authentication:
1. Form authentication
2. Windows authentication
This has to be declared in web.config file.
What are the authentication methods in .NET?
ASP.NET Authentication Providers and IIS Security
ASP.NET implements authentication using authentication providers, which are code modules that verify credentials and implement other security functionality such as cookie generation. ASP.NET supports the following three authentication providers:
Forms Authentication. Using this provider causes unauthenticated requests to be redirected to a specified HTML form using client side redirection. The user can then supply logon credentials, and post the form back to the server. If the application authenticates the request (using application-specific logic), ASP.NET issues a cookie that contains the credentials or a key for reacquiring the client identity. Subsequent requests are issued with the cookie in the request headers, which means that subsequent authentications are unnecessary.
Passport Authentication. This is a centralized authentication service provided by Microsoft that offers a single logon facility and membership services for participating sites. ASP.NET, in conjunction with the Microsoft® Passport software development kit (SDK), provides similar functionality as Forms Authentication to Passport users.
Windows Authentication. This provider utilizes the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity's token to authorize access.
Security types in ASP/ASP.NET? Different Authentication modes?
How .Net has implemented security for web applications?
How to do Forms authentication in asp.net?
Explain authentication levels in .net ?
Explain autherization levels in .net ?
What is Role-Based security?
A role is a named set of principals that have the same privileges with respect to security (such as a teller or a manager). A principal can be a member of one or more roles. Therefore, applications can use role membership to determine whether a principal is authorized to perform a requested action.
How will you do windows authentication and what is the namespace? If a user is logged under integrated windows authentication mode, but he is still not able to logon, what might be the possible cause for this? In ASP.Net application how do you find the name of the logged in person under windows authentication?
What are the different authentication modes in the .NET environment?
timeout="30" path="/" >
Attribute Option Description
mode Controls the default authentication mode for an application.
Windows Specifies Windows authentication as the default authentication mode. Use this mode when using any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates.
Forms Specifies ASP.NET forms-based authentication as the default authentication mode.
Passport Specifies Microsoft Passport authentication as the default authentication mode.
None Specifies no authentication. Only anonymous users are expected or applications can handle events to provide their own authentication.
ASP.NET Authentication Providers and IIS Security
ASP.NET implements authentication using authentication providers, which are code modules that verify credentials and implement other security functionality such as cookie generation. ASP.NET ...
How do you specify whether your data should be passed as Query string and Forms (Mainly about POST and GET)
Through attribute tag of form tag.
What is the other method, other than GET and POST, in ASP.NET?
A set of server controls included with ASP.NET that test user input in HTML and Web server controls for programmer-defined requirements. Validation controls perform input checking in server code. If the user is working with a browser that supports DHTML, the validation controls can also perform validation ("EnableClientScript" property set to true/false) using client script.
The following validation controls are available in asp.net:
RequiredFieldValidator Control, CompareValidator Control, RangeValidator Control, RegularExpressionValidator Control, CustomValidator Control, ValidationSummary Control.
Which two properties are there on every validation control?
How do you use css in asp.net?
Within the section of an HTML document that will use these styles, add a link to this external CSS style sheet that
follows this form:
MyStyles.css is the name of your external CSS style sheet.
How do you implement postback with a text box? What is postback and usestate?
Make AutoPostBack property to true
How can you debug an ASP page, without touching the code?
What is SQL injection?
An SQL injection attack "injects" or manipulates SQL code by adding unexpected SQL to a query.
Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password.
Username: ' or 1=1 ---
This would execute the following query against the users table:
select count(*) from users where userName='' or 1=1 --' and userPass=''
How can u handle Exceptions in Asp.Net?
How can u handle Un Managed Code Exceptions in ASP.Net?
Asp.net - How to find last error which occurred?
LastError = Server.GetLastError();
if (LastError != null)
ErrMessage = LastError.Message;
ErrMessage = "No Errors";
Response.Write("Last Error = " + ErrMessage);
How to do Caching in ASP?
A: <%@ OutputCache Duration="60" VaryByParam="None" %>
VaryByParam value Description
none One version of page cached (only raw GET)
* n versions of page cached based on query string and/or POST body
v1 n versions of page cached based on value of v1 variable in query string or POST body
v1;v2 n versions of page cached based on value of v1 and v2 variables in query string or POST body
<%@ OutputCache Duration="60" VaryByParam="none" %>
<%@ OutputCache Duration="60" VaryByParam="*" %>
<%@ OutputCache Duration="60" VaryByParam="name;age" %>
The OutputCache directive supports several other cache varying options
• VaryByHeader - maintain separate cache entry for header string changes (UserAgent, UserLanguage, etc.)
• VaryByControl - for user controls, maintain separate cache entry for properties of a user control
• VaryByCustom - can specify separate cache entries for browser types and version or provide a custom GetVaryByCustomString method in HttpApplicationderived class
What is the Global ASA(X) File?
Any alternative to avoid name collisions other then Namespaces.
A scenario that two namespaces named N1 and N2 are there both having the same class say A. now in another class i ve written
using N1;using N2;
and i am instantiating class A in this class. Then how will u avoid name collisions?
Ans: using alias
Eg: using MyAlias = MyCompany.Proj.Nested;
Which is the namespace used to write error message in event Log File?
What are the page level transaction and class level transaction?
What are different transaction options?
What is the namespace for encryption?
What is the difference between application and cache variables?
What is the difference between control and component?
You ve defined one page_load event in aspx page and same page_load event in code behind how will prog run?
Where would you use an IHttpModule, and what are the limitations of any approach you might take in implementing one?
Can you edit data in the Repeater control? Which template must you provide, in order to display data in a Repeater control? How can you provide an alternating color scheme in a Repeater control? What property must you set, and what method must you call in your code, in order to bind the data from some data source to the Repeater control?
What is the use of web.config? Difference between machine.config and Web.config?
ASP.NET configuration files are XML-based text files--each named web.config--that can appear in any directory on an ASP.NET
Web application server. Each web.config file applies configuration settings to the directory it is located in and to all
virtual child directories beneath it. Settings in child directories can optionally override or modify settings specified in
parent directories. The root configuration file--WinNT\Microsoft.NET\Framework\
default configuration settings for the entire machine. ASP.NET configures IIS to prevent direct browser access to web.config
files to ensure that their values cannot become public (attempts to access them will cause ASP.NET to return 403: Access
At run time ASP.NET uses these web.config configuration files to hierarchically compute a unique collection of settings for
each incoming URL target request (these settings are calculated only once and then cached across subsequent requests; ASP.NET
automatically watches for file changes and will invalidate the cache if any of the configuration files change).
What is the use of sessionstate tag in the web.config file?
Configuring session state: Session state features can be configured via the
What are the different modes for the sessionstates in the web.config file?
Off Indicates that session state is not enabled.
Inproc Indicates that session state is stored locally.
StateServer Indicates that session state is stored on a remote server.
SQLServer Indicates that session state is stored on the SQL Server.
What is smart navigation?
When a page is requested by an Internet Explorer 5 browser, or later, smart navigation enhances the user's experience of the page by performing the following:
• eliminating the flash caused by navigation.
• persisting the scroll position when moving from page to page.
• persisting element focus between navigations.
• retaining only the last page state in the browser's history.
Smart navigation is best used with ASP.NET pages that require frequent postbacks but with visual content that does not change dramatically on return. Consider this carefully when deciding whether to set this property to true.
Set the SmartNavigation attribute to true in the @ Page directive in the .aspx file. When the page is requested, the dynamically generated class sets this property.
In what order do the events of an ASPX page execute. As a developer is it important to undertsand these events?
How would you get ASP.NET running in Apache web servers - why would you even do this?
What tags do you need to add within the asp:datagrid tags to bind columns manually
What base class do all Web Forms inherit from?
How can we create pie chart in asp.net?
Is it possible for me to change my aspx file extension to some other name?
Open IIS->Default Website -> Properties
Select HomeDirectory tab
Click on configuration button
Click on add. Enter aspnet_isapi details (C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll | GET,HEAD,POST,DEBUG)
Open machine.config(C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\CONFIG) & add new extension under
What is AutoEventWireup attribute for ?
What’s the difference between code-based security and role-based security? Which one is better?
Code security is the approach of using permissions and permission sets for a given code to run. The admin, for example, can disable running executables off the Internet or restrict access to corporate database to only few applications. Role-based security most of the time involves the code running with the privileges of the current user. This way the code cannot supposedly do more harm than mess up a single user account. There’s no better, or 100% thumbs-up approach, depending on the nature of deployment, both code-based and role-based security could be implemented to an extent.
How can you work with permissions from your .NET application?
You can request permission to do something and you can demand certain permissions from other apps. You can also refuse permissions so that your app is not inadvertently used to destroy some data.
How can C# app request minimum permissions?
What’s a code group?
A code group is a set of assemblies that share a security context.
What’s the difference between authentication and authorization?
Authentication happens first. You verify user’s identity based on credentials. Authorization is making sure the user only gets access to the resources he has credentials for.
What are the authentication modes in ASP.NET?
None, Windows, Forms and Passport.
Are the actual permissions for the application defined at run-time or compile-time?
The CLR computes actual permissions at runtime based on code group membership and the calling chain of the code.
What is Code Access Security (CAS)?
CAS is the part of the .NET security model that determines whether or not a piece of code is allowed to run, and what resources it can use when it is running. For example, it is CAS that will prevent a .NET web applet from formatting your hard disk.
How does CAS work?
The CAS security policy revolves around two key concepts - code groups and permissions. Each .NET assembly is a member of a particular code group, and each code group is granted the permissions specified in a named permission set.
For example, using the default security policy, a control downloaded from a web site belongs to the 'Zone - Internet' code group, which adheres to the permissions defined by the 'Internet' named permission set. (Naturally the 'Internet' named permission set represents a very restrictive range of permissions.)
Who defines the CAS code groups?
Microsoft defines some default ones, but you can modify these and even create your own. To see the code groups defined on your system, run 'caspol -lg' from the command-line. On my syystem it looks like this:
Level = Machine
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. Honor SkipVerification requests: SkipVerification
1.2. Zone - Intranet: LocalIntranet
1.3. Zone - Internet: Internet
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.6. StrongName - 0024000004800000940000000602000000240000525341310004000003
Note the hierarchy of code groups - the top of the hierarchy is the most general ('All code'), which is then sub-divided into several groups, each of which in turn can be sub-divided. Also note that (somewhat counter-intuitively) a sub-group can be associated with a more permissive permission set than its parent.
How do I define my own code group?
Use caspol. For example, suppose you trust code from www.mydomain.com and you want it have full access to your system, but you want to keep the default restrictions for all other internet sites. To achieve this, you would add a new code group as a sub-group of the 'Zone - Internet' group, like this:
caspol -ag 1.3 -site www.mydomain.com FullTrust
Now if you run caspol -lg you will see that the new group has been added as group 1.3.1:
1.3. Zone - Internet: Internet
1.3.1. Site - www.mydomain.com: FullTrust
Note that the numeric label (1.3.1) is just a caspol invention to make the code groups easy to manipulate from the command-line. The underlying runtime never sees it.
How do I change the permission set for a code group?
Use caspol. If you are the machine administrator, you can operate at the 'machine' level - which means not only that the changes you make become the default for the machine, but also that users cannot change the permissions to be more permissive. If you are a normal (non-admin) user you can still modify the permissions, but only to make them more restrictive. For example, to allow intranet code to do what it likes you might do this:
caspol -cg 1.2 FullTrust
Note that because this is more permissive than the default policy (on a standard system), you should only do this at the machine level - doing it at the user level will have no effect.
Can I create my own permission set?
Yes. Use caspol -ap, specifying an XML file containing the permissions in the permission set. To save you some time, here is a sample file corresponding to the 'Everything' permission set - just edit to suit your needs. When you have edited the sample, add it to the range of available permission sets like this:
caspol -ap samplepermset.xml
Then, to apply the permission set to a code group, do something like this:
caspol -cg 1.3 SamplePermSet (By default, 1.3 is the 'Internet' code group)
I'm having some trouble with CAS. How can I diagnose my problem?
Caspol has a couple of options that might help. First, you can ask caspol to tell you what code group an assembly belongs to, using caspol -rsg. Similarly, you can ask what permissions are being applied to a particular assembly using caspol -rsp.
I can't be bothered with all this CAS stuff. Can I turn it off?
Yes, as long as you are an administrator. Just run:
caspol -s off