ASP.NET 4.5 – Security Improvement

David, Max | 2014-04-08 | HostUCan, Web Development, ASP.NET, Tutorials

Security improvement is always important, and now that the .NET 4.5 framework has been out for a few months, it brings a variety of improvements in the security area. To benefit from these improvements you will need to make a few adjustments to your application configuration file.

Important Improvements in ASP.NET 4.5

  • There are significant Cryptographic Improvements in ASP.NET 4.5.
  • There are changes to ASP.NET request validation; it now supports deferred (lazy) validation, as well as the option to fetch request data without validation.
  • Windows Identity Foundation is now included in the framework, referred to as WIF 4.5.
  • The AntiXSS library is included in the framework.

Switching to 4.5

Take into consideration that it is not enough to install the 4.5 framework and modify the ‘Target framework’ accordingly. You will see that a comment appears in the web.config file, as shown below:

[image: asp.net-security-aspbest – web.config comment after switching to 4.5]

NOTE: It is very important to set ‘targetFramework’ in your configuration file, otherwise your application will run in ‘4.0’ mode.

Enabling AntiXss

Set the AntiXss library as the default encoder; this is easily done with the encoderType attribute of the httpRuntime configuration element, such as:

[image: asp.net2-security-aspbest – httpRuntime element with the AntiXss encoderType]

NOTE: There can be disadvantages to this. AntiXss takes a white list approach to encoding, so characters that were not encoded before may now be encoded by AntiXss; be aware of this when checking existing output.

Request Validation

Lazy validation was introduced in ASP.NET 4.5, and it is enabled regardless of how you set ‘requestValidationMode’ once the 4.5 framework is installed. If you need access to any request parameters without validation, you will have to set the validation mode to ‘4.5’, as below:

[image: asp.net3-security-asp-best – httpRuntime element with requestValidationMode="4.5"]

This enables access to the unvalidated collections of request parameters, i.e.:

[image: asp.net4-security-asp-best – reading a parameter through Request.Unvalidated]

This is a better approach than disabling request validation altogether.
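A code-behind example, added here and not taken from the original article, that puts the AntiXss encoder and the 4.5 request validation mode to use together: one field is read through Request.Unvalidated and encoded before output, while the rest of the form stays under normal validation. It assumes web.config carries `<httpRuntime targetFramework="4.5" requestValidationMode="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />`; the page, field names and the CommentOutput control are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed page: a comment form with fields "name" and "comment" and a
// Literal control "CommentOutput" on the .aspx side.
public partial class CommentPage : Page
{
    // Normally declared in the generated designer file; shown here so the
    // example is self-contained.
    protected Literal CommentOutput;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // With requestValidationMode="4.5" validation is lazy: a field is only
        // checked when it is read, so this line throws
        // HttpRequestValidationException only if "name" itself contains markup.
        string name = Request.Form["name"];

        // "comment" is allowed to contain markup (e.g. "<b>hi</b>"), so it is
        // read through the Unvalidated view, which skips request validation
        // for this one access instead of turning validation off for the app.
        string rawComment = Request.Unvalidated.Form["comment"];

        // Because the field was never validated it must be encoded before it
        // reaches the response. AntiXssEncoder white-lists safe characters and
        // encodes everything else, so any markup in rawComment renders as text.
        CommentOutput.Text =
            AntiXssEncoder.HtmlEncode(name, useNamedEntities: false)
            + " wrote: "
            + AntiXssEncoder.HtmlEncode(rawComment, useNamedEntities: false);
    }
}
```

With encoderType set as assumed, HttpUtility.HtmlEncode and the Razor/Web Forms encoding helpers also route through AntiXssEncoder, so the explicit call above mainly documents the intent.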

Windows Identity Foundation 4.5

There are several changes now that WIF is part of the framework. It should not take long to upgrade; there is an excellent article on MSDN on migrating an application built with WIF 3.5 to WIF 4.5. Two changes to WIF are worth noting:

1. MachineKeySessionSecurityTokenHandler – WIF now includes a MachineKeySessionSecurityTokenHandler, which encrypts and MACs WIF cookies based on the machine key.

2. requestValidationMode – You no longer have to set requestValidationMode to 2.0 to cope with the request validation exceptions raised by the SignInResponseMessages posted from an STS.

If you need a hosting to support ASP.NET 4.5, don't forget to use HostUCan ASP.NET Hosting Search Tool to find one.
