.NET Blog

Free. Cross-platform. Open source. A developer platform for building all your apps.

Security - .NET Blog

Secure ASP.NET ViewState

September 23, 2016 Sep 23, 2016 09/23/16
Jeffrey Fritz
During an appearance on the .NET Rocks podcast last week, a question was raised about securely sending information through ASP.NET ViewState.  I responded to the question by indicating that the typical security concern for web content is not to trust any content submitted from the web, including ViewState.  After that podcast was published, ...

Introducing IdentityServer4 for authentication and access control in ASP.NET Core

September 19, 2016 Sep 19, 2016 09/19/16
Jeffrey Fritz
This is a guest post by Brock Allen and Dominick Baier. They are security consultants, speakers, and the authors of many popular open source security projects, including IdentityServer. Modern applications need modern identity. The protocols used for implementing features like authentication, single sign-on, API access control and federation ...

Get Started with ASP.NET Core Authorization – Part 2 of 2

March 23, 2016 Mar 23, 2016 03/23/16
Jeffrey Fritz
After learning about the new Authorization Policy model in ASP.NET Core, our intrepid reporter Seth Juarez wanted to learn about more complicated ASP.NET Authorization policies.  In the following video, he speaks with ASP.NET Security Analyst Barry Dorrans.  Last time, Barry showed us how to get started with the new ASP.NET Policy model.  ...

Get Started with ASP.NET Core Authorization – Part 1 of 2

March 15, 2016 Mar 15, 2016 03/15/16
Jeffrey Fritz
After learning about Authentication in ASP.NET Core, our intrepid reporter Seth Juarez wanted to dig deeper into the ASP.NET Authorization story.  In the following video, he speaks with ASP.NET Security Analyst Barry Dorrans.  Notes and links from their discussion follow. Authorization verifies that a user is permitted to access...

First Look: Authentication in ASP.NET Core

March 11, 2016 Mar 11, 2016 03/11/16
Jeffrey Fritz
With the coming changes in ASP.NET Core, our friend and intrepid reporter Seth Juarez sat down with ASP.NET Program Manager Pranav Rastogi to discuss the updates and improvements in the new ASP.NET Core authentication system: Here are some of the highlights of their discussion and some sample code to get you started: Pranav gave a quick ...

Farewell, EnableViewStateMac!

September 9, 2014 Sep 9, 2014 09/9/14
levibroderick
The ASP.NET team is making an important announcement regarding the September 2014 security updates. All versions of the ASP.NET runtime 1.1 - 4.5.2 now forbid setting <%@ Page EnableViewStateMac="false" %> and <pages enableViewStateMac="false" />. If you have set EnableViewStateMac="false" anywhere in your application, your ...

Changes to Google OAuth 2.0 and updates in Google middleware for 3.0.0 RC release

July 2, 2014 Jul 2, 2014 07/2/14
suhasbj
This article explains the recent changes made to Google OpenID and OAuth 2.0 along with the corresponding updates to the 3.0.0 RC release of Google OAuth  middleware. Here we will first look at the experience of using Google OAuth middleware in an MVC application with the OWIN 2.1.0 release bits. We will then explain the current changes ...

ASP.NET 4.5.2 and EnableViewStateMac

May 7, 2014 May 7, 2014 05/7/14
levibroderick
Please note: This post is now outdated. See http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx for the most up-to-date information. A few months ago, we posted that we were making changes to the way EnableViewStateMac behaves in ASP.NET. I’ll forego the typical blog post ceremony and cut right to the ...

ASP.NET December 2013 Security Updates

December 10, 2013 Dec 10, 2013 12/10/13
levibroderick
Today is Patch Tuesday, and the ASP.NET team would like to announce that we have two items included in this month’s release. The first is a bulletin affecting certain versions of SignalR; the second is an advisory affecting ASP.NET Web Forms (.aspx) applications. Each item is briefly outlined below. For more information, consult Security...

Cryptographic Improvements in ASP.NET 4.5, pt. 3

October 24, 2012 Oct 24, 2012 10/24/12
levibroderick
Thanks for joining us for the final day of our series on cryptography in ASP.NET 4.5! Up to now, the series has discussed how ASP.NET uses cryptography in general, including how the pipelines are implemented in both ASP.NET 4 and ASP.NET 4.5. We introduced APIs to give developers fuller control over the cryptographic pipeline and to drive ...

Feedback usabilla icon