Authentication in ASP.NET

16 06 2008

Security is a major concern for both application architects and developers. Applications that store sensitive information need to be protected from malicious attacks and from competitors attempting to steal information or intellectual property. When designing a security model for your application, you need to be aware of security requirements from a business perspective and the implications that a chosen security model can have on performance, scalability, and deployment.

Relationship Between IIS and ASP.NET

You should understand the relationship between Internet Information Services (IIS) authentication and the Microsoft® ASP.NET security architecture when designing your application. This will allow you to authenticate your users appropriately and obtain the correct security context within your application. You should note that ASP.NET application security configuration and IIS security configuration are completely independent and can be used independently or in conjunction with each other.

IIS maintains security related configuration settings in the IIS metabase. However, ASP.NET maintains security (and other) configuration settings in XML configuration files. While this generally simplifies the deployment of your application from a security standpoint, the security model adopted by your application will necessitate the correct configuration of both the IIS metabase and your ASP.NET application via its configuration file (Web.config).

The security relationship between IIS and ASP.NET

ASP.NET Authentication Providers and IIS Security

ASP.NET implements authentication using authentication providers, which are code modules that verify credentials and implement other security functionality such as cookie generation. ASP.NET supports the following three authentication providers:

  • Forms Authentication. Using this provider causes unauthenticated requests to be redirected to a specified HTML form using client side redirection. The user can then supply logon credentials, and post the form back to the server. If the application authenticates the request (using application-specific logic), ASP.NET issues a cookie that contains the credentials or a key for reacquiring the client identity. Subsequent requests are issued with the cookie in the request headers, which means that subsequent authentications are unnecessary.
  • Passport Authentication. This is a centralized authentication service provided by Microsoft that offers a single logon facility and membership services for participating sites. ASP.NET, in conjunction with the Microsoft® Passport software development kit (SDK), provides similar functionality as Forms Authentication to Passport users.
  • Windows Authentication. This provider utilizes the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity’s token to authorize access.

In addition to authentication, ASP.NET provides an impersonation mechanism to establish the application thread’s security token. Obtaining the correct token relies on you configuring IIS authentication, the ASP.NET authentication provider, and the ASP.NET impersonation settings consistently with one another. The figure below shows the most likely combinations of IIS authentication settings and ASP.NET providers.

ASP.NET and IIS security settings matrix
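The Forms Authentication flow described above (application-specific credential check, then the ticket cookie) and the two security contexts the article distinguishes, as an added example that is not code from the original post. The Web.config fragment in the comment, the control names and Membership as the credential verifier are assumptions.

```csharp
// Added example, not from the original post: Forms Authentication login code-behind
// for ASP.NET 2.0. Assumed Web.config (IIS itself left on Anonymous access):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" protection="All" requireSSL="true" timeout="20" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>   "?" = anonymous users
//   <identity impersonate="false" />
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed controls on Login.aspx: TextBoxes UserName and Password, Label Message.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        // Application-specific credential check; Membership is the ASP.NET 2.0
        // provider model, but any verifier that returns a bool would do here.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One message for unknown user and wrong password: do not say which.
            Message.Text = "Invalid user name or password.";
            return;
        }
        // Only now does ASP.NET issue the ticket cookie (encrypted and signed under
        // protection="All"); false = session cookie rather than a persistent one.
        FormsAuthentication.SetAuthCookie(user, false);
        // Fixed landing page rather than the ReturnUrl query string, so nothing
        // the client supplied decides where the browser is sent next.
        Response.Redirect("~/Default.aspx");
    }
}

// Any protected page can report the two security contexts the article distinguishes.
public static class SecurityContext
{
    public static string Describe(HttpContext ctx)
    {
        // Identity established by the ASP.NET provider (here, the Forms ticket).
        string appUser = ctx.User.Identity.IsAuthenticated ? ctx.User.Identity.Name : "(anonymous)";
        // Windows token of the worker thread: the process account, unless
        // <identity impersonate="true" /> hands it the IIS-authenticated token.
        return "ASP.NET user=" + appUser + "; thread token=" + WindowsIdentity.GetCurrent().Name;
    }
}
```

Calling SecurityContext.Describe from a page after login shows the Forms user name alongside the unchanged worker-process account, which is exactly the difference the impersonation setting controls.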





N-Tier Web Applications using ASP.NET 2.0

11 06 2008

When the .NET Framework was first introduced, it provided excellent features that made building ASP.NET applications a breeze. The next version of the .NET Framework (version 2.0), together with SQL Server 2005, builds on the foundation of the previous versions and introduces new features that greatly aid the design and development of N-Tier ASP.NET 2.0 applications.

Introduction

Designing an N-Tier client/server architecture is no less complex than developing a two-tier architecture; however, the N-Tier architecture produces a far more flexible and scalable client/server environment. In a two-tier architecture, the client and the server are the only layers. In this model, both the presentation layer and the middle layer are handled by the client. An N-Tier architecture has a presentation layer and three further, separate layers: a business logic layer, a data access logic layer and a database layer. The next section discusses each of these layers in detail.

Different Layers of an N-Tier application

In a typical N-Tier environment, the client implements only the presentation logic (a thin client). The business logic and data access logic are implemented on one or more application servers, and the data resides on one or more database servers. An N-Tier architecture is thus typically defined by the following layers:

  • Presentation Layer: This is a front-end component, which is responsible for providing portable presentation logic. Because the client is freed of application layer tasks, there is no need for powerful client technology. The presentation logic layer consists of standard ASP.NET web forms, ASP pages, documents, Windows Forms, etc. This layer works with the results/output of the business logic layer and transforms the results into something usable and readable by the end user.
  • Business Logic Layer: Allows users to share and control business logic by isolating it from the other layers of the application. The business layer functions between the presentation layer and data access logic layers, sending the client’s data requests to the database layer through the data access layer.
  • Data Access Logic Layer: Provides access to the database by executing a set of SQL statements or stored procedures. This is where you will write generic methods to interface with your data. For example, you will write a method for creating and opening a SqlConnection object, create a SqlCommand object for executing a stored procedure, etc. As the name suggests, the data access logic layer contains no business rules or data manipulation/transformation logic. It is merely a reusable interface to the database.
  • Database Layer: Made up of an RDBMS database component such as SQL Server that provides the mechanism to store and retrieve data.
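The data access logic layer and business logic layer described in the list above, as an added example that is not code from the original article. The connection string name, the stored procedure and the customer-id rule are assumptions.

```csharp
// Added example, not from the original article: a minimal data access logic layer
// and one business layer method for an ASP.NET 2.0 N-tier application. Assumed:
// a connection string named "AppDb" in Web.config and a stored procedure
// dbo.GetOrdersByCustomer(@CustomerId int) in SQL Server 2005.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class DataAccess
{
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Generic method: open a connection, run a stored procedure, return a detached
    // table. No business rules here; the DAL only moves data in and out of SQL Server.
    public static DataTable ExecuteProcedure(string procedureName, params SqlParameter[] parameters)
    {
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(procedureName, connection))
        using (SqlDataAdapter adapter = new SqlDataAdapter(command))
        {
            // CommandType.StoredProcedure with typed parameters: caller values are
            // never concatenated into SQL text, so they cannot change the statement.
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.AddRange(parameters);
            DataTable table = new DataTable();
            adapter.Fill(table);   // Fill opens the connection and closes it again
            return table;
        }
    }
}

// Business logic layer: enforces the rules, delegates persistence to the DAL.
public static class OrderService
{
    public static DataTable GetOrdersForCustomer(int customerId)
    {
        if (customerId <= 0)
            throw new ArgumentOutOfRangeException("customerId");   // a business rule
        SqlParameter id = new SqlParameter("@CustomerId", SqlDbType.Int);
        id.Value = customerId;
        return DataAccess.ExecuteProcedure("dbo.GetOrdersByCustomer", id);
    }
}
```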






Artificial Intelligence with PHP

23 05 2008

Humans have long been fascinated with Artificial Intelligence. Online artificial intelligences, often called bots, are all measured against the mother of all online intelligence, A.L.I.C.E. Standing for “Artificial Linguistic Internet Computer Entity,” A.L.I.C.E. is a chat bot developed in the mid-90s that is capable of holding an intelligent conversation and giving relevant answers.

A.L.I.C.E. and variations of her respond to the language AIML (Artificial Intelligence Markup Language) to get instructions about how to “think.” There are several implementations of this in languages such as Java, Ruby, Perl, Python, etc., including one in PHP called Program E.

Program E
Program E is a platform for running artificial intelligence robots. It is written in PHP and uses MySQL for its backend database. Program E runs bots that are written in Artificial Intelligence Markup Language or AIML.

Paul Rydell was the original author of Program E. It has since been worked on by Anne Kootstra and Icomsec. You can find Program E on SourceForge.

Try to chat with A. L. I. C. E.





Compiled PHP Script

21 05 2008

PHP scripts are usually shipped in the clear, but sometimes we need to encapsulate our scripts for security or commercial reasons. There are many ways to hide a script: we can use Base64 encoding combined with the inflate/deflate compression functions and other PHP functions, but all of these can be reversed. That is the only reason we should avoid “encrypting” code with PHP functions: every encrypted script has to be decrypted before it can run, so all we have done is set up a trick that encrypts the code and then decrypts it again.

I’ve tried using compiled PHP scripts. I use Bambalam PHP EXE Compiler/Embedder, a light and fast compiler, to bundle our PHP scripts including libraries, CSS and external files, except images, sound and other multimedia files.

There are many ways to invoke our compiled script. We can run it as a CGI program or execute it with PHP’s shell execution functions (see the PHP documentation).

Web Server PHP EXE Architecture

We should design an N-Tier PHP application, assuming we have a web server with PHP, an application server and a database server. In this case, the application server holds our compiled PHP scripts and external libraries: classes written in PHP that we have compiled. Some of these classes access the database server, and the compiled class scripts then send the results back to the web server for display. So the web server is used only to show the user interface.

I think this way is secure enough to hide our PHP script.





Recognize Text & Objects in Graphical Images with PHP

21 05 2008

An OCR with PHP? It doesn’t sound like a very common topic for PHP developers, but Andrey Kucherenko from Ukraine has made a very interesting project to realize the first phpOCR. His classes can recognize text in monochrome graphical images after a training phase. The training phase is necessary to let the class build recognition data structures from images that contain known characters. The training data structures are then used during the recognition process to attempt to identify text in real images using the corner algorithm.

PHPOCR won the PHPClasses innovation award of March 2006, and it shows the power of what can be implemented with PHP5.

Certain types of applications require reading text from documents that are stored as graphical images. That is the case of scanned documents.

An OCR (Optical Character Recognition) tool can be used to recover the original text that is written in scanned documents. These are sophisticated tools that are trained to recognize text in graphical images.

This class provides a base implementation for an OCR tool. It can be trained to learn how to recognize each letter drawn in an image. Then it can be used to recognize longer texts in real documents.