The Internet is a dangerous place! With great regularity, we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their homepages. In other high-profile cases, millions of passwords, email addresses, and credit card details have been leaked into the public domain, exposing website users to both personal embarrassment and financial risk.
The purpose of website security is to prevent these (or any) sorts of attacks. More formally, website security is the act/practice of protecting websites from unauthorized access, use, modification, destruction or disruption.
The most important security factors are:
Updated Software
Keep the web server, the framework and every library or package your site depends on up to date. Most successful attacks exploit vulnerabilities for which a patch already exists, so patching promptly plays a vital role in keeping your website secure.
SQL Injection
SQL injection is an attempt by an attacker to manipulate your database through input that your code concatenates into a SQL query. Any quote or other SQL syntax in that input becomes part of the statement, so the attacker can read other users' data, change or delete tables, or bypass a login check. The fix is to pass user input to the database as query parameters and never to build the query text from strings.
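The following Razor page is an added example and is not part of the original page or the ASP.NET Web Pages framework. It assumes the "Users" database connection and a UserProfile table with UserId and Email columns (the layout the WebSecurity initialization on this page creates) and shows the string-concatenated query beside the parameterized one, using the WebMatrix.Data Database helper that Web Pages ships with.

```csharp
@* search.cshtml: added example, not part of the original page.
   Assumes the "Users" connection and a UserProfile(UserId, Email) table as
   created by WebSecurity.InitializeDatabaseConnection. *@
@{
    var db = Database.Open("Users");
    var email = Request.Form["email"];          // attacker-controlled input
    IEnumerable<dynamic> rows = Enumerable.Empty<dynamic>();

    if (IsPost) {
        // VULNERABLE: the input becomes part of the SQL text. Submitting
        //   x' OR '1'='1
        // turns the WHERE clause into "Email = 'x' OR '1'='1'" and returns every row.
        // var sql = "SELECT UserId, Email FROM UserProfile WHERE Email = '" + email + "'";
        // rows = db.Query(sql);

        // SAFE: parameterized query. The value travels separately from the SQL
        // text, so quotes inside it can never change the statement.
        rows = db.Query("SELECT UserId, Email FROM UserProfile WHERE Email = @0", email);
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        <input type="text" name="email" />
        <input type="submit" value="Find" />
    </form>
    <ul>
    @foreach (var row in rows) {
        <li>@row.UserId: @row.Email</li>
    }
    </ul>
</body>
</html>
```

The placeholder syntax (@0, @1, ...) is the Database helper's; db.Query, db.QuerySingle and db.Execute all take the same trailing parameter list, so there is never a reason to concatenate a value into the SQL text.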
Cross Site Scripting (XSS)
Cross-site scripting lets an attacker inject client-side script into pages that other users view. Whenever you render data that came from a form, a query string or the database, HTML-encode it on output; in Razor pages @value does this automatically, while Html.Raw() does not. Checking the data being submitted is still worthwhile (length limits, expected format), but stripping HTML from input is not a reliable substitute for encoding on output, and text destined for an attribute or a script block needs the encoder for that context.
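As an added example (not code from the original page or the framework), the Razor page below stores comments in session as a constructed stand-in for a database and renders them three ways: auto-encoded in HTML, auto-encoded inside an attribute, and JSON-encoded inside a script block. The commented-out Html.Raw() line is the vulnerable form. It assumes ASP.NET 4.5 or later for Request.Unvalidated.

```csharp
@* comments.cshtml: added example, not part of the original page.
   Session is used as a constructed stand-in for a comments table. *@
@{
    var comments = Session["comments"] as List<string> ?? new List<string>();

    if (IsPost) {
        // Request.Unvalidated skips ASP.NET request validation so the payload reaches
        // our code. Encoding on output, not rejecting input, is what keeps the page safe.
        var text = Request.Unvalidated.Form["comment"] ?? "";
        if (text.Length > 500) { text = text.Substring(0, 500); }   // size limit only; no tag stripping
        comments.Add(text);
        Session["comments"] = comments;
    }
    var last = comments.LastOrDefault() ?? "";
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        <textarea name="comment"></textarea>
        <input type="submit" value="Post" />
    </form>

    @foreach (var c in comments) {
        @* SAFE: Razor HTML-encodes @c, so <script>alert(1)</script> is displayed as text. *@
        <p>@c</p>

        @* VULNERABLE: Html.Raw() disables encoding, so the payload runs in every visitor's browser.
           <p>@Html.Raw(c)</p> *@
    }

    @* Attribute context: still auto-encoded, so a value containing " cannot break out. *@
    <input type="text" name="comment" value="@last" />

    @* Script context: HTML encoding is the wrong encoder here. Json.Encode produces a
       JavaScript string literal and escapes < and > as \u003c and \u003e, so a value
       containing </script> cannot close the block. *@
    <script>var lastComment = @Html.Raw(Json.Encode(last));</script>
</body>
</html>
```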
Error Messages
Be careful about how much information an error message reveals. For example, when a login fails the message should not tell the user which field was wrong, username or password; use the same message for both cases, otherwise an attacker can confirm which usernames exist. Likewise, never show stack traces or raw database errors to users in production.
Validation of Data
Validate data on both the client side and the server side. Client-side validation gives the user fast feedback, but it runs in the attacker's browser and can be bypassed with a single hand-crafted request, so the server must re-check everything it receives before using it.
Passwords
Enforce password requirements such as a minimum of eight characters including upper case, lower case and special characters. It will help to protect users' information in the long run. Store only a salted hash of each password, never the password itself; the WebSecurity helper does this for you.
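The registration page below is an added example covering both the validation and the password sections above; it is not code from the original page or the framework. The server-side rules use the Validation helper from ASP.NET Web Pages 2, the client-side rules are plain HTML5 attributes that mirror them, and the password pattern implements the rule stated above (eight characters, upper case, lower case, special character). It assumes WebSecurity has been initialized in _AppStart.cshtml as shown on this page; the 128-character upper bound is an assumption.

```csharp
@* register.cshtml: added example, not part of the original page.
   Assumes WebSecurity.InitializeDatabaseConnection has run in _AppStart.cshtml. *@
@{
    // Server-side rules. These run on every POST regardless of what the browser did.
    Validation.RequireField("email", "Email is required.");
    Validation.Add("email", Validator.Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", "Enter a valid email address."));

    Validation.RequireField("password", "Password is required.");
    Validation.Add("password",
        Validator.StringLength(128, 8, "Password must be 8 to 128 characters."),
        Validator.Regex(@"^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).+$",
            "Password must contain upper case, lower case and a special character."));
    Validation.Add("confirmPassword", Validator.EqualsTo("password", "Passwords do not match."));

    var message = "";
    if (IsPost && Validation.IsValid()) {
        var email = Request.Form["email"];
        var password = Request.Form["password"];
        if (WebSecurity.UserExists(email)) {
            // Deliberately generic: a "that address is taken" message lets anyone enumerate accounts.
            // The usual fix is to send the outcome by email instead of showing it on the page.
            message = "Registration could not be completed.";
        } else {
            // WebSecurity stores a salted hash of the password, never the password itself.
            WebSecurity.CreateUserAndAccount(email, password);
            message = "Account created.";
        }
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        @* HTML5 attributes give instant feedback; they are convenience only and are trivially bypassed. *@
        <label>Email <input type="email" name="email" required /></label>
        @Html.ValidationMessage("email")

        <label>Password <input type="password" name="password" required minlength="8" maxlength="128"
            pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,128}" /></label>
        @Html.ValidationMessage("password")

        <label>Confirm <input type="password" name="confirmPassword" required /></label>
        @Html.ValidationMessage("confirmPassword")

        <input type="submit" value="Register" />
    </form>
    @Html.ValidationSummary()
    <p>@message</p>
</body>
</html>
```

If a request arrives with the HTML5 attributes removed (a curl post, for instance), Validation.IsValid() still fails and the account is not created; the client-side rules only save the user a round trip.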
Upload files
A file uploaded by a user may contain a script (for example an .aspx page) that, if it is saved under the web root and later requested, runs on your server with the web site's permissions. Accept only the file types you need, check the file's content rather than trusting the extension or the Content-Type header (both are chosen by the client), store uploads outside the web root (for example under App_Data, which IIS never serves) under a name you generate, and never reuse the client-supplied file name.
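The page below is an added example, not code from the original page or the framework. It accepts only PNG and JPEG images, verifies the leading magic bytes instead of trusting the extension or Content-Type, and stores the file under App_Data with a server-generated name. The 2 MB limit and the ~/App_Data/uploads folder are assumptions.

```csharp
@* upload.cshtml: added example, not part of the original page.
   Size limit and storage folder are assumptions. *@
@{
    var message = "";
    if (IsPost) {
        try {
            var storedName = SaveImage(Request.Files["upload"], Server.MapPath("~/App_Data/uploads"));
            message = "Stored as " + storedName;
        } catch (InvalidDataException ex) {
            message = ex.Message;
        }
    }
}
@functions {
    // Leading bytes that a genuine file of each type must start with.
    static readonly Dictionary<string, byte[]> Signatures = new Dictionary<string, byte[]> {
        { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
    };
    const int MaxBytes = 2 * 1024 * 1024;   // assumption: 2 MB limit

    public static string SaveImage(HttpPostedFileBase file, string directory) {
        if (file == null || file.ContentLength == 0) throw new InvalidDataException("No file uploaded.");
        if (file.ContentLength > MaxBytes) throw new InvalidDataException("File too large.");

        // Take only the extension from the client's name; the name itself may be
        // "..\\evil.aspx" or similar and is never used for the stored file.
        var ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (ext == ".jpeg") { ext = ".jpg"; }
        byte[] magic;
        if (!Signatures.TryGetValue(ext, out magic)) {
            throw new InvalidDataException("Only PNG and JPEG files are accepted.");
        }

        // Check the content. Extension and file.ContentType are both client-controlled.
        var header = new byte[magic.Length];
        var read = file.InputStream.Read(header, 0, header.Length);
        file.InputStream.Position = 0;
        if (read < magic.Length || !header.SequenceEqual(magic)) {
            throw new InvalidDataException("File content does not match its type.");
        }

        // Server-chosen name, outside the web root, so nothing uploaded can ever be executed.
        Directory.CreateDirectory(directory);
        var storedName = Guid.NewGuid().ToString("N") + ext;
        file.SaveAs(Path.Combine(directory, storedName));
        return storedName;
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post" enctype="multipart/form-data">
        <input type="file" name="upload" accept="image/png,image/jpeg" />
        <input type="submit" value="Upload" />
    </form>
    <p>@message</p>
</body>
</html>
```

Because the stored files live under App_Data, serving one back to a browser has to go through a page of your own that sets the Content-Type from the stored extension; that page, not IIS, decides what the bytes are.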
SSL
Use TLS (HTTPS; the protocol is still commonly called SSL) for every connection that carries personal information or a login cookie: between the browser and the web server, and between the web server and the database if they run on different machines. Serve the whole site over HTTPS rather than only the login page, otherwise the authentication cookie set at login is exposed on every plain-HTTP page, and mark that cookie as secure (requireSSL="true" in the forms authentication section of web.config).
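As an added example (not code from the original page or the framework), this _PageStart.cshtml runs before every page in the site and enforces HTTPS site-wide: GET requests over plain HTTP are permanently redirected, non-GET requests are refused rather than silently redirected (a redirect would drop the posted body), and HTTPS responses carry an HSTS header. It assumes a TLS certificate is already bound to the site in IIS; the 180-day max-age is an assumption.

```csharp
@* _PageStart.cshtml (site root): added example, not part of the original page.
   Assumes a TLS certificate is bound in IIS. max-age value is an assumption. *@
@{
    if (Request.IsSecureConnection) {
        // HSTS: browsers that have seen this header refuse plain HTTP for the next 180 days.
        // Only sent over HTTPS (browsers ignore it over HTTP anyway).
        Response.AppendHeader("Strict-Transport-Security", "max-age=15552000");
    } else if (!Request.IsLocal) {
        var secureUrl = "https://" + Request.Url.Host + Request.RawUrl;
        if (Request.HttpMethod == "GET") {
            Response.RedirectPermanent(secureUrl);   // 301; ends the response
        } else {
            // A POST over HTTP has already leaked its body; do not pretend it succeeded.
            Response.StatusCode = 403;
            Response.Write("This site requires HTTPS.");
            Response.End();
        }
    }
}
```

Request.IsLocal is exempted so that development on http://localhost keeps working; remove that clause if local traffic should be forced as well.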
WebSecurity Object Reference – Methods
| Method | Description |
| --- | --- |
| ChangePassword() | Changes the password for a user |
| ConfirmAccount() | Confirms an account using a confirmation token |
| CreateAccount() | Creates a membership account for a user who already has a profile row |
| CreateUserAndAccount() | Creates both the user profile row and the membership account |
| GeneratePasswordResetToken() | Generates a token that can be sent to a user by email |
| GetCreateDate() | Gets the time the specified membership account was created |
| GetPasswordChangeDate() | Gets the date and time when the password was last changed |
| GetUserId() | Gets a user ID from a username |
| InitializeDatabaseConnection() | Initializes the web security system (database) |
| IsConfirmed() | Checks if a user is confirmed |
| IsCurrentUser() | Checks if the current user matches a username |
| Login() | Logs the user in by setting an authentication token in a cookie |
| Logout() | Logs the user out by removing the token cookie |
| RequireAuthenticatedUser() | Ends the request (HTTP 401, which forms authentication turns into a redirect to the login page) if the user is not authenticated |
| RequireRoles() | Ends the request if the user is not in all of the specified roles |
| RequireUser() | Ends the request if the user is not the specified user |
| ResetPassword() | Changes a user's password using a password reset token |
| UserExists() | Checks if a given user exists |
Initializing the WebSecurity Database
You must create or initialize a WebSecurity database before you can use the WebSecurity object in your code.
In the root of your web site, create (or edit) the file named _AppStart.cshtml and put the following code inside it:
_AppStart.cshtml
@{
    // Runs once when the application starts, before any page.
    WebSecurity.InitializeDatabaseConnection("Users", "UserProfile", "UserId", "Email", true);
}
The code above will run each time the web site (application) starts. It initializes the WebSecurity database.
"Users" is the name of the database connection; with the default SQL Server Compact setup this is the file Users.sdf in the App_Data folder.
“UserProfile” is the name of the database table that contains the user profile information.
“UserId” is the name of the column that contains the user IDs (primary key).
"Email" is the name of the column that contains usernames (here users log in with their email address).
The last parameter, true, indicates that the user profile and membership tables should be created automatically if they do not exist; pass false if you have created them yourself.
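The login page below is an added example, not code from the original page or the framework, and ties together the error-message advice above and the Login(), Logout(), IsAuthenticated and RequireAuthenticatedUser() members from the reference table. It assumes the _AppStart.cshtml initialization shown above, a members/ folder for protected pages, and a logout.cshtml; those two files are given as comments at the end. The ReturnUrl query string name is the one forms authentication uses when RequireAuthenticatedUser() redirects to the login page.

```csharp
@* login.cshtml: added example, not part of the original page.
   Assumes _AppStart.cshtml has initialized WebSecurity as shown above. *@
@{
    var error = "";
    if (IsPost) {
        AntiForgery.Validate();   // rejects cross-site form posts lacking the token rendered below
        var email = Request.Form["email"] ?? "";
        var password = Request.Form["password"] ?? "";
        var remember = Request.Form["remember"] == "on";

        // Login() returns false for "no such user", "wrong password" and "account not yet
        // confirmed" alike. Use one message for all of them: distinct messages would tell an
        // attacker which email addresses have accounts.
        if (WebSecurity.Login(email, password, persistCookie: remember)) {
            // Only honour a ReturnUrl that stays on this site (no open redirect).
            var returnUrl = Request.QueryString["ReturnUrl"];
            if (String.IsNullOrEmpty(returnUrl) || !returnUrl.StartsWith("/")
                || returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\")) {
                returnUrl = Href("~/members/");
            }
            Response.Redirect(returnUrl);
        }
        error = "Invalid email address or password.";
    }
}
<!DOCTYPE html>
<html>
<body>
    @if (WebSecurity.IsAuthenticated) {
        <p>Signed in as @WebSecurity.CurrentUserName. <a href="~/logout.cshtml">Log out</a></p>
    } else {
        <form method="post">
            @AntiForgery.GetHtml()
            <label>Email <input type="email" name="email" /></label>
            <label>Password <input type="password" name="password" /></label>
            <label><input type="checkbox" name="remember" /> Remember me</label>
            <input type="submit" value="Log in" />
        </form>
        <p>@error</p>
    }
</body>
</html>

@* logout.cshtml (site root), assumed by the link above:
   @{ WebSecurity.Logout(); Response.Redirect(Href("~/")); }

   members/_PageStart.cshtml, protecting every page in the members folder:
   @{ WebSecurity.RequireAuthenticatedUser(); }
   RequireAuthenticatedUser() replies 401 for anonymous requests; with forms authentication
   configured, ASP.NET turns that into a redirect to the login page with ?ReturnUrl=... set. *@
```

The same generic message also covers accounts created with requireConfirmationToken set to true that have not yet called ConfirmAccount(): the user is told to check their email at registration time, not at login time.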