March 27, 2012
Whitepaper on ASP.NET 4 security extensibility
Just a note that we just posted a whitepaper [PDF] written by the super-smart Stefan Schakow that discusses various ways in which ASP.NET 4 lets you extend security. For example, the paper describes:
- How to specify various encryption algorithms for the
<machineKey> section, including a custom class. (IOW, you can specify custom encryption for cookies, viewstate, etc.) There's now an API to manage custom encryption programmatically as well.
- How to share forms authentication tickets between ASP.NET 2.0 and ASP.NET 4.
- How to customize the security checks that are performed on incoming URLs. The security checks have been made pluggable so that you can use custom code for tasks like checking the length of the URL, checking for invalid or dangerous characters in the URL (for example, you can allows some characters that would be rejected by default), and matching portions of the URL to physical paths.
- How request validation has changed for ASP.NET 4 and how to create a custom request-validation check.
- How to use custom classes to encode HTML markup, headers, and URLs.