Security, Authentication, and Authorization with ASP.NET MVC

Security, Authentication, and Authorization

How to make an ASP.NET site more secure, and how to implement authentication and authorization.

ASP.NET Identity
The ASP.NET Identity system is designed to replace the previous ASP.NET Membership and Simple Membership systems. It includes profile support, OAuth integration, works with OWIN, and is included with the ASP.NET templates shipped with Visual Studio 2013.
ASP.NET MVC 5 Identity and Security
Module 3 from ASP.NET MVC 5 Fundamentals. 54 minutes 7 seconds.
Deploy a Secure ASP.NET MVC application with OAuth, Membership and SQL Database
This tutorial shows how to create and deploy a secure ASP.NET MVC 5 app using OAuth, the membership database with SQL data.
MVC 5 App with Facebook, and Google OAuth2 Sign-on
By Rick Anderson|April 3, 2015
This tutorial shows you how to build an ASP.NET MVC 5 web application that enables users to log in using OAuth 2.0 with credentials from an external authentication provider, such as Facebook, Twitt...
Create a secure ASP.NET MVC 5 web app with log in, email confirmation and password reset
By Rick Anderson|March 26, 2015
Shows you how to build an ASP.NET MVC 5 web app with email confirmation and password reset using the ASP.NET Identity membership system.
ASP.NET MVC 5 app with SMS and email Two-Factor Authentication
By Rick Anderson|August 20, 2015
Create ASP.NET MVC 5 web app with Two-Factor Authentication. This tutorial uses Twilo and SendGrid for 2FA, but you can use any SMS and email providers.
Developing ASP.NET Apps with Azure Active Directory
By Rick Anderson|August 14, 2014
Microsoft ASP.NET tools for Azure Active Directory makes it simple to enable authentication for web applications hosted on Azure . You can use Azure Authentication to authenticate Office 365 users...
OWIN and Katana
Katana is a flexible set of components for building and hosting Open Web Interface for .NET (OWIN)-based web applications. The Katana/OWIN documentation includes tutorials that show how to handle authentication and authorization scenarios.
XSRF/CSRF Prevention in ASP.NET MVC and Web Pages
By Rick Anderson|March 14, 2013|Level 300 : Intermediate
Cross-site request forgery (also known as XSRF or CSRF) is an attack against web-hosted applications whereby a malicious web site can influence the interaction between a client browser and a web si...
Preventing Open Redirection Attacks (C#)
By Jon Galloway|February 27, 2014
This tutorial explains how you can prevent open redirection attacks in your ASP.NET MVC applications. This tutorial discusses the changes that have been made in the AccountController in ASP.NET MVC...
MVC 4 Security
This Pluralsight video provides an overview of security practices for an ASP.NET MVC application.
MVC 4 Security - the AllowAnonymous Attribute
This blog post covers many important security considerations in ASP.NET MVC.
Security Extensibility in ASP.NET 4
This whitepaper covers the major ways in which security features in ASP.NET 4 can be customized, including: Encryption options and functionality in the machineKey element, interoperability of ASP.NET 4 forms authentication tickets with ASP.NET 2.0, configuration options to relax automatic security checks on inbound URLs, pluggable request validation, and pluggable encoding for HTML elements, HTML attributes, HTTP headers, and URLs.
Recommended Resources for MVC
See sections on security, membership, authentication. "Securing ASP.NET MVC applications" in the ASP.NET MVC Content Map.

Essential Videos

Microsoft has made it possible for you to enjoy this Pluralsight training free of charge. In addition, you can watch more videos free of charge from Microsoft.