15.4. Practical Security Tips

The following list provides some practical security tips.

  • Although the concept of security is introduced quite late in the chapter, you shouldn't see it as an afterthought. To ensure you create a solid and secure application you should keep security in mind from the very early stages of your web site development. Deciding whether you want to have areas that are only accessible to certain users, and whether you are going to force users into getting an account for your site before they get access is best done as early as possible. The later in the process you introduce these concepts, the more difficulties you'll face when integrating this functionality.

  • Try to group resources like ASPX pages under folders that represent roles in your system. Take, for example, the Management folder in the Planet Wrox web site. All pages related to the management of your site are packed together in a single folder, making it very easy to block the entire folder with a single <location> element in the web.config file. When the files you want to protect are scattered throughout your web site, you'll need more time to configure the application, and you'll end up with an unclear view of the active security settings.

  • When you create roles to differentiate between users on your web site, try to limit the number of different roles your system has. You'll find that your system becomes much easier to manage with only a handful of logically grouped roles than with a large number ...
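As an added example (not taken from the book or the Planet Wrox project), this is the kind of web.config fragment the second tip describes: a single `<location>` element that locks down the whole Management folder. The role name `Managers` and the login page path are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: anonymous users are redirected to the login page
         (the loginUrl is an assumed path) -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- The role manager must be enabled or <allow roles="..."> is never matched -->
    <roleManager enabled="true" />
  </system.web>

  <!-- One <location> element protects every page under the Management folder.
       Authorization rules are evaluated top to bottom and the first match wins,
       so the explicit deny for everyone else must come last.
       "Managers" is an assumed role name, not one defined by the book. -->
  <location path="Management">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that ASP.NET URL authorization only applies to requests ASP.NET actually handles: under IIS 6 or IIS 7 classic mode, static files in the folder (images, PDFs) are served without this check unless their extensions are mapped to ASP.NET, whereas IIS 7 integrated pipeline mode applies the rules to every request.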
