User Credentials File (Users.xml)

  • Article

This application example expects to find an XML file named Users.xml located in the FormsAuth directory. Users.xml is the file that contains the user names and passwords for the users that are authorized to access the Default.aspx file (also located in the FormsAuth directory). Logon.aspx reads the name and password information from this file, and the AddUser process writes name and password information to the file.

This example is provided for illustration only. Storing user names and passwords in a text file is very insecure and could result in passwords being read over the Internet. If you use an XML file or any other text file to store sensitive information, you should consider using a salted hash for the password or another appropriate symmetric encryption technique to make it less vulnerable to attack. In this simple example, the passwords are hashed using the static FormsAuthentication.HashPasswordForStoringInConfigFile method. HashPasswordForStoringInConfigFile is not a salted hash technique and is potentially vulnerable to a dictionary attack, where an attacker attempts to guess passwords by using software to iteratively hash all words in a large dictionary and compare the generated hashes to the hash stored in plain text. You should require your users to choose passwords that are not common words and that contain numbers and nonalphanumeric characters to help prevent dictionary attacks.

You should also apply access control list (ACL) permissions to the file so that only authorized accounts can read it. You could also provide an additional line of defense by removing read permissions to the file in the Microsoft Internet Information Services (IIS) using Internet Service Manager.

To allow ASP.NET to write to the file, grant file write permission to the ASPNET account for IIS 5 or to the Network Service (or other configured) account for IIS 6.

The following example shows the default contents of the Users.xml file. The non-hashed passwords are jchenpw for jchen@contoso.com and Kimpw for Kim@contoso.com.

<Users>
    <Users>
        <UserEmail>jchen@contoso.com</UserEmail>
        <UserPassword>
            BA56E5E0366D003E98EA1C7F04ABF8FCB3753889
        </UserPassword>
    </Users>
    <Users>
        <UserEmail>Kim@contoso.com</UserEmail>
        <UserPassword>
            07B7F3EE06F278DB966BE960E7CBBD103DF30CA6
        </UserPassword>
    </Users>
</Users>

See Also

ASP.NET Web Application Security | Forms Authentication Using an XML Users File