ASP.NET Interview Questions on web application Security

What is the difference between Authentication and Authorization?
Authentication is the process of identifying users. Authorization is the process of granting access to those users based on identity. Together, authentication and authorization provide the means of keeping your Web application secure from intruders.

What is Anonymous access?
Anonymous access is the way most public Web sites work. Sites containing public information allow anyone to see that information, so they don’t authenticate users. ASP.NET Web applications provide anonymous access to resources on the server by impersonation. Impersonation is the process of assigning a user account to an unknown user.

What is the account that is associated with Anonymous access?
By default, the anonymous access account is named IUSR_machinename. You use that account to control anonymous users’ access to resources on the server.

What is the default user account under which an ASP.NET web application runs on a web server?
Under the default settings, ASP.NET uses the ASPNET account to run the Web application. This means that if the application attempts to perform any tasks that are not included in the ASPNET account’s privileges, a security exception will occur and access will be denied.

How do you restrict the access of anonymous users?
You restrict the access of anonymous users by setting Windows file permissions. To be secure, your server must use the Microsoft Windows NT file system (NTFS). The earlier FAT or FAT32 file systems do not provide file-level security.

What are the 3 major ways to authenticate and authorize users within an ASP.NET Web application?
Windows authentication : Identifies and authorizes users based on the server’s user list. Access to resources on the server is then granted or denied based on the user account’s privileges. This works the same way as regular Windows network security.
Forms authentication : Directs users to a logon Web form that collects user name and password information, and then authenticates the user against a user list or database that the application maintains.
Passport authentication : Directs new users to a site hosted by Microsoft so that they can register a single user name and password that will authorize their access to multiple Web sites. Existing users are prompted for their Microsoft Passport user name and password, which the application then authenticates from the Passport user list.

What is the namespace where all security related classes are present?

What type of authentication can be used for Public Internet Web application?
Anonymous access. This is the common access method for most Web sites. No logon is required, and you secure restricted resources using NTFS file permissions.

What type of authentication can be used for Intranet Web application?
Windows authentication. Windows authentication authenticates network users through the domain controller. Network users have access to Web application resources as determined by their user privileges on the server.

What type of authentication can be used for Private corporate Web application?
Windows authentication. Corporate users can access the Web application using their corporate network user names and passwords. User accounts are administered using the Windows network security tools.

What type of authentication can be used for Commercial Web application?
Forms authentication. Applications that need to collect shipping and billing information should implement Forms authentication to gather and store customer information.

What type of authentication can be used for Multiple commercial Web applications?
Passport authentication. Passport authentication allows users to sign in once through a central authority. The user’s identity is then available to any application using the Passport SDK. Customer information is maintained in a Passport profile, rather than in a local database.

Can you use ASP.NET Authentication with HTM and HTML Files?
The three ASP.NET authentication modes apply to files that are part of the Web application. That includes Web forms (.aspx), modules (.asax), and other resources that are processed through the Web application’s executable. It does not automatically include HTML pages (.htm or .html). Those pages are handled by Internet Information Services (IIS), rather than ASP.NET. If you want to authenticate users who access HTML pages from within your Web application using Windows, Forms, or Passport authentication modes, you must map those files to the ASP.NET executable.
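As an added illustration, not part of the original page, here is a constructed web.config that selects Forms authentication (one of the three modes above), denies anonymous users across the application and re-opens a single folder for public access; the Login.aspx page and the Public folder are assumed names.

```xml
<!-- Constructed example web.config; page and folder names are assumptions -->
<configuration>
  <system.web>
    <!-- mode can be Windows, Forms, Passport or None -->
    <authentication mode="Forms">
      <!-- loginUrl: the logon Web form that collects user name and password.
           protection="All": the authentication ticket is encrypted and signed.
           requireSSL="true": the browser sends the ticket cookie only over HTTPS. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <!-- "?" means anonymous users, "*" means all users; rules apply top-down,
         so anonymous users are denied before the allow-all rule is reached. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Public area: rules in a <location> element are evaluated before the
       parent rules, so anonymous access is re-enabled only for this folder. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules cover only requests processed by ASP.NET; as the answer above explains, .htm and .html files reach ASP.NET only after they are mapped to aspnet_isapi.dll.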

How do you map .htm and .html files to the ASP.NET executable using the IIS snap-in?
To map .htm and .html files to the ASP.NET executable using the IIS snap-in, follow these steps:
1. In the IIS snap-in, select the folder containing your Web application, and then choose Properties from the Action menu. IIS displays the Properties dialog box.
2. Click the Home Directory or Virtual Directory tab, and then click Configuration. IIS displays the Application Configuration dialog box, as shown in the diagram below.

3. Click Add. IIS displays the Add/Edit Application Extension Mapping dialog box, as shown in the diagram below.

4. Click Browse, and select the aspnet_isapi.dll file. That file is stored in the Windows Microsoft .NET Framework directory; the path will be something like C:\Windows\Microsoft.NET\Framework\versionnumber\aspnet_isapi.dll.
5. Type .htm in the File Extension box, and click OK.
6. Repeat steps 3 through 5 for the .html file extension. Click OK to close the IIS dialog boxes when you’ve finished.


  1. what is advantage of

  2. ASP.NET is a very valuable tool for programmers and developers as it allows them to build dynamic, rich web sites and web applications.

    1. ASP.NET drastically reduces the amount of code required to build large applications.

    2. With built-in Windows authentication and per-application configuration, your applications are safe and secure.

    3. It provides better performance by taking advantage of early binding, just-in-time compilation, native optimization, and caching services right out of the box.

    4. The ASP.NET framework is complemented by a rich toolbox and designer in the Visual Studio integrated development environment. WYSIWYG editing, drag-and-drop server controls, and automatic deployment are just a few of the features this powerful tool provides.

    5. Provides simplicity as ASP.NET makes it easy to perform common tasks, from simple form submission and client authentication to deployment and site configuration.

    6. The source code and HTML are together therefore ASP.NET pages are easy to maintain and write. Also the source code is executed on the server. This provides a lot of power and flexibility to the web pages.

    7. All the processes are closely monitored and managed by the ASP.NET runtime, so that if a process is dead, a new process can be created in its place, which helps keep your application constantly available to handle requests.

    8. It is purely server-side technology so, ASP.NET code executes on the server before it is sent to the browser.

    9. Being language-independent, it allows you to choose the language that best applies to your application or partition your application across many languages.

    10. ASP.NET makes for easy deployment. There is no need to register components because the configuration information is built-in.

    11. The Web server continuously monitors the pages, components and applications running on it. If it notices any memory leaks, infinite loops, or other illegal activities, it immediately destroys those activities and restarts itself.

    12. Easily works with ADO.NET using data-binding and page formatting features. It is an application which runs faster and counters large volumes of users without having performance problems.

  3. Note that in IIS 7 the request is handled by an integrated pipeline and hence authentication/authorization can be applied to other static resources like htm, image files.

  4. I will propose my thesis project based on IMPLEMENTATION OF FILE SHARING SYSTEM in an organization that is in our university for a department of Electrical and Computer Engineering. So I would like to give (submit or attach) a source code for this thesis project. PLEASE ATTACH the source code.

