The first line of defense in each application is a password. Inadequate storage can result in catastrophic breaches. If used properly, ASP.NET Core Identity provides a safe, industry standard solution.

How Passwords Are Stored in ASP.NET Core?
Passwords are stored by ASP.NET Core Identity using:

• The hashing algorithm PBKDF2
• Per-user salt at random
• Over 10,000 iterations
• IdentityV3 password hash is a secure format.

This guarantees that no two passwords result in the same hash.

Never Store Plain Text Passwords
Example of what not to do:
user.Password = model.Password; //Insecure way of storing password

If your database gets leaked, all passwords are exposed.

Use Identity Password Hasher
ASP.NET Core Identity automatically hashes passwords:
await _userManager.CreateAsync(user, model.Password);

If you're building a custom user system:
var hashedPassword = _passwordHasher.HashPassword(user, password);

Verification
_passwordHasher.VerifyHashedPassword(user, hashedPassword, providedPassword);

Password Salting
Salt is a random string added before hashing to prevent:

• Rainbow table attacks
• Hash collisions

ASP.NET Core Identity generates salt automatically. No need to manage it yourself.

Password Peppering
Pepper is a secret stored outside the DB (in environment variables / Key Vault). It’s an optional extra security.

Example
string pepper = config["PasswordPepper"];
string passwordWithPepper = password + pepper;
var hash = _passwordHasher.HashPassword(user, passwordWithPepper);

Use only in custom implementations—not required for Identity. 

Password Strength Requirements
Configure password policy:
builder.Services.Configure<IdentityOptions>(options =>
{
    options.Password.RequireDigit = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireUppercase = true;
    options.Password.RequiredLength = 8;
});

Force Users to Change Password Regularly
Store last password change date and enforce:
if(user.LastPasswordChangeDate < DateTime.UtcNow.AddMonths(-3))
{
    return Redirect("/Account/ForceChangePassword");
}

Prevent Password Reuse
Store password history hashes:
var oldHashes = await _db.PasswordHistory
    .Where(x => x.UserId == user.Id)
    .Select(x => x.HashedPassword)
    .ToListAsync();

Reject if match
if(_passwordHasher.VerifyHashedPassword(user, oldHash, newPassword)
   != PasswordVerificationResult.Failed)
{
    return "Password already used.";
}

Enable Email Confirmation
Enable email confirmation so only users with a valid email address can activate their account. This also prevents attackers from registering fake accounts.

Use HTTPS Everywhere
Always force to use HTTPS so that passwords and login data stay encrypted and safe while being sent between the user and the server.
app.UseHttpsRedirection();

Conclusion
Storing passwords securely requires:

• Strong hashing (PBKDF2)
• Salt (built-in)
• Optional pepper
• Strong password policy
• HTTPS
• Avoiding reuse
• Periodic changes

ASP.NET Core Identity already does most of the heavy lifting use it!

Microsoft's cutting-edge, quick, cross-platform, and open-source framework for creating a wide range of applications, from web apps and APIs to console apps and cloud-native microservices, is called.NET Core (now a part of the.NET 5+ unified platform). For novices who wish to comprehend what.NET Core is, how it functions, and the structure of an actual ASP.NET Core project, this article provides the most straightforward explanation of the framework.

1. What is .NET Core?
.NET Core is Microsoft’s next-generation application development framework, built to overcome the limitations of the old .NET Framework.

Why was .NET Core created?
The old .NET Framework could run only on Windows, was heavy, and was not suitable for cloud, containers, and modern architecture.

.NET Core solves all of these issues.

Key Features of .NET Core
1. Cross-Platform
You can develop and run apps on:

• Windows
• Linux
• macOS

You can host apps on IIS, Apache, Nginx, Kestrel, Docker, or the cloud.

2. Open Source

• Available on GitHub
• Anyone can read or contribute to the source code
• Community-driven improvements

3. High Performance
One of the fastest web frameworks in the world
Handles more traffic with less hardware
Perfect for APIs, enterprise apps, and large-scale cloud systems.

4. Lightweight & Modular
You install only what you need using NuGet packages, which makes applications fast and optimized.

5. Built-in Dependency Injection
Dependency Injection (DI) is built into the framework — no need for third-party libraries.

DI makes apps:

• Cleaner
• Easier to test
• More modular

6. Regular Updates
Microsoft releases new versions every year, including LTS (Long-Term Support) versions for stability.

2. ASP.NET vs ASP.NET Core — What’s the Difference?
ASP.NET Core is a complete redesign of ASP.NET — not just a small upgrade.

3. Understanding .NET Core Project Structure

When you create a new ASP.NET Core project, you get several important files and folders. Each plays a special role.
3.1 Program.cs

This is the entry point of your application.

What happens here?
Creates and configures the web host

• Registers services (Database, Logging, Authentication)
• Defines the middleware pipeline
• Maps controllers/endpoints

Think of Program.cs as the “main switchboard” that controls your entire app.

3.2 wwwroot Folder
Everything inside this folder is public.

Used for:

• CSS files
• JavaScript
• Images
• Bootstrap files

A browser can directly access these files using URLs.
wwwroot = Your public website folder.

3.3 Controllers Folder
Controllers:
Receive HTTP requests
Run logic
Return responses (JSON, HTML, etc.)

Example actions:

• GET → Read data
• POST → Create data
• PUT → Update data
• DELETE → Remove data

Controllers are like the reception desk of your app.

3.4 appsettings.json
This is your configuration file.

Used for:

• Database connection strings
• API keys
• Logging settings

Email settings
You can also have:
appsettings.Development.json
appsettings.Production.json
appsettings.json is the “control panel” of your project.

3.5 Other Common Folders
Services
Contains business logic.

Data
Contains:

• DbContext
• Migrations
• Entities

Repositories
Handles database CRUD operations.

DTOs
Used to transfer data safely.

These folders are like the “kitchen and back office.”
They do all the behind-the-scenes work.

4. What is Middleware?
Middleware is the heart of ASP.NET Core.
It is a chain of components that process every request and response.

How Middleware Works?
Request → Middleware 1 → Middleware 2 → Middleware 3 → Controller → Response → Back through same middlewares

Key Points About Middleware

• Runs one-by-one in the order you configure.
• Can modify request or response.
• Can stop the request early (called short-circuiting).
• Used for Logging, Authentication, Routing, Error Handling, etc.

Understanding the Complete Request Pipeline
Let’s break down each stage in the simplest way.

1. Request
When the user sends a request:
Method: GET / POST / PUT / DELETE

URL: /api/products/5

Headers: Auth token, content type

Body: JSON data (for POST/PUT)

2. Logging Middleware
Tracks

• Which URL was called
• Who called
• How long did the request take
• What was the final status code

Useful for

• Debugging
• Performance monitoring
• Auditing

3. Routing
Matches URL → Correct controller action.

Without routing, the application does not know where to send a request.

4. Authentication
Authentication answers:
“Who are you?”

Examples

• JWT Token
• Cookies
• OAuth

If invalid → Later returns 401 Unauthorized

5. Authorization
Authorization answers:
“Are you allowed to do this?”

Example

• Admin-only routes
• Checking user roles
• Checking user claims

If not allowed → 403 Forbidden

6. Controller Execution
Here, the actual processing happens:

• Validating data
• Calling database
• Applying business rules
• Returning response (JSON / HTML)

7. Response
Response goes back through the pipeline and finally returns:

• Status code (200/404/401/403/500)
• Headers
• Body (JSON/HTML)

Why Middleware Order Matters?

• Routing should come before authentication
• Authentication must come before authorization
• Static files should be before MVC
• Error handling needs to be at the top

Incorrect order → Errors like:

• 404 Not Found
• 401 Unauthorized
• Authorization not working

When Things Go Wrong - Quick Fix Guide
401 - Unauthorized
Problem: No identity.
Fix: Check token/cookie + authentication config

403 - Forbidden
Problem: User is known but not allowed.
Fix: Add required roles/claims or change policy

404 - Not Found
Problem: Route not matched.
Fix: Check controller routes and middleware order

Pipeline issues
If things randomly break →
Fix: Ensure correct order:
UseRouting()
UseAuthentication()
UseAuthorization()
MapControllers()

Large files, like films, PDFs, or CAD models, must frequently be efficiently delivered to consumers by modern web apps. ASP.NET Core enables developers to handle HTTP range requests and stream files instead of loading whole files into memory, allowing clients to restart stopped downloads or download files in part. This approach saves memory, improves performance, and enhances the user experience.

1. Comprehending ASP.NET Core File Streaming
The full file is loaded into memory when using conventional file download techniques like File.ReadAllBytes(), which is ineffective for big files.
In contrast, streaming allows clients to begin receiving material while the remainder of the file is still being read because it transmits data in chunks.
For instance, simple file streaming.

[HttpGet("download/{fileName}")]
public async Task<IActionResult> DownloadFile(string fileName)
{
    var filePath = Path.Combine("Files", fileName);

    if (!System.IO.File.Exists(filePath))
        return NotFound("File not found.");

    var stream = new FileStream(filePath, FileMode.Open, FileAccess.Read);
    return File(stream, "application/octet-stream", fileName);
}

Key Points
The file is not fully loaded into memory.
ASP.NET Core handles streaming automatically using FileStreamResult.

Ideal for large media files or document downloads.

2. Supporting Range Requests for Partial Downloads
Modern browsers and video players often request byte ranges instead of entire files to support:

Resumable downloads
Media streaming (e.g., MP4 playback)

Efficient caching
You can manually implement HTTP range handling to support these cases.

Example: Range Request Implementation
[HttpGet("stream/{fileName}")]
public async Task<IActionResult> StreamFile(string fileName)
{
    var filePath = Path.Combine("Files", fileName);

    if (!System.IO.File.Exists(filePath))
        return NotFound();

    var fileInfo = new FileInfo(filePath);
    var fileLength = fileInfo.Length;
    var rangeHeader = Request.Headers["Range"].ToString();

    if (string.IsNullOrEmpty(rangeHeader))
        return PhysicalFile(filePath, "application/octet-stream", enableRangeProcessing: true);

    // Parse range
    var range = rangeHeader.Replace("bytes=", "").Split('-');
    var start = long.Parse(range[0]);
    var end = range.Length > 1 && !string.IsNullOrEmpty(range[1]) ? long.Parse(range[1]) : fileLength - 1;
    var contentLength = end - start + 1;

    Response.StatusCode = StatusCodes.Status206PartialContent;
    Response.Headers.Add("Accept-Ranges", "bytes");
    Response.Headers.Add("Content-Range", $"bytes {start}-{end}/{fileLength}");
    Response.Headers.Add("Content-Length", contentLength.ToString());

    using var fs = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read);
    fs.Seek(start, SeekOrigin.Begin);
    var buffer = new byte[64 * 1024]; // 64KB buffer

    long remaining = contentLength;
    while (remaining > 0)
    {
        var count = (int)Math.Min(buffer.Length, remaining);
        var read = await fs.ReadAsync(buffer, 0, count);
        if (read == 0) break;
        await Response.Body.WriteAsync(buffer.AsMemory(0, read));
        remaining -= read;
    }

    return new EmptyResult();
}

What Happens Here?
The API reads the Range header from the client request.

It calculates the byte segment to send.

The file is streamed incrementally, allowing pause/resume functionality.

3. Enabling Range Processing Automatically
ASP.NET Core provides built-in range processing for static or physical files:
app.UseStaticFiles(new StaticFileOptions
{
    ServeUnknownFileTypes = true,
    OnPrepareResponse = ctx =>
    {
        ctx.Context.Response.Headers.Append("Accept-Ranges", "bytes");
    }
});

Alternatively, you can use PhysicalFile() or VirtualFile() with:
return PhysicalFile(filePath, "application/pdf", enableRangeProcessing: true);

This is ideal when you want a simple and efficient approach without manually parsing headers.

4. Real-World Use Cases
Video Streaming Platforms – Serve MP4 files efficiently using range-based streaming.
Document Viewers (PDF, DOCX) – Load only required file sections for faster rendering.
AutoCAD or 3D File Renderers – Fetch model data progressively for WebGL visualization.
Download Managers – Enable users to pause/resume downloads seamlessly.

5. Performance Optimization Tips
Use asynchronous file I/O (await fs.ReadAsync) to avoid blocking threads.

• Keep buffer sizes between 32KB–128KB for optimal throughput.
• Serve large files from Azure Blob Storage, AWS S3, or CDN when possible.
• Cache metadata (file size, last modified) to reduce disk I/O.

Conclusion
Scalability, enhanced user experience, and effective resource use are guaranteed when file streaming and range requests are implemented in ASP.NET Core.
These methods let you manage contemporary client expectations, such resumable downloads and media streaming, without overtaxing your server memory, whether you're offering PDFs, movies, or big datasets.

You may create a versatile, high-performance file distribution system that satisfies user and company requirements by fusing custom streaming logic with ASP.NET Core's built-in range processing.