Wrox Programmer Forums
#1, April 23rd, 2008, 05:13 AM
Rob (Friend of Wrox; Join Date: Mar 2007; Location: Hampshire, United Kingdom)

ASP.NET Authorisation / Authentication

Hi Guys,

Well the time has finally arrived and I have begun working on my first ever ASP.NET project! :)

My first question is about authorisation and authentication...

My project is to migrate an ASP Classic system to .NET.

The current system contains a login form (surprise!) which submits the username/pass to a DB on our servers to see if the user and pass are correct. It then returns the user's ID if found.

Pages are then rendered according to roles/permissions, which are also stored in our database. If the logged-in user has the permission to view a page, then it renders the page content, otherwise it presents an error and pings them back to the previous page.

So, the question(s) are:
  • What is considered "best practice" for authentication?
  • How might you suggest working with the roles/permissions?

I obviously want to make a good impression with it being my first web project and all, and I know I have a lot to learn, so I thought I had best get on here because I know a lot of you guys really kick ass! :)

I understand that these are quite "open" questions; I am not looking for code (unless maybe the odd snippet) but more suggestions/pointers on things I should research.

Thanks guys, I appreciate it.

Rob
http://robzyc.spaces.live.com
#2, April 23rd, 2008, 11:25 AM
planoie (Friend of Wrox; Join Date: Aug 2003; Location: Clifton Park, New York, USA)

As always, the answer to both questions is: "it depends".

== User management ==
If you already have database architecture in place for user management then you need to use that. So in that case the "best practice" would be to "stick with what you already have". If you're building something new, then using the built in ASP.NET membership services is the logical choice as it's in place, tested and has controls that support it already. You can build custom providers that membership services can consume so you can use the controls and functionality built into ASP.NET but have it be based on a preexisting data infrastructure. Someone on my team has done that but I'm unfamiliar with it myself.

== Authentication ==
You'll need to choose the authentication methodology based on what the target audience is for this app you are working on. If it's internal and on a domain based server you could use windows authentication. If it's an internet facing app, then you are basically limited to forms auth (cookie based) with a login page.

-Peter
peterlanoie.blog
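As an added example (not code from the thread, and not Peter's or Rob's own implementation), here is what the "forms auth (cookie based) with a login page" option looks like when the users and permissions already live in your own database rather than in ASP.NET membership. The roles are carried inside the encrypted forms ticket so that `User.IsInRole()` and `<authorization>` role rules work on every request without another database hit. The web.config fragment in the comment, the `FormsAuthHelper` class, the role names and the `|` separator are all assumptions; nothing here is Rob's schema.

```csharp
// Assumed web.config (not from the thread):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" requireSSL="true" protection="All"
//            timeout="20" slidingExpiration="true" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
//   <location path="Admin"><system.web><authorization>
//     <allow roles="Admin" /><deny users="*" />
//   </authorization></system.web></location>
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class FormsAuthHelper
{
    // Call this only after the existing database check has said "yes".
    // roles is whatever the existing permissions table returned (assumed shape).
    public static void IssueTicket(HttpResponse response, string username,
                                   string[] roles, bool persistent)
    {
        // Role names are assumed not to contain '|'; check that in your schema.
        string userData = string.Join("|", roles);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(20),
            persistent, userData, FormsAuthentication.FormsCookiePath);

        // protection="All" encrypts and MACs the ticket, so the role list
        // cannot be edited client-side.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // never sent over plain HTTP
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal from the ticket. Wire it up in Global.asax:
    //   void Application_AuthenticateRequest(object sender, EventArgs e)
    //   { FormsAuthHelper.AttachRoles(HttpContext.Current); }
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated) return;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null) return;   // e.g. Windows auth is in use instead

        string[] roles = identity.Ticket.UserData.Length == 0
            ? new string[0]
            : identity.Ticket.UserData.Split('|');
        context.User = new GenericPrincipal(identity, roles);
    }

    // The per-page check from the original Classic ASP system: render the page
    // if the user holds the role, otherwise send them back where they came from.
    public static bool EnforceRole(HttpContext context, string requiredRole)
    {
        if (context.User != null && context.User.IsInRole(requiredRole)) return true;
        string back = context.Request.UrlReferrer == null
            ? FormsAuthentication.DefaultUrl
            : context.Request.UrlReferrer.ToString();
        context.Response.Redirect(back);   // ends the request
        return false;
    }
}
```

Two caveats that matter in practice: `requireSSL="true"` makes ASP.NET refuse to issue the cookie over plain HTTP, so the whole authenticated area, not just the login page, has to be served over SSL, otherwise the ticket (which is as good as the password for its lifetime) is sent in the clear on every request; and because the roles are frozen into the ticket, a permission change in the database only takes effect when the user logs in again, which is fine for twenty-minute tickets but worth remembering if you make them persistent.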
#3, April 24th, 2008, 02:13 AM
Rob (Friend of Wrox; Join Date: Mar 2007; Location: Hampshire, United Kingdom)

Hey Peter,

Thanks for the reply. I have of course been doing more digging. I don't think using the ASP.NET membership services will be an option, since my manager is really not keen to drop anything we already have in place (I have no idea if that's a good or bad thing at this stage, since I am kinda feeling in the dark). My current plans are to use the existing Login controls to basically capture the Authenticate event, and then pass the info on to the Authentication BLL layer that I am currently working on (which simply queries the DB, and throws exceptions based on Login Failed, DBError, whatever).

One question though: what's the security like on this? Is the password sent as plain text when the "Log In" button is clicked? I am just keen to know what security considerations I should have when using these controls, or even just authentication in general.

Can you also offer any useful links on implementing user management? Obviously you have said the existing controls can be moulded to work with existing infrastructure (similar to Login) I am assuming the same is possible?

Again, many thanks for the help and support, it really is appreciated! In time I will not be such a n00b and can hopefully take some of the burden off of you guys' shoulders!

Rob
http://robzyc.spaces.live.com
#4, April 24th, 2008, 08:53 AM
planoie (Friend of Wrox; Join Date: Aug 2003; Location: Clifton Park, New York, USA)

One of my original points is that you can build an ASP.NET service provider that consumes your existing business logic. By creating providers you can use the existing ASP.NET controls (login, etc.) but they are pointed at your custom provider instead of the default provider in order to use your business logic. You are simply building a bridge (really just replacing the bridge .NET provides natively) between your own code base and the provided .NET functionality. Convey to the boss that you're reducing the work, because then you don't need to build the control set to work with your custom logic.

When you login on a form, the credentials are passed as plain text. If you are using SSL then everything's encrypted.

One bit of advice: use Exceptions for situations that are truly exceptions. Closely consider what the outcome will be for your method. In the case of a login, a failed login is an expectable outcome, definitely not an exception. Don't throw an exception for an expectable outcome.

There are a number of cases where I've needed to write a method that should return some data, but might also need to return some status type information regarding the request for the data. A login procedure is the perfect example of this. Instead of a return type of the expected data and throwing an exception when something's different, I create a return args class (similar to an event args class). This will have a property for the expected data as well as the status of the call. So a failed login due to incorrect credentials will be flagged as such and include no data. A successful login will flag as good and include data.

Another approach could be to make a method that takes some callback delegates. One for success and one for failure so there is very clear distinction between the result condition and subsequent action to take. This is a bit more elegant too in that the logic of "what to do when" is handled by the login method instead of by the consumer. The consumer provides the "what" to do and the login method provides the "when".

-Peter
peterlanoie.blog
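As an added example (not code from the thread, and not Peter's or Rob's own code), here is the "return args" pattern Peter describes, sitting behind the Login control's Authenticate event that Rob is already handling: a failed login is an ordinary result with a status, and exceptions are reserved for the store actually breaking. The `ICredentialStore` interface, the `Users` table and column names, the PBKDF2 parameters and the fact that the existing database stores salted hashes rather than plaintext passwords are all assumptions about Rob's system; if the existing table holds plaintext, the first job is to migrate it to this shape.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI.WebControls;

public enum LoginStatus { Success, BadCredentials, AccountLocked, StoreError }

// The "return args" class: the status of the call plus the data a success yields.
public sealed class LoginResult
{
    public readonly LoginStatus Status;
    public readonly int UserId;       // 0 unless Status == Success
    public readonly string Message;   // safe to put straight into Login.FailureText
    public LoginResult(LoginStatus status, int userId, string message)
    { Status = status; UserId = userId; Message = message; }
}

public sealed class StoredCredential
{
    public int UserId; public byte[] Salt; public byte[] Hash; public int Iterations; public bool Locked;
}

public interface ICredentialStore { StoredCredential Find(string username); }   // null if unknown

// Lookup against the existing schema (assumed). Parameterised, so the typed
// username can never become part of the SQL.
public sealed class SqlCredentialStore : ICredentialStore
{
    private readonly string connectionString;
    public SqlCredentialStore(string connectionString) { this.connectionString = connectionString; }

    public StoredCredential Find(string username)
    {
        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT UserId, Salt, PasswordHash, Iterations, IsLocked FROM Users WHERE Username = @u", cn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = username;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                StoredCredential c = new StoredCredential();
                c.UserId = r.GetInt32(0); c.Salt = (byte[])r[1]; c.Hash = (byte[])r[2];
                c.Iterations = r.GetInt32(3); c.Locked = r.GetBoolean(4);
                return c;
            }
        }
    }
}

public static class AuthenticationService
{
    public static LoginResult Validate(ICredentialStore store, string username, string password)
    {
        StoredCredential stored;
        try { stored = store.Find(username); }
        catch (SqlException)   // the store breaking IS exceptional; report it, don't hide it
        { return new LoginResult(LoginStatus.StoreError, 0, "Login is temporarily unavailable."); }

        // One message for "no such user" and "wrong password": don't confirm usernames.
        const string bad = "The user name or password is incorrect.";
        if (stored == null) return new LoginResult(LoginStatus.BadCredentials, 0, bad);
        if (stored.Locked) return new LoginResult(LoginStatus.AccountLocked, 0, "This account is locked.");

        // PBKDF2 (Rfc2898DeriveBytes ships with .NET 2.0) over the stored salt.
        byte[] candidate = new Rfc2898DeriveBytes(password, stored.Salt, stored.Iterations)
                               .GetBytes(stored.Hash.Length);
        return FixedTimeEquals(candidate, stored.Hash)
            ? new LoginResult(LoginStatus.Success, stored.UserId, "")
            : new LoginResult(LoginStatus.BadCredentials, 0, bad);
    }

    // Compares every byte so the time taken does not depend on where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Code-behind for the page holding <asp:Login ID="Login1" OnAuthenticate="Login1_Authenticate" />.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;
        ICredentialStore store = new SqlCredentialStore(
            ConfigurationManager.ConnectionStrings["Users"].ConnectionString);   // name assumed
        LoginResult result = AuthenticationService.Validate(store, login.UserName, login.Password);

        // true => the control issues the forms cookie and redirects; false => it shows FailureText.
        e.Authenticated = result.Status == LoginStatus.Success;
        if (!e.Authenticated) login.FailureText = result.Message;
    }
}
```

The password still travels from the browser to `Login1_Authenticate` as a plain form field, exactly as Peter says; the hashing above only protects the copy at rest in the database, and SSL is what protects it in transit. One refinement if username enumeration matters to you: the early `return` for an unknown user is measurably faster than a full PBKDF2 run, so hash a dummy value on that path too.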
#5, April 25th, 2008, 02:46 AM
Rob (Friend of Wrox; Join Date: Mar 2007; Location: Hampshire, United Kingdom)

Hi Peter,

Thanks again for the reply. I will have to look into creating my own service provider; from the sounds of it, it will make the roll-out a lot easier if it can tie in directly to the controls. I am currently working by consuming the events the controls raise and then working from there.

From the security POV, we really need to be working over SSL for the login process then, yes? I am concerned about the login form submitting the password in plain text; is there no other way to secure this? I mean, if we hash it before sending using JScript and that is intercepted, is it possible for it to then be spoofed? (I am thinking maybe hash and salt with the user's IP or something; if the requesting IP is not as expected, then the login may have been compromised?)

As for the architecture of it all, you are right, I kinda threw the exceptions in as a hack and I try not to raise exceptions wherever possible. The ReturnArgs sounds nice, and of course leads room for extensibility. The callback delegates sound really nice! Especially coupled with something like SuccessArgs/FailedArgs, you could have plenty of room for movement, as well as a clean logical "if" in the code. Thanks! :)

I am finding this an interesting topic of discussion, thanks :)

Rob
http://robzyc.spaces.live.com
#6, April 25th, 2008, 09:05 AM
planoie (Friend of Wrox; Join Date: Aug 2003; Location: Clifton Park, New York, USA)

The problem isn't so much spoofing a login, it's intercepting a login. Once I know a login, I should be able to connect with it and you'll never know that it isn't a legit login. The only way to test that is to lock down the application really tightly using some definable parameters such as user X should always be connecting from address Y. The important part is keeping the data you are passing from being picked up.

If you simply encrypt the password on the client end I could still spoof a login by intercepting the encoded value and passing that myself so it's basically pointless.

Using SSL is easy enough, and I've never used anything more than that to secure a login. If you use SSL then anything on top of that is not terribly necessary. SSL should give you ample security. If you need more security than can be provided by current technologies intended for HTTP then you probably shouldn't be doing a web app.

-Peter
peterlanoie.blog
#7, April 25th, 2008, 09:20 AM
Rob (Friend of Wrox; Join Date: Mar 2007; Location: Hampshire, United Kingdom)

Looks like I have got the authentication working how I want it: exceptions are now only thrown when something really bad happens that I am not expecting, and in any other case a code with a message is relayed back to the UI. I then found the FailureText property, which relays the message back to the control (and subsequently the UI). Awesome stuff :)

Will start looking into how to actually implement my own provider next week so I can get it all tied up, with User Roles as well, any good resources you have on this would be very much appreciated!

As for the security, I think we will be opting for SSL anyway (or TLS or whatever the bloody hell it's called now! :)). I don't want to waste time when that can pretty much handle it all for me.

As always, thanks again, I do appreciate your time :)

Rob
http://robzyc.spaces.live.com