Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Forms Authentication

I've been programming for a long time now, but I'm not the world's most experienced.Net developer. I recently picked up a project that is using Forms authentication for their website. I first looked at forms authentication in .Net 1.1 and at that time it had some limitations that made me decide not to use it as my primary form of authentication.

This project requires that users have roles (which I understand forms authentication supports) and group memberships. For example "User A" is an "Admin" for "Company A". Does forms authentication now support this sort of user structure?

I've also read that forms authentication sends passwords back as plain text. This client does not use SSL. Is this true?

The current code base uses forms authentication, but does not support groups (it does support roles). So, I need to either modify the forms authentication to support the required groups or rip out the forms authentication and use the Authentication framework I normally use. If forms authentication does support groups and is secure enough, then I should stick with that. If forms authentication has security issues or does not support groups then I need to remove that form of authentication.

I've searched the internet for a pros-and-cons sort of article, but no luck. What do you guys think?

like image 412
mlindegarde Avatar asked Mar 13 '09 13:03

mlindegarde


1 Answers

To satisfy you requirements you will use Forms Authentication with Membership. If your application is using SQL Server database you can use SQLMembershipProvider as the membership provider to achieve this.

Examining ASP.NET 2.0's Membership, Roles, and Profile can be a good start reference.

About your concern about sending passwords as a plain text when the connection is not secured.

Actually the passwords that are sent are usually hashed (algorithm will depend on the Membership Provider chosen) and that is as there are eventually stored. Of course if the connection is not secured that hashed password can be retrieved and used to hack the application but at least you eliminate the possibility that the plain user password is stolen and used e.g. to access another service (as you know many people use the same password across multiple services). So to be secure you really need to use https here.

As a note of warning, I am far from being an expert in that field, but quite recently I was faced with a similar problem that you are describing so I though that you may find some of this useful.

like image 59
kristof Avatar answered Oct 12 '22 09:10

kristof