Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Forms Authentication

Tags:

c#

.net

authentication

asp.net

I've been programming for a long time now, but I'm not the world's most experienced.Net developer. I recently picked up a project that is using Forms authentication for their website. I first looked at forms authentication in .Net 1.1 and at that time it had some limitations that made me decide not to use it as my primary form of authentication.

This project requires that users have roles (which I understand forms authentication supports) and group memberships. For example "User A" is an "Admin" for "Company A". Does forms authentication now support this sort of user structure?

I've also read that forms authentication sends passwords back as plain text. This client does not use SSL. Is this true?

The current code base uses forms authentication, but does not support groups (it does support roles). So, I need to either modify the forms authentication to support the required groups or rip out the forms authentication and use the Authentication framework I normally use. If forms authentication does support groups and is secure enough, then I should stick with that. If forms authentication has security issues or does not support groups then I need to remove that form of authentication.

I've searched the internet for a pros-and-cons sort of article, but no luck. What do you guys think?

like image 412
mlindegarde Avatar asked Mar 13 '09 13:03

mlindegarde

1 Answers

To satisfy you requirements you will use Forms Authentication with Membership. If your application is using SQL Server database you can use SQLMembershipProvider as the membership provider to achieve this.

Examining ASP.NET 2.0's Membership, Roles, and Profile can be a good start reference.

About your concern about sending passwords as a plain text when the connection is not secured.

Actually the passwords that are sent are usually hashed (algorithm will depend on the Membership Provider chosen) and that is as there are eventually stored. Of course if the connection is not secured that hashed password can be retrieved and used to hack the application but at least you eliminate the possibility that the plain user password is stolen and used e.g. to access another service (as you know many people use the same password across multiple services). So to be secure you really need to use https here.

As a note of warning, I am far from being an expert in that field, but quite recently I was faced with a similar problem that you are describing so I though that you may find some of this useful.

like image 59
kristof Avatar answered Oct 12 '22 09:10

kristof
Sign in to Comment

Related questions

Selecting author name field from Atom feed using LINQ (C#)
How do I serialize an anonymous object for sending over a SOAP web service?
I require a MSI Custom action that copies a file from the MSI source directory
Best way to call an instance method in Expression Trees?
MouseMove event too slow for painting
C# SocketException with Multicast on XP
How do you insert a file (PDF) into a varbinary SQL Server column and later retrieve it?
Any BDD success stories out there?
I need to change the style and control use of the asp:Login control button
deserializing a generic list returns null
C# Application can't read/write to files created by administrator when run in limited user account XP
How do I unit test a method containing an asynchronous call?
Import python functions into a .NET language?
C# begin*() method vs threadpool for a server
Documentation on compression / decompression techniques
How to sort NameValueCollection using a key in C#?
How can I uniquely identify a USB key from C#?
TFS Client API - Query to get work items linked to a specific file?
NHibernate Projections and "Having" clause
How do I determine if an "IIsWebDirectory" or "IIsWebVirtualDir" is an ASP.NET Application?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!