Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Storing Username/Password During Processing

Tags:

security

asp.net

application-security

Working inside the context of an ASP.NET application I am creating a page that will be able to execute database scripts against one of many databases in our environment. To do this we need to prompt the user for a username/password combination, this value can be used for all servers without issue.

The question is where is the most secure location to store this information? We need to store it temporarily as when they are on this specific page they could be executing hundreds of scripts, over multiple postbacks. From what I can tell I have 3 options and I'm not sure what is the best. Below is my take on the options, what is the recommendation of everyone here? What is the most secure, while still being friendly for the user?

Store Information In Viewstate

One of the first ideas we discussed was storing the information after being supplied by the user in the ViewState for the page. This is helpful as the information will only exist for the lifetime of the page, however, we are unsure of the security implications.

Store information in Session

The next idea we had was to store it in session, however, the downside to this is that the information can be made available to other pages inside the application, and the information always lingers in memory on the server.

Store Information in Application

The last idea that we had was to store it in the Application cache, with a user specific key and a sliding 5 minute expiration. This would still be available to other pages, however, it would ensure that the information is cached for a shorter period.

Why?

The final question that is important is "Why are you doing this?". Why don't we just use their Lan id's? Well we cannot use lan id's due to the lack of network support for delegation.

S0 what is the recommended solution? Why? How secure is it, and can we be?

Update

Great information has been discussed. TO clarify, we are running in an intranet environment, we CANNOT use Impersonation or Delegation due to limitations in the network.

like image 457
Mitchel Sellers Avatar asked Mar 02 '23 02:03

Mitchel Sellers

1 Answers

In my opinion the natural place for this is the Session.

I'm not sure why you seem to be fearing "other pages inside the application" (you control the appliciation, don't you?), but if you really are, you could use some sort of encryption before you store it.

But if you are going to do that, the data could live in the ViewState as well.

like image 84
Tomalak Avatar answered Mar 05 '23 17:03

Tomalak
Sign in to Comment

Related questions

SignInManager.IsSignedIn(User) returns false
Enable ASP.Net Core Session Locking?
Swagger is not Working Asp.net Core how to open swagger ui
HTML to PDF using ironPDF getting error "access to the path 'IronPdf.ChromeRenderingEngine.dll' is denied." in C#
C# asp.net passing an object with a long property to front end changes it's value [duplicate]
Web App - Dashboard Type GUI - Interface [closed]
Getting the Remote Name Address (not IP)
Programmatically accessing Data in an ASP.NET 2.0 Repeater
How do I TDD a custom membership provider and custom membership user?
What are you using for Distributed Caching in web farms running ASP.NET?
Maximum # of Results in a Sitecore Droplink field?
ASP.NET 2.0 Asynchronous User Control Not Working
Upgrading ASP.NET from version 1.1 to 2.0 - Any Gotchas?
Forms Authentication timing out when it shouldn't?
What other frameworks should ASP.Net programmers consult for code inspiration?
Returning an XElement from a web service
ASP.NET - Negative numbers in Parenthesis

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!