RE: Authenticating against localhost (and another question)
From: richlm (rich_lm_at_h0tmai1.com)
Date: 02/27/04
- In reply to: Michal Januszczyk: "Authenticating against localhost (and another question)"
Date: Fri, 27 Feb 2004 01:41:07 -0800
Q1...
Probably the best approach with forms auth is to put your login.aspx page in an SSL-protected folder, and leave the rest of your app outside of SSL. This way your credentials will be protected.
Your web.config might include something like this:
    <authentication mode="Forms">
      <!-- loginUrl:          login page in an SSL-protected folder
           protection:        privacy and integrity
           requireSSL:        prevents the cookie being sent over http
           timeout:           limited session lifetime
           name, path:        unique per-application name and path
           slidingExpiration: sliding session lifetime -->
      <forms loginUrl="Restricted\login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             name="AppNameCookie"
             path="/FormsAuth"
             slidingExpiration="true">
      </forms>
    </authentication>
I guess you could implement the code to encrypt just the password, but for it to be secure you would have to do pretty much the same as SSL with key exchange and all that - the above approach is a much simpler solution.
Here's a link to a KB article that describes it in more detail:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;813829
Q2...
You should be able to do this by calling the (unmanaged) Win32 API function LogonUser() - passing "." for the domainname parameter. This has some serious security consequences though - there may be a better approach for local accounts.
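
Added example (not part of the original message, and not Microsoft's code): a small Python check that reads a web.config and reports which of the forms-authentication cookie settings listed under Q1 are missing or weakened. The function name, the 20-minute timeout limit and both sample configurations are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults used when an attribute is omitted from <forms>.
DEFAULTS = {"name": ".ASPXAUTH", "protection": "All",
            "requireSSL": "false", "timeout": "30", "path": "/"}
MAX_TIMEOUT_MIN = 20  # assumed local policy limit, not a value from the post

def audit_forms_auth(config_xml):
    """Return a list of findings for the forms-auth section of a web.config."""
    root = ET.fromstring(config_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode", "").lower() != "forms":
        return ["authentication mode is not Forms"]
    attrs = dict(DEFAULTS)
    forms = auth.find("forms")
    if forms is not None:
        attrs.update(forms.attrib)
    findings = []
    if attrs["requireSSL"].lower() != "true":
        findings.append("requireSSL: auth cookie may be sent over plain http")
    if attrs["protection"].lower() != "all":
        findings.append("protection: cookie is not both encrypted and validated")
    if not attrs["timeout"].isdigit() or int(attrs["timeout"]) > MAX_TIMEOUT_MIN:
        findings.append("timeout: non-numeric or above the policy limit")
    if attrs["name"] == DEFAULTS["name"]:
        findings.append("name: default cookie name, not unique to this app")
    if attrs["path"] == DEFAULTS["path"]:
        findings.append("path: cookie is sent to every application on the host")
    return findings

# Constructed sample mirroring the attribute values in the post.
HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Restricted/login.aspx" protection="All" requireSSL="true"
           timeout="10" name="AppNameCookie" path="/FormsAuth"
           slidingExpiration="true" />
  </authentication>
</system.web></configuration>"""

# Constructed weak sample: relies on defaults and weakens protection.
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" protection="Validation" timeout="480" />
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_forms_auth(xml_text) or "no findings")
```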