Re: Windows Authentication (asp.net 1.1 C#)



Hi,

it is up to you how you store your passwords - FormsAuth is just a mechanism to "remember" authenticated users (and reject anonymous).

Usually you store the passwords in a database using salted hashes - have a look at the PasswordDeriveBytes class (or Rfc2898DeriveBytes on 2.0).

In ASP.NET 2.0 you may want to have a look at the membership provider.

Also this could be a good start:
http://samples.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Can you point me to FormAuthentication with encrypted passwords? Thanks

"Dominick Baier [DevelopMentor]" wrote:

Hi,

I wouldn't recommend using your internal AD for customer accounts.
FormsAuthentication is as secure as IIS integrated auth - and you
need SSL for both anyway.

There is no easy way to get a forms based login for IIS integrated
auth - this would require crafting the authentication headers on the
client - may be easy for basic auth - but beyond.

I would go for FormsAuth + SSL

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm creating a site which will allow our clients to place orders. Because of different price lists and the sensitive merchandise we sell (medical supplies), I'm concerned about security. I thought that I would have to do either Windows Authentication or Forms Authentication. If I use Windows Authentication, I can validate with my domain and I wouldn't have a problem with that, unless that would cause a problem with my internal security. The second option is Forms Authentication.

My questions are:
1) If I use Windows Authentication, can I bypass the browser dialog box and use a form with textboxes to do the sign-in? I have seen that Microsoft Exchange Web Outlook 2003 can do this. Is this possible? Someone told me in the ASP group that it was not, but since it was ASP and not ASP.NET, I wanted to ask.
2) Can I run into internal security problems if I give them a restricted Windows account? I guess the answer is yes... (Did I just answer myself?)
3) Can you point me to another method of secure login, like forms but with encryption, that would allow me not to have to validate with my domain?

Thank you
Francisco O.
IBLUES