About Best practices...

From: Claude Vernier (ClaudeVernier_at_discussions.microsoft.com)
Date: 09/23/04

    Date: Thu, 23 Sep 2004 08:03:05 -0700

    Hi,

    I'd like to have some advice to set our security procedure.
    I've read several blogs and articles and now know several methods and
    techniques.

    What I need is some code details and best practices.
    I have two scenarios. All this is in Web applications and XML Web Services
    in C# and .Net.

    My web site is outside the domain while the Web services are inside, so I
    can't pass a Username Token, right?

    1. Users will log in to my web site from any platform.
    So, the only way I found to authenticate my users is to let them create an
    account with login/password. This account is used only for a shopping basket
    feature and to keep some preferences.
    So, there is no need to use a certificate or Passport.
    What I thought is to ask for the password and store it encrypted inside the
    database with no way to decrypt it.

            My questions are:
                    - Does this design seem ok?
                    - To encrypt the password, do I need a public key?
                            -- If yes, must it be created and saved somewhere? Where?
                            -- Should it be saved with a special encoding?

    2. My web site consumes a web service (WS) that is developed in-house but
    over which I have no control. This WS requires a login, domain and
    encrypted password to be passed. The way it works is in 3 phases.

            a) Client asks the server for its public key
            b) Client encrypts the password using the public key
            c) Client asks for a session id (used in other WS) using the encrypted password
            d) Server decrypts the password and tests that those credentials are valid.
            e) Server delivers a SessionID
            f) Client uses this SessionID to call methods on another WS.

            My questions are:
                    - This design is not perfect but it's what exists for the moment.
    The main reason was to map outside users to inside users and impersonate them;
    what are the best practices for this?
                    - Must the encrypt/decrypt processes be done with public/private keys?
                            -- If yes, must they be created and saved somewhere? Where?
                            -- Should they be saved with a special encoding?

    If you could give me some pointers on all this, thank you very much.
    English is not my first language, so please excuse my mistakes...
    Do not hesitate to correct me or ask for details.

    Thanks a lot in advance, have a nice day.
    Claude

