Re: About Best practices...
From: Mary Chipman (mchip_at_online.microsoft.com)
Date: 09/23/04
- Next message: Rob Teixeira [MVP]: "Re: Authentication for remote Processes and Services"
- Previous message: Mark K: "Re: Specified method is not supported. - update"
- In reply to: Claude Vernier: "About Best practices..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Sep 2004 16:04:39 -0400
You can find the answers in the ASP.NET security best practices
whitepaper, downloadable from
http://www.microsoft.com/downloads/release.asp?ReleaseID=44047
--Mary
On Thu, 23 Sep 2004 08:03:05 -0700, "Claude Vernier"
<ClaudeVernier@discussions.microsoft.com> wrote:
>Hi,
>
>I'd like to have some advice to set our security procedure.
>I've read several blogs and articles and now know several methods and
>techniques.
>
>What I need is some code details and best practices.
>I have two scenarios. All this is in Web applications and XML Web Services
>in C# and .Net.
>
>My web site is outside the domain while the Web services are inside, so I
>can't pass a Username Token, right?
>
>1. Users will log in to my web site from any platform.
>So, the only way I found to authenticate my users is to let them create an
>account with a login/password. This account is used only for a shopping basket
>feature and to keep some preferences.
>So, there is no need to use a certificate or Passport.
>What I thought is: ask for the password and store it encrypted inside the
>database with no way to decrypt it.
>
> My questions are:
> - does this design seem ok?
> - To encrypt the password, do I need a public key?
> -- If yes, it must be created and saved somewhere? Where?
> -- should it be saved with special encoding?
>
>2. My web site consumes a web service (WS) that is developed inside the
>house but on which I have no control. This WS requires a login, domain and
>encrypted password to be passed. The way it is working is in 3-phases.
>
> a) Client asks the server for its public key
> b) Client encrypts the password using the public key
> c) Client asks for a session id (used in other WS) using the encrypted password
> d) Server decrypts the password and tests that those credentials are valid.
> e) Server delivers a SessionID
> f) Client uses this SessionID to call methods on another WS.
>
> My questions are:
> - This design is not perfect but it's what exists for the moment.
>The main reason was to map outside users to inside users and impersonate it,
>what are the best practices for this?
> - The encrypt/decrypt processes must be done with public/private keys?
> -- If yes, it must be created and saved somewhere? Where?
> -- should it be saved with special encoding?
>
>If you could give me some pointers on all this, thank you very much.
>English is not my first language, so please excuse me for some mistakes...
>Do not hesitate to correct me or ask for details.
>
>Thanks a lot in advance, have a nice day.
>Claude
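Scenario 1 above asks how to store a password "with no way to decrypt it" and whether a public key is needed for that. The usual answer is that no key is involved at all: the password goes through a salted, iterated one-way function, and login is checked by recomputing it. The following is an added example (not code from this thread or from Microsoft) using only the Python standard library; the iteration count and record layout are choices made for the example, and the same PBKDF2 function is available to .NET code as well.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed parameters for this example; raise ITERATIONS as hardware allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record that is safe to store in the database.

    The record carries the algorithm, iteration count, a random per-user salt
    and the derived key. None of this lets anyone recover the password:
    PBKDF2 is one-way, so there is nothing to decrypt and no key to guard.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, KEY_BYTES)
    # Base64 is the only "special encoding" needed: it keeps raw bytes
    # intact inside a text column.
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), len(expected))
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the key matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy; after a
    successful login, call hash_password again and store the new record."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
```

Because the salt is fresh on every call, two users with the same password get different records, and a leaked table cannot be attacked with one precomputed list.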