Hi There,
Hopefully this isn't too difficult a question to express here. I have a 3
tier application.
1. Presentation Tier: ASP.NET web application.
2. Middle Tier: ASP.NET Web Services that invoke COM based API for a third party product.
3. Data Tier: A SQL Server database that I can only access via the API.
The user authentication for the web application is actually done via a call
to the COM API. After successfully authenticating a user, where user details
have been collected via Forms Authentication, I propose to persist in
encrypted form within the Forms Authentication ticket the User Id and
Password originally provided by the end user to use on subsequent API calls
by that session.
I guess this means that a) The Presentation Tier does require session state
to be maintained. b) The middle tier web services are totally stateless. c)
The encrypted User ID and Password are stored within the cookies collection.
Any comments on this approach? Obviously we will be using HTTPS so at no
time do the credentials pass in clear text, but I'm still not that happy
about this encrypted User ID and Password being held in the browser's cookie
collection.
Another alternative I've thought through is only temporarily storing the User
ID and Password in the Authentication ticket. I would then, in the
Application_Authenticate method in Global.asax, create an object that
inherits from the GenericIdentity object, and provide extra properties to
contain the Application User ID and Password, and use this object as the
Identity under which the application is running. In this way, I could remove
the User ID and Password (encrypted though they are) from the cookies
collection, and maintain them within the HTTPApplication context.
Any advice on either of these approaches would be most appreciated.
Regards,
Trevor Andrew
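One way to realise the second approach described above, as an added example that is not code from the original post: only a random session handle travels in the Forms Authentication ticket, the COM API credentials live in a server-side store, and a custom identity derived from GenericIdentity is attached to the request in the Application_AuthenticateRequest handler of Global.asax. The names ApiIdentity, ApiCredentials and ApiSessionStore are assumptions made for this example; the COM API wrapper and the login page that calls IssueTicket are not shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Identity exposed to the rest of the application (hypothetical name).
// The password only exists in this per-request object, never in the cookie.
public class ApiIdentity : GenericIdentity
{
    public string ApiUserId { get; private set; }
    public string ApiPassword { get; private set; }

    public ApiIdentity(string name, string apiUserId, string apiPassword)
        : base(name, "Forms")
    {
        ApiUserId = apiUserId;
        ApiPassword = apiPassword;
    }
}

// Server-side holder for the credentials the COM API needs on later calls.
public sealed class ApiCredentials
{
    public string UserId;
    public string Password;
}

public static class ApiSessionStore
{
    private const string CachePrefix = "api-cred:";

    // Called once from the login page after the COM API has accepted the
    // credentials. Only a random handle is placed in the ticket's UserData.
    public static void IssueTicket(HttpResponse response, string userId,
                                   string password, int timeoutMinutes)
    {
        byte[] raw = new byte[16];                       // 128-bit random handle
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(raw); }
        string handle = Convert.ToBase64String(raw);

        // In-process store with a sliding expiry matching the ticket lifetime.
        HttpRuntime.Cache.Insert(
            CachePrefix + handle,
            new ApiCredentials { UserId = userId, Password = password },
            null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(timeoutMinutes));

        var ticket = new FormsAuthenticationTicket(
            1, userId, DateTime.Now, DateTime.Now.AddMinutes(timeoutMinutes),
            false, handle, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not readable from script
        cookie.Secure = true;     // only sent over HTTPS
        response.Cookies.Add(cookie);
    }

    // Returns null when the ticket is missing, tampered, expired, or the
    // server-side entry is gone (cache eviction or app-domain recycle).
    public static ApiIdentity Resolve(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }   // malformed ticket
        catch (HttpException) { return null; }       // MAC/decryption failure
        if (ticket == null || ticket.Expired) return null;

        var creds = HttpRuntime.Cache[CachePrefix + ticket.UserData] as ApiCredentials;
        if (creds == null) return null;

        return new ApiIdentity(ticket.Name, creds.UserId, creds.Password);
    }

    // Called on logout so the credentials do not outlive the session.
    public static void Revoke(string handle)
    {
        HttpRuntime.Cache.Remove(CachePrefix + handle);
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        ApiIdentity identity = ApiSessionStore.Resolve(Request);
        if (identity == null)
        {
            // No usable server-side session: drop any stale cookie so Forms
            // Authentication sends the user back to the login page.
            if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
                FormsAuthentication.SignOut();
            return;
        }
        Context.User = new GenericPrincipal(identity, new string[0]);
    }
}
```

Pages and the web-service proxy then read `((ApiIdentity)HttpContext.Current.User.Identity).ApiPassword` to pass the credentials on each call, so the middle tier stays stateless as the post requires. Two properties of this design are worth checking before adopting it: HttpRuntime.Cache is per-process, so a web farm or an application-pool recycle loses the entry and the user is simply asked to log in again (a failure towards re-authentication, not towards exposure); and because the cookie carries only a random handle, a captured cookie is useless once Revoke runs or the sliding expiry lapses, which is not true of a ticket that embeds the password itself.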