ASP.NET Authentication and Windows Authentication

Discussion in 'ASP .Net Security' started by Fabio Gouw, Nov 15, 2004.

  1. Fabio Gouw

    Fabio Gouw Guest

    Hello,

    I'm developing a web application that will run on an Intranet. I'll use
    Windows Authentication, so users can access the application without the need
    of filling out a login page.

    According to which user is using the web app, he/she'll have a dynamic menu,
    built with the pages he/she can access. This information is stored in a SQL
    Server DB, where each user has his/her permissions.

    My question is how can I bind the information on Users table with the user
    who is accessing the web app, and how to make it secure.

    First I thought to use User.Identity.Name property, so I can put an
    "domain\login" column on Users table, but it doesn't sound secure... (Am I
    right?)

    Does anyone have a suggestion?

    Thanks
     
    Fabio Gouw, Nov 15, 2004
    #1

  2. Fabio Gouw

    Ken Schaefer Guest

    What do you mean by "isn't secure"? Secure against what?

    Sounds like a decent idea to me. Whilst hiding usernames is probably a good
    idea, authentication relies on "something I know" (password) or "something I
    have" (smart card) (or combinations - multifactor authentication). So, the
    trick is keeping the password secure - because that's the "secret" rather
    than the username.

    Cheers
    Ken
     
    Ken Schaefer, Nov 16, 2004
    #2

  3. Fabio Gouw

    Ken Schaefer Guest

    As an addendum, if you don't want to store the usernames in cleartext in the
    database, you could use a one-way hashing function (MD5?) to generate a hash
    of the username. Do the same in your code to the username presented by the
    client, and compare that with what's in the database. That way, anyone who
    does get access to the database can not determine which username is which
    (except perhaps through deduction by looking at which users have which
    permissions)

    Cheers
    Ken
     
    Ken Schaefer, Nov 16, 2004
    #3
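
An added example (not code from any participant in this thread): the lookup discussed above, with the account name from `User.Identity.Name` normalized and turned into a keyed hash before it is matched against the stored value. It uses HMAC-SHA256 with a server-side key in place of the plain MD5 mentioned in the addendum, because account names are guessable and an unkeyed hash of them can be recomputed by anyone holding the database. The key, the `CORP\alice` account, the page names and the in-memory dictionary standing in for the Users table are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class MenuAuthorization
{
    // Hypothetical server-side secret; in practice load it from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // Windows account names are case-insensitive, so normalize before hashing.
    public static string LookupKey(string identityName)
    {
        string normalized = identityName.Trim().ToUpperInvariant();
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized)));
    }

    // Returns the pages for the menu; an unknown or anonymous user gets none.
    public static IList<string> PagesFor(IPrincipal user, IDictionary<string, string[]> usersTable)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return new string[0];
        string[] pages;
        return usersTable.TryGetValue(LookupKey(user.Identity.Name), out pages)
            ? pages : new string[0];
    }

    static void Main()
    {
        // Constructed stand-in for the Users table: hashed account -> permitted pages.
        var table = new Dictionary<string, string[]>
        {
            { LookupKey(@"CORP\alice"), new[] { "Orders.aspx", "Reports.aspx" } }
        };
        // GenericPrincipal stands in for the WindowsPrincipal that IIS supplies.
        var known = new GenericPrincipal(new GenericIdentity(@"corp\Alice", "Negotiate"), null);
        var stranger = new GenericPrincipal(new GenericIdentity(@"CORP\other", "Negotiate"), null);
        var anonymous = new GenericPrincipal(new GenericIdentity(""), null);

        Console.WriteLine(string.Join(",", PagesFor(known, table)));
        Console.WriteLine(PagesFor(stranger, table).Count);
        Console.WriteLine(PagesFor(anonymous, table).Count);
    }
}
```

The same lookup has to gate each page request as well as the menu, since a menu only hides links. Against a real SQL Server table, pass the lookup key as a query parameter rather than concatenating it into the SQL text.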