Best Authentication Provider

Discussion in 'ASP .Net Security' started by David Lozzi, Jul 20, 2005.

  1. David Lozzi

    David Lozzi Guest

    Howdy,

    I've written a few apps already and I have done custom authentication like
    so: prompt for user name and password, verify information against SQL table,
    then load returned username, ID, security, etc. into session state. This
    works and frankly I'm not sure why I'm posting this except for that I want
    to be 'correct' in my apps.

    I notice .Net supports Authentication Modes. Which is the better one to use?
    I have a basic understanding of each provider and it appears that the Forms
    Authentication Provider is the preferred method? Using Forms, how do I
    specify the database table in SQL to use? Also, once validated, it loads the
    user information into a cookie for later retrieval. Can I load more
    information into this cookie, like custom security levels, etc. Currently, I
    basically have a range from 1 through 10 specifying security levels, will
    this still work or does Forms process security itself?

    Same questions with Windows Auth. I've used Windows Auth in some legacy ASP
    apps and was able to determine security levels by a user's membership to
    domain groups. Does this provider work the same? How do I read the security
    information?

    Eh, PassPort is cool but not necessary for me so I don't care enough to
    ask.

    I've been reading through MSDN articles pertaining to these but my questions
    can't seem to get answered with MS Docs. Any help and clarity is greatly
    appreciated!

    Thanks!

    David Lozzi
     
    David Lozzi, Jul 20, 2005
    #1

  2. Hello David,

    inline

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Howdy,
    >
    > I've written a few apps already and I have done custom authentication
    > like so: prompt for user name and password, verify information against
    > SQL table, then load returned username, ID, security, etc. into
    > session state. This works and frankly I'm not sure why I'm posting
    > this except for that I want to be 'correct' in my apps.
    >
    > I notice .Net supports Authentication Modes. Which is the better one
    > to use? I have a basic understanding of each provider and it appears
    > that the Forms Authentication Provider is the preferred method? Using
    > Forms, how do I specify the database table in SQL to use? Also, once
    > validated, it loads the user information into a cookie for later
    > retrieval. Can I load more information into this cookie, like custom
    > security levels, etc. Currently, I basically have a range from 1
    > through 10 specifying security levels, will this still work or does
    > Forms process security itself?


    You do that manually - you have to provide a login page - and handle the
    login button click event - then you go to a datastore and validate credentials.
    The authentication cookie contains a 'UserData' field where you can store
    arbitrary additional information, e.g. Roles or what you call Security Levels.
    Upon each request then you create an IPrincipal implementation and attach
    it to the current thread.

    >
    > Same questions with Windows Auth. I've used Windows Auth in some
    > legacy ASP apps and was able to determine security levels by a user's
    > membership to domain groups. Does this provider work the same? How do
    > I read the security information?


    Regardless of what AuthType you use - the IPrincipal which is accessible
    through Page.User or Context.User contains an IsInRole("") method to query
    role membership.

    I have a full working example of FormsAuth on my blog - this should get you
    started. Feel free to ask more questions after you have looked at the code.
    http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a

    >
    > Eh, PassPort is cool but not necessary for me so I don't care enough
    > to ask.
    >
    > I've been reading through MSDN articles pertaining to these but my
    > questions can't seem to get answered with MS Docs. Any help and
    > clarity is greatly appreciated!
    >
    > Thanks!
    >
    > David Lozzi
    >
     
    Dominick Baier [DevelopMentor], Jul 20, 2005
    #2
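
The flow described in the reply above (issue a ticket whose UserData carries the roles, then rebuild an IPrincipal on each request), as an added example that is not code from the thread or from the linked blog. `AuthTicketHelper`, `IssueTicket`, `AttachPrincipal`, the `|` separator, the 30-minute lifetime and the 4000-character guard are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AuthTicketHelper   // hypothetical helper, not from the thread
{
    private const char RoleSeparator = '|';          // assumed UserData format
    private const int MaxCookieValueLength = 4000;   // assumed headroom under the 4KB cookie limit

    // Call from the login button click handler, only after the credentials
    // were validated against the data store. Roles must come from that
    // server-side lookup, never from request input.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,
            DateTime.Now,                    // issue date
            DateTime.Now.AddMinutes(30),     // expiration (constructed value)
            false,                           // not persistent
            string.Join(RoleSeparator.ToString(), roles));   // UserData

        // Encrypt() applies the protection configured on <forms protection="...">;
        // with the default "All" the ticket is encrypted and integrity-checked,
        // so the client cannot read or alter the roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > MaxCookieValueLength)
            throw new InvalidOperationException("Ticket too large for a cookie; store less in UserData.");

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.HttpOnly = true;
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal on every request. FormsAuthenticationModule has
    // already decrypted and validated the cookie and set a FormsIdentity.
    public static void AttachPrincipal(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated) return;

        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null) return;   // e.g. Windows authentication is in use

        string[] roles = identity.Ticket.UserData.Split(
            new char[] { RoleSeparator }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}

public class Global : HttpApplication   // code-behind of Global.asax
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        AuthTicketHelper.AttachPrincipal(Context);
    }
}
```

With the security levels stored as role names, a page can then gate access with a check such as `Page.User.IsInRole("5")`.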

  3. David Lozzi

    David Lozzi Guest

    Thank you for your help! It helped a lot. I got my sample app here:

    Users are redirected to login.aspx. After entering username and password,
    formsauthentication is taken care of and cookies and all that stuff. After
    this is happy, it then redirects the user to default.aspx, at which point I
    can pull the user's username (context.user.identity.name).

    I can't seem to figure out how to pull the remaining information about the
    user, security level, full name, email addy, etc. This is usually stored in
    a session state but I see no session info in this. I can think of one
    possible solution, and that would be to query the database every time I
    needed this information. Is this a good idea? Is this better than a session
    state?

    Thanks!

    David Lozzi

     
    David Lozzi, Jul 20, 2005
    #3
  4. David Lozzi

    David Lozzi Guest

    I said I can't seem to pull the other data, that is because I can't seem to
    add it.

     
    David Lozzi, Jul 20, 2005
    #4
  5. Hello David,

    You could stuff them in the cookie (see my SetAuthCookie method) - but keep
    in mind that a cookie is limited to 4KB.

    System.Web.Cache would be another option...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jul 20, 2005
    #5
  6. David Lozzi

    David Lozzi Guest

    So is using the session state not a good idea any more? I am so used to using
    it as I have been for the past 5 years in all of my ASP/.Net apps. What are
    the downsides to using session state? I am going to repost this question
    for a broader discussion. Thanks for your help!

    David Lozzi


     
    David Lozzi, Jul 21, 2005
    #6