ASP.NET Authentication and Windows Authentication

Discussion in 'ASP .Net Security' started by Fabio Gouw, Nov 15, 2004.

  1. Fabio Gouw

    Fabio Gouw Guest

    Hello,

    I'm developing a web application that will run on an Intranet. I'll use
    Windows Authentication, so users can access the application without the need
    of filling out a login page.

    According which user is using the web app, he/she'll have a dinamic menu,
    built with the pages he/she can access. This information is stored in a SQL
    Server DB, where each user has his/her permissions.

    My question is how can I bind the information on Users table with the user
    who is accessing the web app, and how to make it secure.

    First I thought to use User.Identity.Name property, so I can put an
    "domain\login" column on Users table, but it doesn't sound secure... (Am I
    right?)

    Does anyone have a suggestion?

    Thanks
     
    Fabio Gouw, Nov 15, 2004
    #1
    1. Advertisements

  2. Fabio Gouw

    Ken Schaefer Guest

    What do you mean by "isn't secure"? Secure against what?

    Sounds like a decent idea to me. Whilst hiding usernames is probably a good
    idea, authentication relies on "something I know" (password) or "something I
    have" (smart card) (or combinations - multifactor authentication). So, the
    trick is keeping the password secure - because that's the "secret" rather
    than the username.

    Cheers
    Ken
     
    Ken Schaefer, Nov 16, 2004
    #2
    1. Advertisements

  3. Fabio Gouw

    Ken Schaefer Guest

    As an addendum, if you don't want to store the usernames in cleartext in the
    database, you could use a one-way hashing function (MD5?) to generate a hash
    of the username. Do the same in your code to the username presented by the
    client, and compare that with what's in the database. That way, anyone who
    does get access to the database can not determine which username is which
    (except perhaps through deduction by looking at which users have which
    permissions)

    Cheers
    Ken
     
    Ken Schaefer, Nov 16, 2004
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.