Authentication Question

Jenna Simmer

Hello. I'm new to .NET and I have a question regarding authentication and authorization.
I am using forms authentication (because user names and passwords are stored in an Oracle db) to provide logon functionality, then I'm using a session User object (custom-made) to which I set an isAuthenticated flag. On "members-only" pages I check the isAuthenticated flag to determine if the user is authenticated or not before displaying the page.
If requirements impose a restriction on using cookies, is this considered a bad design or not? If yes, then why so?
What other options do I have for cookieless authentication?
I would appreciate any kind of help.
Thanks,
Jenna
 
avnrao

Forms authentication works on cookie authentication. If you do not want to
use cookies, go for Windows authentication, which would not make sense on
the Internet.

Av.
 
Jenna Simmer

Thanks for the reply, but I'm confused: should I use forms/cookies or Windows authentication?
I'm starting to become very concerned. Everything that I read on the Internet about authentication involves some forms/cookies implementation, and that I cannot use. I don't think I can use Windows authentication since the member's data is stored in an Oracle database.
I always thought that custom authentication (without cookies) should be a somewhat common practice; I haven't found anything like this yet and I'm worried about my design: maybe there is a simple way of breaking my application that I haven't even thought of.
I would appreciate any comments from anyone on this topic.
Thank you,
J
 
Rick Spiewak

I think you're safe storing the authentication status in session state. This
should work fine. I use it in the admin section of an e-commerce web site.

Jenna Simmer said:
Hello. I'm new to .NET and I have a question regarding authentication and authorization.
I am using forms authentication (because user names and passwords are
stored in an Oracle db) to provide logon functionality, then I'm using a
session User object (custom-made) to which I set an isAuthenticated flag. On
"members-only" pages I check the isAuthenticated flag to determine if the
user is authenticated or not before displaying the page.
If requirements impose a restriction on using cookies, is this considered
a bad design or not? If yes, then why so?
 
Hammad Rajjoub

Hello,
A custom-made, passport-like user object in a session should do the required job, and there isn't any security problem with it. I am also using a similar technique in a banking application.
Regards,
Hammad.Rajjoub

----- Jenna Simmer wrote: ----

Thanks for the reply, but I'm confused: should I use forms/cookies or Windows authentication?
I'm starting to become very concerned. Everything that I read on the Internet about authentication involves some forms/cookies implementation, and that I cannot use. I don't think I can use Windows authentication since the member's data is stored in an Oracle database.
I always thought that custom authentication (without cookies) should be a somewhat common practice; I haven't found anything like this yet and I'm worried about my design: maybe there is a simple way of breaking my application that I haven't even thought of.
I would appreciate any comments from anyone on this topic.
Thank you,
J
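
The design discussed in this thread, as an added example that is not part of any post: a base page class that centralizes the isAuthenticated check so no members-only page can omit it. `SessionUser`, `MembersOnlyPage`, `Logon`, the `"User"` session key and `Login.aspx` are assumed names, and cookieless session state is assumed to be enabled with `<sessionState cookieless="true" />` in web.config.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical session user object, as described in the question.
[Serializable]
public class SessionUser
{
    public string UserName;
    public bool IsAuthenticated;
}

// Hypothetical base class: every members-only page inherits from this
// instead of System.Web.UI.Page, so the check cannot be forgotten on a page.
public class MembersOnlyPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        SessionUser user = Session["User"] as SessionUser;
        if (user == null || !user.IsAuthenticated)
        {
            // Not logged on, or the session expired: go to the logon page.
            // Login.aspx is an assumed path; 'true' ends the response here,
            // so none of the protected page is rendered.
            Response.Redirect("Login.aspx", true);
        }
        // Keep authenticated pages out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        base.OnInit(e);
    }
}

// Called by the logon page only after the credentials have been verified
// against the Oracle database (the verification itself is not shown).
public static class Logon
{
    public static void SignIn(HttpContext ctx, string userName)
    {
        SessionUser user = new SessionUser();
        user.UserName = userName;
        user.IsAuthenticated = true;
        ctx.Session["User"] = user;
    }

    public static void SignOut(HttpContext ctx)
    {
        // Drop the server-side state so the old session ID is worthless.
        ctx.Session.Abandon();
    }
}
```

With `cookieless="true"` the session ID travels in the URL, so the flag is only as private as those URLs are. Serving the site over HTTPS and keeping the session timeout short limits that exposure.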
 
