Best Authentication Provider

David Lozzi

Howdy,

I've written a few apps already and I have done custom authentication like
so: prompt for user name and password, verify information against SQL table,
then load returned username, ID, security, etc. into session state. This
works and frankly I'm not sure why I'm posting this except that I want
to be 'correct' in my apps.

I notice .Net supports Authentication Modes. Which is the better one to use?
I have a basic understanding of each provider and it appears that the Forms
Authentication Provider is the preferred method? Using Forms, how do I
specify the database table in SQL to use? Also, once validated, it loads the
user information into a cookie for later retrieval. Can I load more
information into this cookie, like custom security levels, etc. Currently, I
basically have a range from 1 through 10 specifying security levels, will
this still work or does Forms process security itself?

Same questions with Windows Auth. I've used Windows Auth in some legacy ASP
apps and was able to determine security levels by a user's membership to
domain groups. Does this provider work the same? How do I read the security
information?

Eh, Passport is cool but it's not necessary for me so I don't care enough to
ask.

I've been reading through MSDN articles pertaining to these but my questions
can't seem to get answered with MS Docs. Any help and clarity is greatly
appreciated!

Thanks!

David Lozzi
 
Dominick Baier [DevelopMentor]

Hello David,

inline

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Howdy,

I've written a few apps already and I have done custom authentication
like so: prompt for user name and password, verify information against
SQL table, then load returned username, ID, security, etc. into
session state. This works and frankly I'm not sure why I'm posting
this except that I want to be 'correct' in my apps.

I notice .Net supports Authentication Modes. Which is the better one
to use? I have a basic understanding of each provider and it appears
that the Forms Authentication Provider is the preferred method? Using
Forms, how do I specify the database table in SQL to use? Also, once
validated, it loads the user information into a cookie for later
retrieval. Can I load more information into this cookie, like custom
security levels, etc. Currently, I basically have a range from 1
through 10 specifying security levels, will this still work or does
Forms process security itself?

You do that manually - you have to provide a login page - and handle the
login button click event - then you go to a datastore and validate credentials.
The authentication cookie contains a 'UserData' field where you can store
arbitrary additional information, e.g. Roles or what you call Security Levels.
Upon each request then you create an IPrincipal implementation and attach
it to the current thread.

Same questions with Windows Auth. I've used Windows Auth in some
legacy ASP apps and was able to determine security levels by a user's
membership to domain groups. Does this provider work the same? How do
I read the security information?

Regardless of what AuthType you use - the IPrincipal which is accessible
through Page.User or Context.User contains an IsInRole("") method to query
role membership.

I have a full working example of FormsAuth on my blog - this should get you
started. Feel free to ask more questions after you have looked at the code.
http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a
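The reply above describes the technique in words; what follows is an added example in C# for classic ASP.NET Forms authentication, not code from the thread or from Dominick's blog. The helper name AuthTicketHelper, its UserData layout and the 30-minute ticket lifetime are my choices, and the credential check against the SQL table is assumed to have already happened before Issue is called.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Assumed helper (not from the thread): stores extra attributes in the ticket's UserData
// and rebuilds an IPrincipal from it per request. Layout: "<level>|<role1>,<role2>", e.g. "7|Admin,Editor".
public static class AuthTicketHelper
{
    // The login button handler calls this after the credentials have been checked
    // against the SQL table; level and roles come from that same lookup.
    public static void Issue(HttpResponse response, string userName,
                             int securityLevel, string[] roles)
    {
        // UserData is free-form text; keep it short, the whole cookie is capped near 4KB.
        string userData = securityLevel + "|" + string.Join(",", roles);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, userData);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                        // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_AuthenticateRequest. The Forms module has
    // already decrypted and validated the cookie into a FormsIdentity; add the roles.
    public static void Attach(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;   // anonymous request
        string[] parts = identity.Ticket.UserData.Split('|');
        string[] roles = parts.Length > 1
            ? parts[1].Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            : new string[0];
        var principal = new GenericPrincipal(identity, roles);
        context.User = principal;
        Thread.CurrentPrincipal = principal;           // IsInRole now works anywhere
    }

    // The 1-10 level stored in UserData; 0 when absent or malformed so checks fail closed.
    public static int SecurityLevel(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        int level;
        string text = identity == null ? "" : identity.Ticket.UserData.Split('|')[0];
        return int.TryParse(text, out level) ? level : 0;
    }
}
```

Global.asax then only needs `AuthTicketHelper.Attach(Context);` inside `Application_AuthenticateRequest`, after which a page can test `User.IsInRole("Admin")` or `AuthTicketHelper.SecurityLevel(User) >= 7`. With Windows authentication the same `User.IsInRole(@"DOMAIN\Group")` call answers the group-membership question without any of this helper.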
 
David Lozzi

Thank you for your help! It helped a lot. I got my sample app here:

Users are redirected to login.aspx. After entering username and password,
formsauthentication is taken care of and cookies and all that stuff. After
this is happy, it then redirects the user to default.aspx, at which point I
can pull the user's username (context.user.identity.name).

I can't seem to figure out how to pull the remaining information about the
user, security level, full name, email addy, etc. This is usually stored in
a session state but I see no session info in this. I can think of one
possible solution, and that would be to query the database every time I
needed this information. Is this a good idea? Is this better than a session
state?

Thanks!

David Lozzi
 
David Lozzi

I said I can't seem to pull the other data; that is because I can't seem to
add it.
 
Dominick Baier [DevelopMentor]

Hello David,

You could stuff them in the cookie (see my SetAuthCookie method), but keep
in mind that a cookie is limited to 4KB.

System.Web.Cache would be another option...
 
David Lozzi

So is using the session state not a good idea any more? I am so used to using
it as I have been for the past 5 years in all of my ASP/.Net apps. What are
the down sides to using session state? I am going to repost this question
for a broader discussion. Thanks for your help!

David Lozzi


Dominick Baier said:
Hello David,

You could stuff them in the cookie (see my SetAuthCookie method), but
keep in mind that a cookie is limited to 4KB.

System.Web.Cache would be another option...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I said I can't seem to pull the other data; that is because I can't
seem to add it.

Thank you for your help! It helped a lot. I got my sample app here:

Users are redirected to login.aspx. After entering username and
password, formsauthentication is taken care of and cookies and all
that stuff. After this is happy, it then redirects the user to
default.aspx, at which point I can pull the user's username
(context.user.identity.name).

I can't seem to figure out how to pull the remaining information
about the user, security level, full name, email addy, etc. This is
usually stored in a session state but I see no session info in this.
I can think of one possible solution, and that would be to query the
database every time I needed this information. Is this a good idea? Is
this better than a session state?

Thanks!

David Lozzi

"Dominick Baier [DevelopMentor]"

Hello David,

inline

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Howdy,

I've written a few apps already and I have done custom
authentication like so: prompt for user name and password, verify
information against SQL table, then load returned username, ID,
security, etc. into session state. This works and frankly I'm not
sure why I'm posting this except that I want to be 'correct' in
my apps.

I notice .Net supports Authentication Modes. Which is the better
one to use? I have a basic understanding of each provider and it
appears that the Forms Authentication Provider is the preferred
method? Using Forms, how do I specify the database table in SQL to
use? Also, once validated, it loads the user information into a
cookie for later retrieval. Can I load more information into this
cookie, like custom security levels, etc. Currently, I basically
have a range from 1 through 10 specifying security levels, will
this still work or does Forms process security itself?

You do that manually - you have to provide a login page - and handle
the login button click event - then you go to a datastore and
validate credentials. The authentication cookie contains a
'UserData' field where you can store arbitrary additional
information, e.g. Roles or what you call Security Levels. Upon each
request then you create an IPrincipal implementation and attach it
to the current thread.

Same questions with Windows Auth. I've used Windows Auth in some
legacy ASP apps and was able to determine security levels by a user's
membership to domain groups. Does this provider work the same? How
do I read the security information?

Regardless of what AuthType you use - the IPrincipal which is
accessible through Page.User or Context.User contains an IsInRole("")
method to query role membership.

I have a full working example of FormsAuth on my blog - this should
get you started. Feel free to ask more questions after you have looked at
the code.
http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a

Eh, Passport is cool but it's not necessary for me so I don't care
enough to ask.

I've been reading through MSDN articles pertaining to these but my
questions can't seem to get answered with MS Docs. Any help and
clarity is greatly appreciated!

Thanks!

David Lozzi
 
