Cache Authentication vs Forms Authentication - Thoughts?

Discussion in 'ASP .Net' started by Rbrt, Nov 25, 2007.

  1. Rbrt

    Rbrt Guest

    I am developing an IIS 6.0 / ASP.NET 2.0 database driven web site that will be
    used for an in-house application with less than 1,000 potential users and
    which will probably never have more than a couple of hundred simultaneous
    users at any given time.

    While forms authentication provides good tools for handling security for the
    site, it is vulnerable to dedicated hackers who can sniff out cookies, or
    urls and hijack the site.

    I am considering using a cache-based authentication method in which I would
    instantiate a custom user class object to handle things like log ons, and
    store user information and which is then cached on the server with a sliding
    expiration using a key consisting of the user's IP address. Every time the
    user requests a page, the object can be retrieved from the cache. If it is
    not found in the cache, then a redirect at server is used to route them to
    the logon form. The advantage of course is that all of this is done on the
    server with no client side data dependency other than the IP address.

    Has anybody tried this? Anybody have any comments on what might be the
    pitfalls of such a scheme?

    Thanks for any input.

    Rbrt, Nov 25, 2007

  2. Peter Bromberg [C# MVP], Nov 25, 2007

  3. Rbrt

    Rbrt Guest

    Good point. The "in-house" includes field staff who travel widely in and
    outside of North America. The data is highly confidential and of considerable
    interest to my customer's competitors.
    Rbrt, Nov 25, 2007
  4. Peter Bromberg [C# MVP], Nov 25, 2007
  5. You're thinking that a "dedicated hacker" won't be able to spoof an IP

    Anyway, if you're keen on using IP, why not use regular forms auth then add
    logic to global.asax to query IP on each request and perform some logic?

    You should probably also check out OpenID.

    I don't really see a need to re-invent the wheel.
    Scott Roberts, Nov 26, 2007
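    As an added illustration of the pitfall the thread circles around (not code from Rbrt, Scott or ASP.NET itself): a Python model of the IP-keyed cache with sliding expiration that Rbrt describes, showing that two users behind one NAT or proxy collide, beside a variant keyed by a random per-logon token with the per-request IP check Scott suggests. The class and function names and the IP addresses are constructed for the simulation.

```python
import secrets
import time

class IpKeyedSessionCache:
    # Model of the proposed scheme: user object cached under the client IP with
    # a sliding expiration (constructed simulation, not System.Web.Caching).
    def __init__(self, sliding_seconds, clock=time.monotonic):
        self.sliding, self.clock, self.store = sliding_seconds, clock, {}

    def put(self, key, value):
        self.store[key] = (value, self.clock())

    def get(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None  # not cached: the app redirects to the logon form
        value, last_seen = entry
        if self.clock() - last_seen > self.sliding:
            del self.store[key]
            return None  # sliding window elapsed
        self.store[key] = (value, self.clock())  # touch: extend the window
        return value

    def login(self, ip, user):
        self.put(ip, user)

    def user_for_request(self, ip):
        return self.get(ip)

class TokenKeyedSessionCache(IpKeyedSessionCache):
    # Alternative: key by a random per-logon token sent to the client in a
    # cookie (what a forms-auth ticket is) and check the IP on every request.
    def login(self, ip, user):
        token = secrets.token_urlsafe(32)
        self.put(token, (user, ip))
        return token

    def user_for_request(self, token, ip):
        entry = self.get(token)
        if entry is None or entry[1] != ip:
            return None  # unknown/expired token, or a different IP than at logon
        return entry[0]

def nat_collision():
    # Two staff behind one NAT or proxy share a public IP: the second logon
    # overwrites the first, so Alice's next request is served as Bob.
    cache = IpKeyedSessionCache(sliding_seconds=20 * 60)
    cache.login("203.0.113.10", "alice")
    cache.login("203.0.113.10", "bob")
    return cache.user_for_request("203.0.113.10")  # -> 'bob'
```

    The token-keyed variant still fails for travelling staff whose IP changes mid-session, which is the trade-off of any IP binding.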
