1

I am working on a new project for a client where we are going to be storing some important data online. I've been given an old access database which I converted to MS SQL and now I am wondering what kind of login & security I should use.

I'm going to run the site off SSL but I'm not 100% sure if I should go with Form Authentication or something different.

Any advice would be greatly appreciated.

bExplosion
  • 187
  • 2
  • 11

5 Answers

2

Forms Authentication is fine to work with SSL. Microsoft posted an article about the advantages of using SSL and Forms Authentication.

Help Secure Forms Authentication by using Secure Socket Layers (SSL)

Neil Knight
  • 47,437
  • 25
  • 129
  • 188
2

If you are going to work on an internal-only application, use Windows Authentication. This will work out-of-the-box and requires only that you use:

<authentication mode="Windows"/>

If you want to use Forms Authentication, you can either build your own storage and encryption mechanism, which takes some work, or add some tables to the database that allow ASP.NET to easily provide username, password and forgotten-password functionality. This is achieved by running a command-prompt tool that will add the necessary tables for you:

aspnet_regsql.exe

This will start a wizard that allows you to configure the features that you want to add to SQL Server.

To add just the membership tables, logging onto SQL as your logged-in account, use:

aspnet_regsql.exe -S <server> -D <database> -A m -E

Or if you want to connect as a specific user, use:

aspnet_regsql.exe -S <server> -D <database> -A m -U <username> -P <password>

Here is a link to a tutorial on how to use Forms Authentication with SQL Server in ASP.NET 2.0. Being ASP.NET 2.0, it looks out of date but it is the same in any version of ASP.NET V2 and upwards.

Dominic Zukiewicz
  • 8,258
  • 8
  • 43
  • 61
1

If you're running this on the public internet then definitely use SSL to encrypt membership-related transactions. The "cost" of using SSL is low - the risk from packet-sniffing and Firesheep-like tools can be very high.

Basic auth is OK, but I'd be tempted to go with Forms Auth just because you can control the signup and login experience - guidance for users, CAPTCHA etc...

stephbu
  • 5,072
  • 26
  • 42
1

Yes, go with Forms Authentication as the first part of the security. Why? Because all these kinds of logins are based on a cookie, and the basic idea is implemented very well by Forms Authentication.

Now, you need to add extra measures to protect your data, like:

  1. Be sure that you set up Forms Authentication correctly - ref: Can some hacker steal the cookie from a user and login with that name on a web site?
  2. Keep all logins from the user together with IPs and other information and make a pattern to recognize that something is going wrong. ref: https://stackoverflow.com/a/9645770/159270
  3. Add an extra security password for some critical actions.
  4. Add and use different levels of security.
  5. Besides the authentication form, add an extra security test for administrator logins, a test that must be known only to the high-permission persons.
Aristos
  • 66,005
  • 16
  • 114
  • 150
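A web.config excerpt, added here as an example (it is not from any of the answers above), that combines Dominic's `<authentication>` element with the cookie-protection point in Aristos's first item: Forms Authentication with the ticket cookie restricted to HTTPS, encrypted and signed, and marked HttpOnly. The login page path and the 30-minute timeout are assumed values.

```xml
<!-- web.config excerpt (added example, not from any answer above).
     loginUrl and the 30-minute timeout are assumed values. -->
<configuration>
  <system.web>
    <!-- Forms Authentication, with the ticket cookie locked to HTTPS -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <!-- Anonymous users are denied everywhere except the login page -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Session and auth cookies: not readable by script, only sent over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page itself must stay reachable for anonymous users -->
  <location path="Account/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" on both elements, ASP.NET refuses to issue the ticket cookie over plain HTTP, so a page accidentally served without SSL fails closed instead of leaking the cookie.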
0

Forms Authentication is best for this scenario. Please refer to the following links for using Forms Authentication with SSL.

Protect Forms Authentication in ASP.NET

More Secure Sites with ASP.NET

Ashwini Verma
  • 7,477
  • 6
  • 36
  • 56