ASP.NET Intranet and Internet website - asp.net

I am designing ASP.NET website for Intranet users. At the end of Phase-I this will be available to Intranet users.
But after Phase-II, the same site needs to be opened to certain users that are outside this office.
Can I can use ASP.NET Membership provider?
Any other design recommendations?
I appreciate your input.

This is what I would do.
I would use ASP.net MembershipProvider and use SQL server to store it.
Create roles (internal user and external user)
I would use high encryption for passwords for all users
Use roles to limit the information external users can see
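As an added illustration of the role split this answer recommends (example code, not the poster's), here is how it looks with the stock SqlMembershipProvider and SqlRoleProvider: provisioning the two roles, registering an account into one of them, and gating both a page section and the underlying data on the role. The role names, the helper names and the page controls are assumptions; the example also assumes passwordFormat="Hashed" and requiresQuestionAndAnswer="false" on the membership provider in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the thread): the internal/external role split with
// the standard SqlMembershipProvider and SqlRoleProvider. Role names, helper
// names and page controls are assumptions.
public static class SiteRoles
{
    public const string Internal = "InternalUser";   // assumed role name
    public const string External = "ExternalUser";   // assumed role name

    // Call once at start-up (e.g. Application_Start in Global.asax) so both
    // roles exist before anyone is assigned to them.
    public static void EnsureRolesExist()
    {
        foreach (string role in new[] { Internal, External })
        {
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);
        }
    }

    // Creates the account through the configured membership provider and puts
    // it in exactly one of the two roles. With passwordFormat="Hashed" the
    // database holds a salted hash of the password, never the password itself;
    // passwordQuestion/passwordAnswer are null because the provider is assumed
    // to have requiresQuestionAndAnswer="false".
    public static MembershipCreateStatus Register(
        string userName, string password, string email, bool isInternal)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        if (status == MembershipCreateStatus.Success)
            Roles.AddUserToRole(userName, isInternal ? Internal : External);
        return status;
    }
}

// Server-side guard for the data itself. Hiding a panel in the page is a
// convenience for the user; this check is what actually limits external users.
public static class InternalReport
{
    public static string[] Load(IPrincipal user)
    {
        if (user == null || !user.IsInRole(SiteRoles.Internal))
            throw new UnauthorizedAccessException("Internal report requested by a non-internal account.");
        return new[] { "Q1 headcount: 42", "Q1 budget: 1.2M" }; // constructed sample rows
    }
}

// Code-behind for a page with an internal-only section. Assumes the markup
// declares <asp:Panel ID="InternalOnlyPanel" runat="server"> containing a
// GridView named InternalGrid.
public class Dashboard : Page
{
    protected Panel InternalOnlyPanel;
    protected GridView InternalGrid;

    protected void Page_Load(object sender, EventArgs e)
    {
        // User is the principal built from the forms-authentication ticket;
        // IsInRole goes through the configured role provider.
        bool isInternal = User.IsInRole(SiteRoles.Internal);
        InternalOnlyPanel.Visible = isInternal;
        if (isInternal)
        {
            InternalGrid.DataSource = InternalReport.Load(User);
            InternalGrid.DataBind();
        }
    }
}
```

The point of InternalReport.Load is that the role check happens where the data is produced, not only in the UI: an external user who guesses the page or posts directly to it still gets an exception rather than internal rows.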

Yes, you can use the ASP.Net membership provider to allow external users to register and login to the site. Using this would ensure that the passwords are hashed with a salt and encrypted, thus making the user data more secure. The ASP.Net membership provider has a huge API set which might be confusing for developers, among other things. There is a simplified membership provider which is available in the WebMatrix suite called SimpleMembershipProvider, which is available in the WebMatrix.WebData namespace. This gives just enough API needed to create, manage, authenticate and authorize external users.

It depends on what you mean by "outside this office". You can use the ASP.NET membership classes with any sort of provider that may suit your needs. Do you mean by intranet users, that you want the users to be able to sign in to your web site with their Windows domain account?
Generally you can use the SqlMembershipProvider to authenticate users against a SQL Server database with a given set of tables using the ASP.NET login controls. If you want to use the login controls but want users to be able to login using their Windows account you can use the ActiveDirectoryMembershipProvider. If none of the above is suitable for you, there's always the option to implement a custom provider.

Related

ASP.NET - with multiple sites sharing the same database, how can I manage the username a password?

I have multiple websites and a Windows app that share the same database. Is there a way that I can manage the database username and password across all web.configs and app.configs? I'd like to be able to change the username and password, and then have all websites and apps use the new name. Is there something that I can use that will automate this? I currently store the username and password in a connection string.
You may have to write some custom code in your Windows app to support it, but ASP.NET Membership will let you share usernames and passwords among multiple apps.
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.
Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting them. Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.
Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store.
Also, see this SO question for some additional info.
Keep the user name and password in the registry.
Build the connection string on the fly using a class
All web sites and Apps should have the same class
By the way, the registry is more secure than the web config.
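An added example of the "build the connection string on the fly using a class" idea in the answer above (this is not the poster's code): one small class, compiled into every web site and the Windows app, that reads the SQL login from a single registry key and assembles the connection string with SqlConnectionStringBuilder. The key path and value names are assumptions. Whether this is more secure than web.config depends entirely on the ACL you put on that key: it must be readable only by the accounts the applications run under.

```csharp
using System;
using System.Data.SqlClient;
using Microsoft.Win32;

// Added example: shared connection-string factory. The key path and value
// names are assumed; point them at whatever your deployment uses.
public static class SharedDbConnection
{
    private const string KeyPath = @"SOFTWARE\ExampleCompany\SharedDb"; // assumed

    // Reads the four parts of the login from the registry and builds a
    // connection string. Rotating the SQL password means changing one
    // registry value; every site and app picks it up on its next connection.
    public static string Build()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, false))
        {
            if (key == null)
                throw new InvalidOperationException("Registry key not found: " + KeyPath);

            var builder = new SqlConnectionStringBuilder
            {
                DataSource = (string)key.GetValue("Server"),
                InitialCatalog = (string)key.GetValue("Database"),
                UserID = (string)key.GetValue("UserId"),
                Password = (string)key.GetValue("Password"),
                Encrypt = true   // TLS to the server so the login is not sent in clear
            };
            return builder.ConnectionString;
        }
    }

    // Convenience wrapper so call sites never see the credentials at all.
    public static SqlConnection Open()
    {
        var conn = new SqlConnection(Build());
        conn.Open();
        return conn;
    }
}
```

The alternative that needs no custom code is to leave the connection string in each config file and encrypt the connectionStrings section with the built-in protected-configuration providers (aspnet_regiis -pe "connectionStrings"), which ties the secret to the machine's DPAPI or RSA key store rather than to a registry ACL.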

Asp.Net Login Page , What would be the best approach

I am using Asp.Net/C# and Visual Studio 2008 to build an application. Right now I want to create a login page for my application, I would like to ask you guys, what would be the best approach to it. Should I go with Forms Authentication in Asp.Net or should I try looking at Ajax Login with Asp.Net. Which would be more appropriate. If possible please let me know some of the pros and cons of the approaches. Also could anyone suggest me some links for a good starting point.
Any suggestions are most welcome.
Thanks
I think you have to go for Forms Authentication. Below are the advantages of it.
1) users do not have to be member of a domain-based network to have access to your application.
2) Web applications, particularly commercial sites where customers order products, want to have access to user information. Forms authentication makes these types of applications easier to create.
3) Keep personalization cookies that contain user-specific preferences and non-sensitive data separate from authentication cookies.
4) Consider reducing the cookie lifetime to reduce the time window in which an attacker can use a captured cookie to gain access to your application with a spoofed identity.
List the steps to use Forms authentication in a web application?
1. Set the authentication mode in Web.config to Forms.
2. Create a Web form to collect logon information.
3. Create a file or database to store user names and passwords.
4. Write code to add new users to the user file or database.
5. Write code to authenticate users against the user file or database.
Hope this info is helpful to you in making a decision.
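An added example of steps 2 and 5 of the list above as a Login.aspx code-behind (not the poster's code). Steps 3 and 4 are left to the membership provider, which supplies the user table and the create-user code; the control names are assumptions, and the example assumes web.config has authentication mode="Forms" with loginUrl pointing at this page and a configured membership provider.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for Login.aspx with Forms Authentication and the
// membership provider. Control names are assumptions.
public class LoginPage : Page
{
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label StatusLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text.Trim();
        string password = PasswordBox.Text;

        // ValidateUser hashes the submitted password with the stored salt and
        // compares it; it also enforces the provider's lockout settings
        // (maxInvalidPasswordAttempts / passwordAttemptWindow).
        if (Membership.ValidateUser(userName, password))
        {
            // Issues the forms-authentication cookie and sends the user back
            // to the page that triggered the login. false = session cookie,
            // so a captured cookie stops working when the browser closes;
            // pair it with requireSSL="true" on <forms> so it only travels
            // over HTTPS. With enableCrossAppRedirects left at its default
            // (false) a ReturnUrl pointing off-site falls back to defaultUrl.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
            return;
        }

        // One message whether the account is unknown, the password is wrong or
        // the account is locked out: the response should not reveal which.
        StatusLabel.Text = "Login failed. Check your user name and password.";
    }
}
```

The cookie lifetime advice in point 4 above maps onto the timeout and slidingExpiration attributes of the <forms> element; the persistent-cookie flag passed to RedirectFromLoginPage is the per-login half of that decision.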
Use OAuth for login.
It has ASP.net binding too.
http://oauth.net/code/

login restriction with ldap, but where to store the functional rights/access control list?

Question is:
LDAP authentication required
Internal users automatically authenticated, external users requires login
Where do I store complex access control rights?
In the AD/LDAP or in the Application itself (asp.membership db).
What is your experience and best practices suggestion?
Looking to build this in asp.net mvc 2 and using membership features, so best practice here I guess is that we roll our own custom provider to accomplish this...
I would have to say the best approach to this would be to adopt single sign on using membership login, but then implement your own access control for fine grained application access rights internally in your own system.
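An added example of the approach the answer above settles on, written for ASP.NET MVC 2 (this is not the poster's code): authentication stays with the LDAP/AD membership provider, while the fine-grained rights live in the application and are enforced by a subclass of AuthorizeAttribute. The IRightsStore interface, the in-memory store standing in for the application's rights table, and the right names are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Added example: application-owned access rights checked by an MVC 2 filter.
// Who the user is still comes from AD/LDAP via the membership provider; only
// the rights table lives in the application. Names are assumptions.
public interface IRightsStore
{
    bool UserHasRight(string userName, string right);
}

// Stand-in for the application's rights table (user -> set of right names).
// A real implementation would query the application database.
public sealed class InMemoryRightsStore : IRightsStore
{
    private readonly Dictionary<string, HashSet<string>> _rights =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string userName, string right)
    {
        HashSet<string> set;
        if (!_rights.TryGetValue(userName, out set))
            _rights[userName] = set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        set.Add(right);
    }

    public bool UserHasRight(string userName, string right)
    {
        HashSet<string> set;
        return _rights.TryGetValue(userName, out set) && set.Contains(right);
    }
}

public static class RightsStoreLocator
{
    // Replace with a DB-backed store at start-up; kept static for brevity.
    public static IRightsStore Current = new InMemoryRightsStore();
}

// Usage: [RequiresRight("Invoices.Approve")] on an action or a controller.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequiresRightAttribute : AuthorizeAttribute
{
    private readonly string _right;

    public RequiresRightAttribute(string right)
    {
        _right = right;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore enforces "is authenticated" (plus any Users/Roles
        // set on the attribute); an external user who has not logged in is
        // sent to the login page, an internal user already has a ticket.
        if (!base.AuthorizeCore(httpContext))
            return false;

        return RightsStoreLocator.Current.UserHasRight(httpContext.User.Identity.Name, _right);
    }
}

public class InvoicesController : Controller
{
    [RequiresRight("Invoices.Approve")]
    public ActionResult Approve(int id)
    {
        return Content("Invoice " + id + " approved.");
    }
}
```

Granting a right is a call such as ((InMemoryRightsStore)RightsStoreLocator.Current).Grant(@"CORP\jdoe", "Invoices.Approve") during set-up. When AuthorizeCore returns false for a user who is logged in, the default result is a 401, which forms authentication turns into a redirect back to the login page; override HandleUnauthorizedRequest to return a 403 instead so authenticated-but-unauthorised users get a clear "forbidden" rather than a login loop.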

Narrowing Integrated Windows Authentication to a subset of users for an intranet ASP.Net application

Scenario: An intranet ASP.Net application using Integrated Windows Authentication and a SqlRoleProvider for authorization. The application is used by a small subset of users within the domain.
If there are only a few users within the domain that should be able to access the application, can IWA be narrowed to allow authentication for that subset of users only, say via a domain group? Is this possible or even logical? This would certainly be the case if you predefined user accounts and used forms authentication. I understand that you can manage authorization within the application but wonder if the above is possible to add some security in depth. Appreciate your thoughts.
With anonymous access disabled, you can set the NTFS permissions on the web application directory to let only specific users in.
IWA will authenticate all valid users. But you can do the following,
allocate the subset of users into a group, and use a role provider for them. Then you can allow only this group to use the application.
Or use forms authentication instead and write your own membership provider to authenticate users. Then you have all the controls and can block unwanted users.
You can also try some of the more traditional authorization techniques I outlined here:
Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?
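An added example (not from any of the answers above) of the "allocate the subset of users into a group" option as a defence-in-depth gate in code: an HttpModule that, after Integrated Windows Authentication has run, refuses every request whose Windows token is not in one domain group. The group name is an assumption. It deliberately checks the WindowsIdentity rather than HttpContext.User, because in the scenario described (SqlRoleProvider with roleManager enabled) HttpContext.User is a RolePrincipal whose IsInRole consults the SQL roles, not Active Directory.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: lets only members of one domain group past Integrated Windows
// Authentication, independent of the application's SqlRoleProvider. Group name
// is an assumption. Register the module in web.config under <httpModules>
// (classic pipeline) or <system.webServer><modules> (integrated pipeline).
public sealed class DomainGroupGateModule : IHttpModule
{
    private const string AllowedGroup = @"CORP\IntranetAppUsers"; // assumed

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after IIS has established the Windows identity
        // and before any page handler runs.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;

        // With roleManager enabled, Context.User is a RolePrincipal wrapping the
        // WindowsIdentity; its IsInRole asks the SqlRoleProvider. Unwrap to the
        // WindowsIdentity so the check runs against the logon token's group
        // SIDs, which also resolves nested AD group membership.
        WindowsIdentity windowsIdentity = app.Context.User == null
            ? null
            : app.Context.User.Identity as WindowsIdentity;

        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
        {
            // Anonymous access should already be disabled in IIS; be explicit anyway.
            Deny(app);
            return;
        }

        var windowsPrincipal = new WindowsPrincipal(windowsIdentity);
        if (!windowsPrincipal.IsInRole(AllowedGroup))
            Deny(app);
    }

    private static void Deny(HttpApplication app)
    {
        // 403 rather than 401: the user did authenticate, they are simply not
        // allowed here, so re-prompting for credentials would be pointless.
        app.Context.Response.StatusCode = 403;
        app.Context.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    public void Dispose()
    {
    }
}
```

The declarative equivalent is an <authorization> section in web.config with allow roles="CORP\IntranetAppUsers" followed by deny users="*", but that path goes through UrlAuthorizationModule and HttpContext.User, so it only sees Windows groups when roleManager is disabled or uses WindowsTokenRoleProvider. With SqlRoleProvider in play, the module above (or the NTFS-permission approach from the first answer) keeps the domain-group gate independent of the application's own role table.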

Signon types for a .net web application

Other than forms authentication, what are other common forms of authentication that an application should ideally support?
Is it just active directory or is LDAP a must also?
Generally, you only need to support one kind of authentication.
With forms authentication, you have to provide a database table containing user names and passwords. And you should provide the ability for users to change their passwords, etc. This is all made easier with the Membership provider.
If you have the option of using Active Directory or another LDAP, that removes the burden from you of establishing logins and maintaining them. If that choice is available to you, I'd recommend using it.
Likely you only want to support one form of authentication. Here are a couple other than Forms authentication that you can use.
Windows Authentication: http://msdn.microsoft.com/en-us/library/ms998358.aspx
OpenId: http://www.eggheadcafe.com/tutorials/aspnet/4b3c7c9b-fe80-4e6e-a34e-0e9efed5c575/integrate-openid-authenti.aspx