Cache Authentication vs Forms Authentication - Thoughts?


Rbrt

I am developing an IIS 6.0 / ASP.NET 2.0 database driven web site that will be
used for an in-house application with less than 1,000 potential users and
which will probably never have more than a couple of hundred simultaneous
users at any given time.

While forms authentication provides good tools for handling security for the
site, it is vulnerable to dedicated hackers who can sniff out cookies or
URLs and hijack the site.

I am considering using a cache-based authentication method in which I would
instantiate a custom user class object to handle things like log ons, and
store user information and which is then cached on the server with a sliding
expiration using a key consisting of the user's IP address. Every time the
user requests a page, the object can be retrieved from the cache. If it is
not found in the cache, then a redirect at server is used to route them to
the logon form. The advantage of course is that all of this is done on the
server with no client side data dependency other than the IP address.

Has anybody tried this? Anybody have any comments on what might be the
pitfalls of such a scheme?

Thanks for any input.

Robert
 
Good point. The "in-house" includes field staff who travel widely in and
outside of North America. The data is highly confidential and of considerable
interest to my customer's competitors.
 
You're thinking that a "dedicated hacker" won't be able to spoof an IP
address?

Anyway, if you're keen on using IP, why not use regular forms auth then add
logic to global.asax to query IP on each request and perform some logic?

You should probably also check out OpenID.

I don't really see a need to re-invent the wheel.
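The reply's suggestion of regular forms authentication plus an IP check on every request, written out as an added example for ASP.NET 2.0 (this is not code posted in the thread). The client IP is stored in the ticket's UserData at login and compared against the requesting IP in Application_AuthenticateRequest; IssueTicketBoundToIp is a hypothetical helper name.

```csharp
// Global.asax code-behind (added example, not from the thread). Binds a
// forms-auth ticket to the IP it was issued for and rejects mismatches.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Call this from the login page instead of RedirectFromLoginPage so the
    // issuing IP travels inside the encrypted ticket rather than in a second cookie.
    public static void IssueTicketBoundToIp(HttpContext ctx, string userName)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, ctx.Request.UserHostAddress, FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection;  // only over HTTPS when available
        ctx.Response.Cookies.Add(cookie);
    }

    // Runs on every request before the user principal is built.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                      // anonymous request

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }             // tampered or foreign cookie

        if (ticket == null || ticket.Expired ||
            !string.Equals(ticket.UserData, Request.UserHostAddress))
        {
            // Ticket presented from a different IP than it was issued to:
            // treat as a possible replayed cookie and force a fresh logon.
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}
```

Expect false positives for travelling staff whose address changes mid-session (mobile networks, proxies), and remember that users behind one NAT share an IP, which is also why an IP alone is a poor cache key for the scheme in the first post.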
 