Implementing Security - Advice Please

  • Thread starter: frank

frank

I am in the process of writing a fairly large ASP.NET web application and I
am about to implement log-ons, permissions etc. I have never used any
security with ASP.NET before; only classic ASP.

I would like to base my users' logon information and permissions on their
domain account. What is the best way to do this? Can web-based forms
communicate with the domain user accounts? What about storing session
information - how do we do this? Are there any recommended techniques for
implementing this sort of security? Can anyone point me to any articles
relating to this subject?

Any help will be gratefully appreciated.
 
frank said:
I am in the process of writing a fairly large ASP.NET web application and I
am about to implement log-ons, permissions etc. I have never used any
security with ASP.NET before; only classic ASP.

I would like to base my users' logon information and permissions on their
domain account. What is the best way to do this? Can web-based forms
communicate with the domain user accounts? What about storing session
information - how do we do this? Are there any recommended techniques for
implementing this sort of security? Can anyone point me to any articles
relating to this subject?

You don't say whether or not this is an Intranet application. If it is, then
you can use Windows Authentication.

A good starting point is the following article on MSDN: Authentication in
ASP.NET: .NET Security Guidance
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp).
 
frank said:
It's primarily an Intranet application, although it may be available in the
future on the Internet.

Ok, keep in mind that Windows Authentication can work over the Internet.
"Windows Authentication" really means "IIS Authentication", and IIS does
support Basic Authentication which requests a username/password. Do this
over SSL and you should be ok.
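
The advice above, sketched as code (an added example, not part of the thread or of the articles it links): with Windows authentication enabled, ASP.NET exposes the account IIS authenticated as `Context.User`, so an HTTP module can refuse Basic logons that did not arrive over SSL and gate access on Windows group membership. The class name `DomainAccessModule` and the group `EXAMPLE\WebAppUsers` are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Assumed web.config settings: <authentication mode="Windows" /> plus
// <authorization><deny users="?" /></authorization>, with this module
// registered under <httpModules>.
public class DomainAccessModule : IHttpModule
{
    // Hypothetical domain group; substitute a real one.
    private const string RequiredGroup = @"EXAMPLE\WebAppUsers";

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IPrincipal user = ctx.User;

        // Anonymous requests are left to <deny users="?" />, which
        // results in the 401 authentication challenge.
        if (user == null || !user.Identity.IsAuthenticated) return;

        // Basic sends the password base64-encoded, not encrypted. By now it
        // has already crossed the wire, so this is only a backstop: the real
        // control is requiring SSL on the site in IIS.
        string authType = ctx.Request.ServerVariables["AUTH_TYPE"];
        if (String.Compare(authType, "Basic", true) == 0
            && !ctx.Request.IsSecureConnection)
        {
            Deny(ctx, "SSL required");
            return;
        }

        // For a Windows account, IsInRole checks Windows group membership.
        if (!user.IsInRole(RequiredGroup))
            Deny(ctx, "Forbidden");
    }

    private static void Deny(HttpContext ctx, string reason)
    {
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = reason;
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```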
 
John Saunders said:
Ok, keep in mind that Windows Authentication can work over the Internet.
"Windows Authentication" really means "IIS Authentication", and IIS does
support Basic Authentication which requests a username/password. Do this
over SSL and you should be ok.

Is Windows Authentication based on the Domain user accounts?
 
I wrote a useful hands-on article about implementing security within
an ASP.NET application for the September/2003 issue of Windows
Developer - "Quick ASP.NET Security". You can download it for free if
you register at the site, and I think you will find it useful. It
builds upon the basics of ASP.NET security; it's not just
regurgitation of the .NET Framework docs:
http://www.windevnet.com/wdn/articles/2003/0309/
 