Dev

Reputation: 1007

C# 4 ASP.net *NON MVC* Custom Authentication

I know this question has been asked countless times, but believe me, I've searched Google for hours and got nothing. Whatever is out there is for MVC, which I'm not using.

My requirement is simple. I do not want to use the default authentication provided in asp.net. I would store the username/password/role in my custom SQL Server table. I'll provide 2 inputs for username/password and a button to validate. On validation, he is allowed access to the admin areas. This will only be used by admin guys at my subdomain "admin.*.com". They will use this page to add content to the website on daily basis.

  1. How do I implement it. A tutorial link would suffice.
  2. Is it safe for production? I don't want some newbie hacker getting into my site and messing it up. If it's not safe, what other options do I have?

Thanks, Dev

Upvotes: 0

Views: 440

Answers (4)

Earlz

Reputation: 63935

Writing a custom authentication handler is very dangerous. There are many ways to get it wrong and leave your website vulnerable to attack.

I also understand your complaint that Forms Authentication is extremely complicated. I was faced with a similar crossroads and decided to build my own authentication system called FSCAuth. It's BSD licensed. It's designed to be super simple and to allow for just about any database format you can imagine. All that must be done to set it up is implement a small 4-function interface to your database and populate a few configuration fields.

Upvotes: 0

dash

Reputation: 91550

As per our comments, given your reluctance to implement an ASP.Net Membership provider (and it is worth the time to investigate; you may not feel that it is right now, but it can be handy. I felt the same way at first, but the cost of maintaining your own code and infrastructure soon proves it to be a false economy), you have at least two other choices:

1) Straightforward Forms Authentication

Put all of your admin pages under a single folder, for example, /Admin, then use Forms Authentication to protect access to this folder. Only users defined in the database or Web.Config will have access to these pages. This is less flexible than ASP.Net membership, but may give you most of what you want. In terms of security, this will be as secure as your website is, is well tested, and is well documented.

2) Use Facebook OAuth

You mentioned that your user has access to Facebook. You could use Facebook to do the authentication for you. Although you won't be able to grab the username and password, you can get a token back that you can then validate against a known permission set. This is a lot more work than 1), though, and will tie you to potential future changes in the Facebook API. However, it also benefits from being well tested and secure, but you have little to no control over the actual user information.

As an aside, please also consider being nicer to Google!

Upvotes: 1
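Option 1) above in configuration form, as an added example that is not part of the answer: a Web.config fragment that turns on Forms Authentication site-wide and restricts everything under the /Admin folder to authenticated users in an "admin" role. The login page path, cookie name, role name and folder name are assumptions for illustration; the `requireSSL` and `httpOnlyCookies` settings cover the cookie points raised elsewhere in this thread.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication for the whole application.
         protection="All" encrypts and signs the ticket; requireSSL="true"
         marks the auth cookie Secure so it is never sent over plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             name=".ADMINAUTH"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Mark every cookie HttpOnly and Secure by default. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Anonymous users may still reach the rest of the site (e.g. the login page). -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Everything under /Admin: allow only the "admin" role, deny everyone else.
       Rules are evaluated top-down, so the deny must come last. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The role check only works if a role provider (built-in or custom) populates the user's roles after the ticket is validated; with no role provider, replace `<allow roles="admin" />` with `<allow users="alice,bob" />` or drop it and keep `<deny users="?" />` to require any authenticated user. The Login.aspx code-behind still has to validate the credentials against your own table and then call `FormsAuthentication.RedirectFromLoginPage(username, false)`.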

bloudraak

Reputation: 6002

Here is an example of how to do LDAP authentication using ASP.NET 1.1. The logic may still be applicable or can be adapted to later versions of ASP.NET, although I have not tested it.

Using the built-in membership providers, or implementing your own, is no guarantee that a hacker can't get access to your system. Things you'll have to consider:

  1. encrypting data between client and server
  2. don't store passwords in the database, not even encrypted. Hash each password with its own salt, if you can.
  3. enforce strong password entropy.
  4. make sure session and authorization cookies are marked HttpOnly and Secure
  5. for admin passwords, have a policy to change them frequently (like once a month)
  6. provide means to notify administrators when someone signs in to their accounts
  7. temporarily lock out ip address who exceeds number of requests per second and failed to authenticate
  8. temporarily lock out users when they enter their password wrongly more than x (e.g. 10) times in y minutes (e.g. 10).

These are just a handful of things to look for. You'll also have to concern yourself with session hijacking, JavaScript attacks and so forth.

It's not a trivial matter.

Upvotes: 1
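Points 2 and 8 of the list above in working code, as an added example that is not part of the answer: per-user salted hashing with PBKDF2 (`Rfc2898DeriveBytes`, available in .NET 4), a constant-time hash comparison, and a per-account lockout after 10 failures within 10 minutes. The in-memory dictionary is a stand-in for the custom SQL Server table the question mentions; the `AdminAuth` class, its field names and the iteration count are assumptions for illustration, and a real implementation would keep the salt, hash and failure counters in the database rather than in process memory.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the question or any answer.
public static class AdminAuth
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000;            // tune so one check costs ~100 ms on your server
    private const int MaxFailures = 10;               // the answer's example: 10 tries ...
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10); // ... within 10 minutes

    public sealed class Account
    {
        public string Username;
        public byte[] Salt;         // unique random salt per user
        public byte[] Hash;         // PBKDF2(password, Salt)
        public int Failures;
        public DateTime WindowStart;
        public DateTime LockedUntil;
    }

    // Constructed stand-in for the admin table in SQL Server.
    private static readonly Dictionary<string, Account> Store =
        new Dictionary<string, Account>(StringComparer.OrdinalIgnoreCase);

    public static void CreateAccount(string username, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);

        Store[username] = new Account
        {
            Username = username,
            Salt = salt,
            Hash = Derive(password, salt)
        };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // response time does not leak how many leading bytes were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true only for a correct password on an account that is not locked out.
    // 'now' is passed in so the lockout window can be tested deterministically.
    public static bool Validate(string username, string password, DateTime now)
    {
        Account acct;
        if (!Store.TryGetValue(username, out acct))
        {
            // Spend the same KDF cost for unknown users so timing does not reveal
            // whether an admin account with that name exists.
            Derive(password, new byte[SaltBytes]);
            return false;
        }

        if (now < acct.LockedUntil) return false;   // still locked; do not even check the password

        if (now - acct.WindowStart > Window)        // start a fresh counting window
        {
            acct.WindowStart = now;
            acct.Failures = 0;
        }

        if (FixedTimeEquals(acct.Hash, Derive(password, acct.Salt)))
        {
            acct.Failures = 0;
            return true;
        }

        acct.Failures++;
        if (acct.Failures >= MaxFailures)
            acct.LockedUntil = now + Window;
        return false;
    }
}
```

In the login page's button handler, call `AdminAuth.Validate(txtUser.Text, txtPass.Text, DateTime.UtcNow)` and, only on `true`, hand the session to Forms Authentication with `FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false)`; the cookie flags from point 4 come from Web.config, not from this code. Point 7 (per-IP throttling) needs a counter keyed on the client address in front of this check and is deliberately not folded in here.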

skyfoot

Reputation: 20769

You can create your own custom membership provider which has the features you are looking for: ASP.NET membership provider.

It's best to use the tried and tested method for security purposes. Remember you can customise any provider, including role providers, or even create your own unique providers.

Upvotes: 1
