Reputation: 1904
Authentication without using Forms Authentication
I am creating a personal website in which I would like users to register for. I have been looking up various security measures that need to be taken, and am curious as to what the main things I have to pay attention to. I have decided to not use ASP.NET Forms Authentication, primarily for the fun of creating the authentication process myself. Here is what I have done thus far:
- I have a MySQL Database where I am storing the user's login information such as a hash of their password and salt
Upon logging in, set a Session equal to their username -- which brings me to the question: Is this the best way to track a logged in user without using Forms Authentication? For example, setting the session would like something like this:
Session["User"] = username;
Is there a better way to go about tracking logged in users? Or is this an acceptable, yet still secure, way of handling things?
Upvotes: 2
Views: 1377
Answers (2)
Reputation: 3213
In my opinion a better way is to have user information in the encrypted cookie, that way your server does not need to keep track of each user in session. And it's more reliable than session. What you can do is to use only the mechanism for creating a secure authentication cookie from FormsAuthentication and use your own authorization for example.
public void OnLoginClick(object sender, EventArgs e)
{
if(MySqlValidUser(username, pass)) // this is where you would check if user is valid
{
FormsAuthentication.SetAuthCookie(username, null);
Response.Redirect("/");
}
}
That way if you have forms authentication enabled you can easily access User.Identity.Name or User.IsAuthenticated on your asp.net pages
<authentication mode="Forms" />
Upvotes: 1
Reputation: 124814
Is there a better way to go about tracking logged in users?
Microsoft designed Forms Authentication to use an encrypted cookie, with a cookieless fallback that uses querystring. So they obviously think it's a better way than using Session.
One advantage is that a User isn't automatically logged out if his Session is lost (timed out, but can also be lost if the application is recycled when using InProc Session - which is the default).
If you really want to "roll your own", I suggest you consider:
Writing a custom MembershipProvider, which will work with the FormsAuthentication infrastructure but enable you to learn something about the implementation details.
Or study the FormsAuthentication design, and attempt to replicate most of it (for example: you might omit support for cookieless authentication).
Upvotes: 1
Related Questions
- ASP.Net Login Authentication
- What alternatives are there for asp.net forms authentication?
- form Authentication
- ASP.NET Authentication
- authentication in asp.net
- How to use form authentication in ASP.Net?
- Windows Authentication and Forms Authentication
- Forms Authentication
- Avoid Authentication
- How to Implement ASP.Net Forms Authentication