What is the most efficient/secure way to authenticate a web service in ASP.NET?

Question

Background:** We have an ASP.NET web app which exposes simple ASMX web services such as:

1. string GetOrders(string userName,string password,DateTime orderDate) : Return an XML string of customer orders based on the user (customer).

2. void UpdateOrders(string userName, string password, Guid orderGuid, string orderXml) : Update an order's data (from the XML Payload) based on the order's GUID.

Example:

WebServiceClient proxy = new WebServiceClient();
string xmlData = proxy.GetOrders("james","password",DateTime.Today);

My question is:

1. ALthough we use HTTPS: is this method actually save?
2. What will be a better alternative in ASP.NET?

Answer 1

Here is a similar thread covering some of these issues.

In general, even with a SSL connection, don't send passwords in clear text. A challenge response is a good way to secure your password, this is what many banks do as well. Basically send the user a timestamp or something similar that would vary depending on when you call the service. Then have the user respond with a hash of his password + the timestamp, this way even if the password hash is intercepted it cannot be used to access your service, since next time it is called the hash would need to be different.

Answer 2

1. The transmission of the credentials is safe since the connection and between the client and the server is encrypted. However, the content of the connection is not safe. If the SSL certificate were to break, or if somebody were to decrypt that traffic stream, the user name and password would essentially be in clear text.

How safe this is for you depends on the nature of the data and what is acceptable to you.

2. As an alternative, update the services to use WCF (Windows Communication Foundation). It has a far more robust set of ways to deal with authenticated and authorized communication for web services.