Reputation: 1405
I have never really used this stack before and I just wanted to make sure that I am thinking along the right lines.
I have a WCF service with Windows authentication for transport security and a certificate for message security, with one TCP endpoint. My service has the methods to authenticate a plain-text username and password: the username is used to retrieve the salt from the database, the given password is hashed with that salt, and the result is then compared to the password from the database.
In order to authenticate users in my ASP MVC project, I am simply using forms authentication and setting the auth cookie if the WCF service returns HTTP code OK when the username and password are passed from the action to the service.
If I implement necessary security measures such as locking accounts out after x number of unsuccessful requests for authentication to the service, does this serve as sufficient security to lock down my application?
This project is public facing.
Upvotes: 4
Views: 241
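The salted-hash comparison and the lockout-after-x-failures rule the question describes, as an added example (not code from the question or either answer). It assumes PBKDF2 as the hash, an in-memory record in place of the database row, and 5 failures / 15 minutes as the lockout policy.

```csharp
using System;
using System.Security.Cryptography;

// Stand-in for the database row holding the user's salt, hash and failure counter (assumed shape).
public sealed class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public int FailedAttempts;
    public DateTime? LockedUntil;
}

public static class PasswordAuth
{
    const int Iterations = 100_000;   // assumed PBKDF2 work factor
    const int HashBytes = 32;
    const int MaxFailures = 5;        // the "x" from the question, assumed value
    static readonly TimeSpan Lockout = TimeSpan.FromMinutes(15);   // assumed lockout window

    // Creates a fresh random salt and stores the derived hash, never the password.
    public static UserRecord Register(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new UserRecord { Salt = salt, Hash = Derive(password, salt) };
    }

    // Returns true only for the correct password on an account that is not locked.
    public static bool Verify(UserRecord user, string password, DateTime now)
    {
        if (user.LockedUntil.HasValue && now < user.LockedUntil.Value)
            return false;                                   // locked: reject without hashing
        var candidate = Derive(password, user.Salt);
        // Fixed-time comparison so a mismatch does not leak where the two hashes diverge.
        bool ok = CryptographicOperations.FixedTimeEquals(candidate, user.Hash);
        if (ok) { user.FailedAttempts = 0; user.LockedUntil = null; return true; }
        if (++user.FailedAttempts >= MaxFailures)
            user.LockedUntil = now + Lockout;               // lock after x consecutive failures
        return false;
    }

    // PBKDF2-HMAC-SHA256 over the password and the per-user salt.
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}
```

The lockout state must live in the same store as the hash, otherwise a second service instance sees no failures and the limit does not hold.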
Reputation: 1067
I would highly suggest stepping away from the forms authentication when working with a WCF service or REST service. You can use BASIC authentication and wrap everything really nicely with SSL and it would be much better. A few things to really look at are the following:
After considering all of the above options, check out the following:
https://msdn.microsoft.com/en-us/library/ff406125.aspx
And when you think you have read enough, read a little more. OWASP best security practices for WCF are an awesome standard, you can even create a checklist from it.
https://www.owasp.org/index.php/WCF_Security_Best_Practices
Upvotes: 1
Reputation: 793
There are a variety of factors to consider.
Ensure you have the requireSSL flag set on your forms as well.
Upvotes: 2