Jacob Mason

Reputation: 1405

ASP Forms Authentication with WCF?

I have never really used this stack before and I just wanted to make sure that I am thinking along the right lines.

I have a WCF service with Windows authentication for transport security and a certificate for message security, with one TCP endpoint. My service has the methods to authenticate a plain-text username and password: the username is used to retrieve the salt from the database, and the given password is hashed with that salt and then compared to the password from the database.

In order to authenticate users in my ASP MVC project, I am simply using forms authentication and setting the auth cookie if the WCF service returns HTTP code OK when the username and password are passed from the action to the service.

If I implement necessary security measures such as locking accounts out after x number of unsuccessful requests for authentication to the service, does this serve as sufficient security to lock down my application?

This project is public facing.

Upvotes: 4

Views: 241

Answers (3)

neohope

Reputation: 1832

  • Use HTTPS.
  • Add a CAPTCHA code in the MVC project.
  • Add a time span between retries and limit the retry count.
  • Do not use plain text; encode it first. Even MD5 will be better.
  • If this is on the internet, you'd better find an expert.

Upvotes: 0

Kevin B Burns

Reputation: 1067

I would highly suggest stepping away from the forms authentication when working with a WCF service or REST service. You can use BASIC authentication and wrap everything really nicely with SSL and it would be much better. A few things to really look at are the following:

  • How do you plan on dealing with brute-force attempts?
  • How do you plan on handling legitimate users locking themselves out?
  • What OSes do you plan on targeting? Are you creating a WCF service for a web site, or do you plan on utilizing iOS and Android later?

After considering all of the above options, check out the following:

https://msdn.microsoft.com/en-us/library/ff406125.aspx

And when you think you have read enough, read a little more. The OWASP best security practices for WCF are an awesome standard; you can even create a checklist from them.

https://www.owasp.org/index.php/WCF_Security_Best_Practices

Upvotes: 1

timkly

Reputation: 793

There are a variety of factors to consider.

  1. Can the domain for the WCF service be hijacked and DNS re-routed?
  2. How are errors handled in the WCF service? Is it possible an OK status could be returned in the event of an error?
  3. Salts are OK, but I would recommend something like BCRYPT instead for password storage and validation.
  4. Ensure you have the requireSSL flag set on your forms as well.

Upvotes: 2
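As an added example (not code from the question or from any of the answers), this is what the check the question describes looks like when written defensively in C#: a per-user random salt, PBKDF2 in place of a single salted hash, a fixed-time comparison, the retry limit and lockout window neohope and the question both mention, and the rule behind timkly's second point that only an explicit success from the service may earn a forms cookie, with faults and timeouts counted as failure. The names CredentialStore, UserRecord, AuthResult and LoginGate, the iteration count, the five-attempt limit and the fifteen-minute lockout are assumptions; the dictionary stands in for the database, and the code targets .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example; not code from the question or the answers. Targets .NET Core 2.1+ / .NET 5+
// (CryptographicOperations.FixedTimeEquals and the SHA-256 PBKDF2 overload).
public enum AuthResult { Success, InvalidCredentials, LockedOut }

// Hypothetical record standing in for the user row the question keeps in its database.
public sealed class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public int FailedAttempts;
    public DateTime LockedUntilUtc = DateTime.MinValue;
}

public static class CredentialStore
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100_000;   // assumed parameters
    const int MaxAttempts = 5;                                         // the question's "x" attempts
    static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);

    // Constructed in-memory store; the real service would query its database here.
    static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    // PBKDF2-HMAC-SHA256: salted and deliberately slow, unlike a single salted hash.
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    public static void Register(string username, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);   // per-user random salt
        Users[username] = new UserRecord { Salt = salt, Hash = Derive(password, salt) };
    }

    public static AuthResult Authenticate(string username, string password, DateTime nowUtc)
    {
        if (!Users.TryGetValue(username, out UserRecord user))
        {
            Derive(password, new byte[SaltBytes]);   // same cost for unknown users: no username oracle via timing
            return AuthResult.InvalidCredentials;
        }
        if (user.LockedUntilUtc > nowUtc)
            return AuthResult.LockedOut;             // checked before the KDF, so a locked account costs no CPU

        byte[] candidate = Derive(password, user.Salt);
        // Fixed-time compare: an early-exit byte compare would leak how many leading bytes matched.
        if (CryptographicOperations.FixedTimeEquals(candidate, user.Hash))
        {
            user.FailedAttempts = 0;
            return AuthResult.Success;
        }
        if (++user.FailedAttempts >= MaxAttempts)
        {
            user.FailedAttempts = 0;
            user.LockedUntilUtc = nowUtc + LockoutWindow;
            return AuthResult.LockedOut;
        }
        return AuthResult.InvalidCredentials;
    }
}

// MVC side: only an explicit Success earns the forms cookie. A fault, timeout or any
// other exception from the WCF channel is treated as "not authenticated", never as OK.
public static class LoginGate
{
    public static bool ShouldIssueAuthCookie(Func<AuthResult> callService)
    {
        try { return callService() == AuthResult.Success; }
        catch (Exception) { return false; }
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        CredentialStore.Register("alice", "correct horse battery staple");

        Console.WriteLine(CredentialStore.Authenticate("alice", "correct horse battery staple", now)); // Success
        for (int i = 0; i < 5; i++)
            Console.WriteLine(CredentialStore.Authenticate("alice", "wrong" + i, now)); // 4x InvalidCredentials, then LockedOut
        Console.WriteLine(CredentialStore.Authenticate("alice", "correct horse battery staple", now)); // LockedOut
        Console.WriteLine(CredentialStore.Authenticate("alice", "correct horse battery staple", now.AddMinutes(16))); // Success

        Console.WriteLine(LoginGate.ShouldIssueAuthCookie(() => { throw new TimeoutException(); })); // False
    }
}
```

Two design points worth noting: the lockout check runs before the key derivation, so a locked account cannot be used to burn server CPU, and the MVC gate compares against an explicit enum value rather than "no exception was thrown", which is the failure mode timkly's second point is about. The controller would call FormsAuthentication.SetAuthCookie only when ShouldIssueAuthCookie returns true, and the cookie itself should carry requireSSL as timkly's fourth point says.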
