Reputation: 1405
ASP Forms Authentication with WCF?
I have never really used this stack before and I just wanted to make sure that I am thinking along the right lines.
I have a WCF service with Windows authentication for transport security and certificate for message security with one TCP endpoint. My service has the methods to authenticate a plain text username and password, the username is used to retrieve the salt from the database and the given password hashed with that salt and then compared to the password from the database.
In order to authenticate users in my ASP MVC project, I am simply using forms authentication and setting the auth cookie if the WCF service returns http code OK when the username and password is passed from the action to the service.
If I implement necessary security measures such as locking accounts out after x number of unsuccessful requests for authentication to the service, does this serve as sufficient security to lock down my application?
This project is public facing.
Upvotes: 4
Views: 241
Answers (3)
Reputation: 1832
- use HTTPS
- Add CAPTCHA Code in the MVC project
- Add time span between retry, limit the retry times
- do not use plain text, encode it first, even md5 will be better
- if this in on the internet, you'd better find an expert
Upvotes: 0
Reputation: 1067
I would highly suggest stepping away from the forms authentication when working with a WCF service or REST service. You can use BASIC authentication and wrap everything really nicely with SSL and it would be much better. A few things to really look at are the following:
- How do you plan on dealing with brute force attempts.
- How do you plan on legitmate users locking themselves out.
- What OSes do you plan on targeting? Are you creating a WCF service for a web
site or do you plan on utilizing IOS and Android later?
After considering all of the above options, check out the following:
https://msdn.microsoft.com/en-us/library/ff406125.aspx
And when you think you have read enough, read a little more. OWASP best security practices for WCF are an awesome standard, you can even create a checklist from it.
https://www.owasp.org/index.php/WCF_Security_Best_Practices
Upvotes: 1
Reputation: 793
There are a variety of factors to consider.
- Can the domain for the WCF service be hijacked and DNS re-routed?
- How are errors handled in the WCF service. It is possible a OK status could be returned in the event of an error?
- Salts are OK but I would recommend something like BCRYPT instead for password storage and validation.
Ensure you have the requireSSL flag set on your forms as well
Upvotes: 2
Related Questions
- Authentication and Authorization of an MVC client application throgh WCF service?
- Forms Authentication for WCF
- ASP.NET with WCF Windows Authentication
- ASP.NET authentication from a Windows Forms application
- Asp.net mvc4 authentication through WCF
- MVC3 Application using Forms Authentication consuming WCF in other solutions
- Custom ASP.NET Forms Authentication Service with WCF
- WCF/ASP.NET Authentication
- WCF Service using ASP.NET Forms Authentication
- Authenticating a user via wcf