Reputation: 5451
Let me describe my situation:
We are developing a web application that creates websites.
Each website it creates is saved in the DB with all its additional information.
When a client browses to one of these websites he's actually browsing the root application, and with the Website ID we know which data to send to the client in which layout - but it all comes from the main root web application.
I wish to create a user management & authentication for this system, FOR EACH WEBSITE.
The idea I came up with:
Create a Users table in the DB that will have a WebsiteID column.
About the authentication, I planned to create some manual functions so that on each successful user login the system creates a cookie on the client's machine with the WebsiteId and a random GUID that will be saved in our DB for safety reasons (if there were no GUID, a client could manually create a cookie with the websiteId and hack our system).
This is how I planned to do it with the HttpCookie class:
using System;
using System.Web;
// int websiteId -> the current website id.
// int userId -> the user id from the DB.
HttpCookie cookie = new HttpCookie("WebsiteAuthentication" + websiteId);
cookie.Values["WebsiteId"] = websiteId.ToString();
cookie.Values["UserId"] = userId.ToString();
// The random GUID; the same value is also stored in the DB for this user.
cookie.Values["Guid"] = Guid.NewGuid().ToString();
// Add the cookie to the response so it is actually sent to the client.
Response.Cookies.Add(cookie);
When I need to check if the current user is authenticated, I will read the client's cookie (if it exists) and compare the cookie's GUID with the GUID saved in the application's DB.
Is this a good way to solve my issue? Is it protected and safe enough?
I'll be happy to know what you say about it, maybe I'm totally off course...
Hope I was understandable. Thanks all,
Gal
Upvotes: 1
Views: 146
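Added example (not code from the question): the design above, the per-website cookie carrying a random token that is checked against the DB, written the way a security reviewer would want it. The differences from the snippet in the question: the token comes from a CSPRNG rather than a GUID (a GUID is guaranteed unique, not guaranteed unguessable), only a SHA-256 hash of it is stored server-side, the cookie is HttpOnly and Secure, the website id is taken from the routed request instead of trusting the cookie, and the comparison is constant-time. `SessionStore` is a hypothetical in-memory stand-in for the Users/Sessions table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example, not from the original post. SessionStore is a hypothetical
// stand-in for the DB table; replace it with your own data access code.
public static class WebsiteAuth
{
    private const string CookiePrefix = "WebsiteAuthentication";

    // Hypothetical store: key = "websiteId:userId", value = SHA-256 of the token.
    private static readonly Dictionary<string, byte[]> SessionStore = new Dictionary<string, byte[]>();

    public static void SignIn(HttpResponseBase response, int websiteId, int userId)
    {
        // 32 random bytes from the OS CSPRNG, hex-encoded so the value is cookie-safe.
        var tokenBytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(tokenBytes);
        }
        string token = BitConverter.ToString(tokenBytes).Replace("-", "");

        // Persist only the hash: a leaked table then does not yield usable cookies.
        SessionStore[Key(websiteId, userId)] = Sha256(token);

        var cookie = new HttpCookie(CookiePrefix + websiteId)
        {
            HttpOnly = true, // not readable from script (limits XSS impact)
            Secure = true    // sent over HTTPS only
        };
        cookie.Values["UserId"] = userId.ToString();
        cookie.Values["Token"] = token;
        response.Cookies.Add(cookie);
    }

    // Returns the authenticated user id for this website, or null if not signed in.
    public static int? GetAuthenticatedUser(HttpRequestBase request, int websiteId)
    {
        // websiteId comes from the routed request, never from the cookie, so a
        // cookie issued for site A cannot be replayed against site B.
        HttpCookie cookie = request.Cookies[CookiePrefix + websiteId];
        if (cookie == null) return null;

        int userId;
        string token = cookie.Values["Token"];
        if (!int.TryParse(cookie.Values["UserId"], out userId) || string.IsNullOrEmpty(token))
            return null;

        byte[] stored;
        if (!SessionStore.TryGetValue(Key(websiteId, userId), out stored)) return null;

        return FixedTimeEquals(stored, Sha256(token)) ? userId : (int?)null;
    }

    public static void SignOut(HttpResponseBase response, int websiteId, int userId)
    {
        SessionStore.Remove(Key(websiteId, userId));
        // Expire the client-side cookie as well.
        response.Cookies.Add(new HttpCookie(CookiePrefix + websiteId) { Expires = DateTime.UtcNow.AddDays(-1) });
    }

    private static string Key(int websiteId, int userId) { return websiteId + ":" + userId; }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison so response timing does not leak the stored hash.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Even with these fixes the scheme still has to be backed by a DB lookup on every request and gives you no password hashing, lockout or reset flow; that is what the Membership/FormsAuthentication answers below provide for free.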
Reputation: 15076
As CD says (and I wrote in my comment) you can use Membership to obtain what you want.
But you have a problem regarding the application id, since the id is specified in the web.config and thus global to the application. This means you will not directly be able to handle different applications.
It seems that you are able to inherit from one of the standard membership providers (the SqlMembershipProvider is probably closest to your needs), and from the inheriting class you are able to set the ApplicationName. But you will of course get into trouble with threading unless you lock the entire statements after setting the ApplicationName, in which case you will get into trouble with performance.
On the other hand you get the database structure, passwords stored as salted hashes and a bunch of other security best practices given by the membership provider, so I would still recommend using the SqlMembershipProvider; but you might need to do some more clever subclassing or eventually just implement the interface and use composition to initialize a membership provider per sub application where the application name is set correctly.
Upvotes: 0
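Added example (not code from the answer) of the composition approach described above: instead of mutating ApplicationName on one shared provider (the threading problem), one SqlMembershipProvider instance is initialized per website with its own applicationName, which the provider then uses to scope every user row. It assumes a connection string named "MembershipDb" in web.config pointing at a database prepared with aspnet_regsql; the "/website/{id}" naming scheme is hypothetical.

```csharp
using System.Collections.Concurrent;
using System.Collections.Specialized;
using System.Web.Security;

// Added example, not from the answer. Assumes a web.config connection string
// named "MembershipDb" for a database created with aspnet_regsql.
public static class WebsiteMembership
{
    private static readonly ConcurrentDictionary<int, SqlMembershipProvider> Providers =
        new ConcurrentDictionary<int, SqlMembershipProvider>();

    // One provider per website. ApplicationName is fixed at Initialize time, so
    // there is no shared mutable state that requests would have to lock around.
    public static MembershipProvider ForWebsite(int websiteId)
    {
        return Providers.GetOrAdd(websiteId, id =>
        {
            var config = new NameValueCollection
            {
                { "connectionStringName", "MembershipDb" },
                { "applicationName", "/website/" + id },   // hypothetical naming scheme
                { "passwordFormat", "Hashed" },            // salted hash, never reversible
                { "requiresQuestionAndAnswer", "false" },
                { "requiresUniqueEmail", "true" },
                { "minRequiredPasswordLength", "10" },
                { "minRequiredNonalphanumericCharacters", "0" },
                { "maxInvalidPasswordAttempts", "5" },     // lockout after 5 failures ...
                { "passwordAttemptWindow", "10" }          // ... within 10 minutes
            };
            var provider = new SqlMembershipProvider();
            provider.Initialize("Website" + id, config);
            return provider;
        });
    }

    public static MembershipCreateStatus Register(int websiteId, string userName, string password, string email)
    {
        MembershipCreateStatus status;
        ForWebsite(websiteId).CreateUser(userName, password, email, null, null, true, null, out status);
        return status;
    }

    // Same user name on two websites resolves to two different rows because the
    // provider keys users on (ApplicationId, LoweredUserName).
    public static bool Login(int websiteId, string userName, string password)
    {
        return ForWebsite(websiteId).ValidateUser(userName, password);
    }
}
```

Because these providers are created in code rather than registered in web.config, the static Membership class and the Login/CreateUserWizard controls will not see them; call ForWebsite(websiteId) directly from your login page, and pair a successful ValidateUser with FormsAuthentication to issue the cookie.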
Reputation: 74126
I think you should be using the Membership provider (you can create a custom implementation if you need).
You really should be using FormsAuthentication.SetAuthCookie for creating the cookie.
Upvotes: 1
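Added example (not code from the answer) of issuing the cookie through FormsAuthentication instead of a hand-made HttpCookie. SetAuthCookie alone cannot record which website the login belongs to, so the ticket is built explicitly with the website id in its UserData and encrypted with FormsAuthentication.Encrypt (machineKey-protected, so the client cannot forge or edit it); on each request the ticket is rejected unless its UserData matches the website being served. It assumes `<authentication mode="Forms">` in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the answer. Requires <authentication mode="Forms"> in web.config.
public static class WebsiteFormsAuth
{
    // Issue a forms ticket whose UserData records the website it was issued for.
    public static void SignIn(HttpResponseBase response, int websiteId, string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                  // version
            userName,                           // name
            DateTime.Now,                       // issueDate
            DateTime.Now.AddMinutes(30),        // expiration
            false,                              // isPersistent: session cookie only
            websiteId.ToString(),               // userData: binds the ticket to one website
            FormsAuthentication.FormsCookiePath);

        // Encrypt() also MACs the ticket with the machineKey, so it cannot be tampered with.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        response.Cookies.Add(cookie);
    }

    // Returns the user name if the current forms ticket belongs to this website, else null.
    public static string GetUserForWebsite(HttpRequestBase request, int websiteId)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null; // Decrypt throws on a tampered ticket or a machineKey mismatch
        }

        if (ticket == null || ticket.Expired) return null;
        if (ticket.UserData != websiteId.ToString()) return null; // ticket issued for another site
        return ticket.Name;
    }

    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

Call SignIn only after MembershipProvider.ValidateUser (or your own check) succeeds, and read GetUserForWebsite with the websiteId resolved from the request's host/route, never from anything the client sends in the cookie.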