rsegecin
Member
232 Points
253 Posts
Your own security system vs ASP.Net's ...
Dec 23, 2009 11:30 AM
Hello, I was building my own authentication system for my web application when I came across various web sites showing how to do it with the ASP.NET login control, but they didn't bother to explain how this control manages to store the user's login information on the user's computer to "auto authenticate" the user on the web site when the user returns to it, and I was wondering how it is done. The only way that I figured is the way that I'm doing my own security system, which I'm afraid is easily "hackable" once a hacker has the cookie which stores the codified login information and has some software that can emulate the same IP address as the user that had logged in and generated that same cookie. Is the way that I'm doing it secure enough? I'm not implementing the ASP.NET security system in my web application straight away because it would make it more difficult to manage the various privileges that one user has over another user, which are altered from time to time, like an election.
Thank you for enlightening me. Happy holidays.
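The mechanism the question is asking about, as an added example in Python rather than the ASP.NET code itself: the built-in forms authentication does not store "codified login information" in the cookie at all. It stores a ticket (user name, issue and expiry times, optional user data) that the server encrypts and MACs with its machineKey, so a client can neither read credentials out of it nor mint or alter one without the key. The model below reproduces that shape with an HMAC-SHA256 over a base64 JSON payload, next to the scheme the question describes (encoded credentials). `SERVER_KEY`, the field names, the `tamper` helper and the revocation set are this example's own assumptions, not ASP.NET API.

```python
"""Signed, expiring ticket versus encoded credentials in a cookie.

Added example (Python), not ASP.NET's own code: forms authentication encrypts
and MACs its FormsAuthenticationTicket with the machineKey; this stand-in uses
an HMAC-SHA256 over a base64 JSON payload to show the same properties.
SERVER_KEY, the field names and the revocation set are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Stand-in for the machineKey validationKey: known only to the server.
SERVER_KEY = os.urandom(32)

# The forms-auth default timeout is 30 minutes; a stolen ticket replays until then.
DEFAULT_TTL = 30 * 60

# Server-side set of revoked ticket ids (logout, forced sign-out).
_REVOKED = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- the scheme the question describes: "codified" credentials in the cookie ---
def naive_cookie(username: str, password: str) -> str:
    """Encodes the credentials. Anyone holding the cookie can read them back,
    and anyone can mint one for any user, because no secret is involved."""
    return _b64e(f"{username}:{password}".encode())


def naive_decode(cookie: str) -> tuple:
    user, _, password = _b64d(cookie).decode().partition(":")
    return user, password


# --- a forms-auth style ticket ---
def issue_ticket(username, roles, ttl=DEFAULT_TTL, now=None) -> str:
    """Returns '<base64 payload>.<base64 HMAC>'. The payload names the user
    and an expiry; it never contains the password."""
    now = time.time() if now is None else now
    payload = {
        "id": _b64e(os.urandom(12)),  # unique id so this ticket can be revoked
        "sub": username,
        "roles": sorted(roles),
        "iat": int(now),
        "exp": int(now + ttl),
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(mac)}"


def verify_ticket(ticket: str, now=None):
    """Returns the payload dict if the MAC, expiry and revocation checks all
    pass, otherwise None. The MAC is checked before the payload is parsed."""
    now = time.time() if now is None else now
    try:
        body, mac_text = ticket.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(mac_text)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, binascii.Error, UnicodeError):
        return None
    if now >= payload["exp"] or payload["id"] in _REVOKED:
        return None
    return payload


def revoke_ticket(ticket: str) -> None:
    """Logout: record the ticket id so a copied cookie stops working before
    its expiry. Revoking an id that was never issued is harmless."""
    body = ticket.split(".", 1)[0]
    _REVOKED.add(json.loads(_b64d(body))["id"])


def tamper(ticket: str, **changes) -> str:
    """What an attacker without SERVER_KEY can do: rewrite the payload and
    reattach the original MAC. verify_ticket rejects the result."""
    body, mac_text = ticket.split(".", 1)
    payload = json.loads(_b64d(body))
    payload.update(changes)
    new_body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_body}.{mac_text}"
```

Two things the model makes visible. First, the ticket answers the "how does it auto-authenticate" question: the cookie is an unforgeable claim that the server already checked the password, not the password itself. Second, it does not solve the stolen-cookie problem by itself: whoever holds a valid ticket is the user until it expires or is revoked, which is why the usual mitigations are HttpOnly and SSL-only cookies, a short sliding timeout, and server-side revocation on logout, rather than binding the cookie to the client IP (legitimate users change address behind NAT and proxies, and an attacker who can read the cookie usually sits on the same network path anyway).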
rtpHarry
All-Star
56620 Points
8958 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 12:36 PM
Hey,
My advice is to definitely use the built-in ASP.NET authentication, authorization and membership systems.
This is the least hackable solution and is backed up by being long established and fully tested code.
You always run the risk of leaving a security hole in your site if you roll your own, and you also lose the benefit of all the integration you get from using the built-in systems (CreateUserWizard, login controls, website admin section, roles etc.).
You can fine-grain your users' permissions by using ASP.NET roles to restrict the pages they can view, and you can also take it a step further with other features (although they are a bit more tricky). Then you will be sure that you have a solid base to build the rest on.
Marked as answer by rsegecin on Dec 23, 2009 08:55 PM
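How role-based page restriction behaves, as an added example in Python rather than ASP.NET's own code. It models the semantics of the `<authorization>` section: rules are tried in order and the first match wins, `*` means everyone, `?` means anonymous users, and when no rule matches the inherited default allows everyone. Role membership is looked up at request time, which is what makes the "privileges change like an election" case in the question manageable: change the role store and the next request sees it. The `ROLE_STORE`, the page paths and the rule sets are constructed for the example.

```python
"""Ordered allow/deny URL authorization with roles looked up per request.

Added example (Python), not ASP.NET code. It mirrors the <authorization>
semantics (rules in order, first match wins, '*' everyone, '?' anonymous,
inherited default allows everyone). ROLE_STORE and the paths are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)


# Roles are read at request time, so changing them takes effect immediately
# without touching the user's authentication cookie.
ROLE_STORE = {"alice": {"admin"}, "bob": {"member"}}


def roles_of(user):
    return set() if user is None else set(ROLE_STORE.get(user, set()))


def set_roles(user, roles):
    """Reassign a user's roles (the 'election' case)."""
    ROLE_STORE[user] = set(roles)


def rule_matches(rule, user, roles):
    anonymous = user is None
    if "*" in rule.users:
        return True
    if "?" in rule.users and anonymous:
        return True
    if not anonymous and user in rule.users:
        return True
    return bool(rule.roles & roles)


def is_authorized(rules, user):
    """First matching rule decides; no match falls through to allow."""
    roles = roles_of(user)
    for rule in rules:
        if rule_matches(rule, user, roles):
            return rule.action == "allow"
    return True  # inherited default: <allow users="*"/>


# Constructed per-location rule sets, like <location path="..."><authorization>.
SITE_RULES = {
    "/Admin/": [Rule("allow", roles={"admin"}), Rule("deny", users={"*"})],
    "/Members/": [Rule("deny", users={"?"})],
    "/": [],
}


def authorize_request(path, user, site_rules=SITE_RULES):
    """Longest matching location prefix applies, like nested <location>s."""
    location = max((p for p in site_rules if path.startswith(p)), key=len)
    return is_authorized(site_rules[location], user)
```

The ordering pitfall is worth checking in a real configuration: `[deny *, allow admin]` locks everyone out, including admins, because the deny matches first. One caveat on the "change takes effect immediately" point: if roles are cached in the client cookie (ASP.NET's `cacheRolesInCookie`), a demotion only takes hold once that cookie is refreshed or expires, so for privilege changes that must apply at once, read roles from the server-side store.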
ashish-1983
Contributor
4879 Points
1257 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 12:54 PM
Hi there rtpHarry...
Do you think forms authentication is breakable?
Because as far as I've learned, I know the tickets are generated and stored in the cookie in encrypted format,
but still some guy on this forum told me that it is not that secure.
Instead, that guy uses Windows authentication.
So what do you think, which one is more secure?
Answer me this one...
I've got one more, which is huge...!
Gridview
Jquery
Asp.net
Fun !
NNM
Participant
1414 Points
559 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 01:49 PM
Personally, I always opt for the "own security system".
It's way more interesting to hack a system being used by thousands of blindly confident programmers than a unique system for one web application... Depending on the configuration, it will probably be easier to hack something "standard" than "something else, to be determined".
I'd rather take my own method than rely on something that someone else made for the masses when it comes to security.
Marked as answer by rsegecin on Dec 23, 2009 08:51 PM
========== Build: 1 succeeded or up-to-date, 0 failed, 0 skipped ==========
I'll always mark your post(s) as answer when it is!
guenavan
Contributor
4306 Points
1695 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 01:58 PM
He is rtpHarry.
I believe this does not make any sense out of the context in which it was said
and out of a comparison with the available alternatives, juxtaposed
against the available resources (time, budget, objectives, needs, etc.).
Can you give the link?
Was it mine,
http://forums.asp.net/p/1505474/3572788.aspx#3574090
?
I did not speak about my solution.
I said that I have my home internet account from my ISP
where Windows Authentication is being used.
Neither solution is secure as long as you generate and pass around credentials.
In secure solutions there is neither access to the reading of credentials, nor are they produced by software.
But everything should be understood in its own context and in the interplay of many factors.
I can give you one example.
In WW2, the Germans always destroyed 3-5 tanks of their enemies per each of their own tanks lost.
But the winner was the one who produced 6 tanks per each tank of theirs produced.
ashish-1983
Contributor
4879 Points
1257 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 02:33 PM
So that guy was you...!
You said forms authentication is not secure...
Sometimes I feel like you are just bluffing, man...
If forms authentication is not secure, then why are people using that crap?
That is the only reason I need to ask people, man...
because I'm using forms authentication in my project...
At least give me some proof which makes sense that forms authentication is not secure.
guenavan
Contributor
4306 Points
1695 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 03:25 PM
is accepted only in the form of going and breaking your system "because you love hackers.."?
Or may it be in some more peaceful way?
rtpHarry
All-Star
56620 Points
8958 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 04:58 PM
Let's take a look at it:
If you rely on the existing, standardised technology, then what are the facts?
Code has been built by security experts
Code has been scrutinized by thousands of developers
You save a bunch of development time
You can integrate with many of the other features of the language
You run a risk that a new hole could be exposed in the underlying technology
Hackers could use social engineering to trick people into giving out their passwords, or guess them
If you roll your own:
Code has been built by a beginner in the subject
Code has only been scrutinized by yourself
You have to both write the code initially and then maintain it over time
You won't be able to integrate with the ASP.NET features (unless you follow the ASP.NET provider model, but I don't think that's what is being discussed here)
You will still be at risk if a security hole is found in the underlying technology
Hackers could still use social engineering / guessing of passwords
If you have a really high security website that you need to tighten security on, then you can take the following measures with the built-in ASP.NET security to tighten it up even further:
Put an SSL certificate on the login page / admin area
Strengthen the minimum password requirements to your own specification using a regex
Reduce the number of failed attempts a user gets before being locked out
The question about Windows auth is moot because it's not an option for the general public, only where you have a closed audience such as an intranet where you can validate the login credentials against an Active Directory server.
Marked as answer by rsegecin on Dec 23, 2009 08:52 PM
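Two of the tightening measures listed above, the password strength regex and the failed-attempt lockout, modelled as an added example in Python rather than the SqlMembershipProvider itself. The numbers mirror the provider defaults as I know them (five invalid attempts within a ten-minute window locks the account until an administrator unlocks it); the particular regex, the PBKDF2 password hashing and the `UserStore` class are this example's own choices, not ASP.NET API.

```python
"""Password strength policy and failed-login lockout with an attempt window.

Added example (Python), not ASP.NET's SqlMembershipProvider. Defaults mirror
the provider's maxInvalidPasswordAttempts=5 and passwordAttemptWindow=10 min;
the regex, PBKDF2 hashing and UserStore class are this example's own.
"""
import hashlib
import hmac
import os
import re

MAX_INVALID_ATTEMPTS = 5           # maxInvalidPasswordAttempts
ATTEMPT_WINDOW_SECONDS = 10 * 60   # passwordAttemptWindow
# passwordStrengthRegularExpression: 10+ chars with lower, upper, digit, symbol
PASSWORD_REGEX = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{10,}$")


def password_is_strong(password: str) -> bool:
    return PASSWORD_REGEX.match(password) is not None


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked user table does not yield passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}

    def create_user(self, name: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": _hash(password, salt),
                             "failures": 0, "window_start": None, "locked": False}

    def validate_user(self, name: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad_password' or 'locked_out'. Unknown names get
        'bad_password' so the response does not reveal which accounts exist."""
        user = self._users.get(name)
        if user is None:
            return "bad_password"
        if user["locked"]:
            return "locked_out"  # even a correct password is refused
        if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            user["failures"], user["window_start"] = 0, None
            return "ok"
        # Failures count within a window; a failure after the window restarts it.
        if user["window_start"] is None or now - user["window_start"] > ATTEMPT_WINDOW_SECONDS:
            user["failures"], user["window_start"] = 0, now
        user["failures"] += 1
        if user["failures"] >= MAX_INVALID_ATTEMPTS:
            user["locked"] = True
            return "locked_out"
        return "bad_password"

    def unlock_user(self, name: str) -> None:
        """Administrative reset, like MembershipUser.UnlockUser()."""
        user = self._users[name]
        user["locked"], user["failures"], user["window_start"] = False, 0, None
```

The lockout counter is the check to get right: it must refuse a correct password once the account is locked, and it must not reset on every failed attempt, otherwise an attacker can pace guesses just inside the window indefinitely. Lockout also hands an attacker a denial-of-service lever against known user names, so keep the unlock path cheap for support staff.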
rsegecin
Member
232 Points
253 Posts
Re: Your own security system vs ASP.Net's ...
Dec 23, 2009 09:22 PM
I think that I'll do as rtpHarry suggested and get to know more about the built-in ASP.NET authentication and use it, even though it's tempting for me to build my own for the same reason NNM exposed. guenavan, thank you, the link you gave proved everything.
Thank you all very much.