views:

104

answers:

4

I created a web service that I want to make more secure by using forms authentication. I added the following code:

    [WebMethod(Description = "Login function returns true for success and false for fail.", EnableSession = true)]
    public bool Login(string Username, string Password)
    {            
        return User.Validate(Username, Password);        
    }

My User.Validate function does all the authentication and works fine but I am not sure if it is secure passing the username and password to the web service. Is this any less secure than when a username and password field are submitted through a normal web form without SSL?

+1  A: 

Your web method is no less secure than a normal web form without SSL. Both are basic POST entries (you could make them GETs, but POST is most likely) that send their payload contents (Username, Password) in clear text.

Just a comment: not certain about your strategy of making your web service more secure by adding an authentication method that returns a simple boolean. Most authentication schemes will require the use of a session or authentication token that must be carried around by the client. In a web browser, this is automatic through cookies and such; it requires active management for most clients consuming a web service.

jro
Thanks thats pretty much what I thought. Everything should use ssl if I don't want it sent in clear text.BTW The webservice is to be consumed by a flash app. The boolean return is just to let it know if the user has been validated. the rest of the methods then check IsAuthenticated before returning anything.
Mike
A: 

Depends who you need to trust. Client, Transport and/or Server.

  • Client needs to know the password to enter, so not a real problem.
  • Transport can (and should) be encrypted using HTTPS - HTTP is not any good.
  • Server - do you trust the people running the server? Will users use the same passord on the server as in thier company (giving server owner possible password to try to attack you company account)?

    A good sanity check for security of the server is if you are offering a change password page or not. Any web-site that allows the user to change the password, will send the password over the line and it will be available in clear text on the server (can be encrypted on the way). This could be avoided, but I have yet to find a site that does it.

    Cheers,

Thies
+3  A: 

Is this any less secure than when a username and password field are submitted through a normal web form without SSL?

That's damnation with faint praise. Submitting a password without SSL really isn't secure.

Anyway, it seems like it might be a good idea to start with the basics. Does that article answer what I think is your actual question ("How should I do this correctly?")?

Craig Stuntz
A: 

Well, passing password is not secure if SSL is not used. Also, if the service is exposing multiple methods then user has to enter the username and password for every method call or the calling application has to persist this information in some place and might lead to other vulnerabilities.

To avoid all these problems and one of the right way to secure a service is to use something similar to the OAuth protocol. This protocol exchanges the username password for request token and then exchanges this request token for access token. Subsequent calls to the webservice will use the access token and not the username password.

Ramesh