tags:

views:

183

answers:

1
+1  Q: 

ASP.NET sessions and custom authentication

I'm building a web site that will acts as a client to a persistant server process. ASP.NET will communicate with the server using .NET Remoting. The server is used by other clients as well (thick WPF clients and automated processes) and already has methods for password based authentication, authorization and sessions. The way I intend to build this is to require an ASP.NET session for all pages, and keep a remoted object in the server side session state that corresponds to a session in the backend server. I'll build a login page that passes on the credentials to the remoted session object which will keep track of the authentication status of the session. I hope all that made sense. Two questions:

  • Is it safe to rely only on the ASP.NET session to ensure that a request is authenticated, or do I need to add some authentication cookie on top of this as well? The site will contain sensitive material and all pages will require HTTPS, so the session key should not be possible to pick up by a third party (at least not more so than an authentication cookie).

  • How do I incorporate this with the ASP.NET authentication infrastructure? In specific, I want the HttpRequest.IsAuthenticated to be true if the server thinks that the session is authenticated and the Page.User principal to describe the currently authenticated user, again as seen from the server.

Thanks

+1  A: 

The ASP.Net Forms Authentication will do everything you need.

First off, it takes care of setting a secure authentication cookie for you, so you don't need to worry about that. It is as safe as any other session-based authentication token (in other words, it's open to session hijacking, but otherwise considered safe), but since you're using HTTPS, session hijacking cannot be performed, so you're safe all around.

HttpRequest.IsAuthenticated will be true when the FormsAuthentication is successfully performed. You'll likely need to write a custom MembershipProvider that will authenticate against your user store, fetch the user name and the back-end session object, and store them to session when the authentication succeeds. Writing a custom provider is very simple, there are lots of great examples that should cover what you need.

Here's a basic example.

womp  2009-12-06 06:56:36

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps