Hi, currently I am looking at securing our web services. At the moment we are not using WCF, so this is not an option. One approach I have seen and implemented locally fairly easily was the approach described in the article:

http://www.codeproject.com/KB/aspnet/wsFormsAuthentication.aspx

Which describes adding an HttpModule which prompts for user credentials if the user browses to any pages (web services) which are contained in a services folder. Does anyone see any way that this security could fall down and could be bypassed, etc.? I'm really just trying to decide whether this is a valid approach to take or not.

Thanks

+1  A: 

Seems a bit clumsy to have a person browse to a page in order to use a web service, which is typically done programmatically.

You can simply hide your web services behind forms authentication, and have an authentication endpoint that sets the forms ticket.

The service client would then just hang on to the CookieContainer and use it for subsequent requests.

Whatever you do, you must ensure that any pipe that has credentials going through it is secured via SSL.

Sky Sanders
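
A client along the lines the answer describes, as an added example that is not part of the original answer or the linked article: it logs in once over HTTPS, keeps a single `CookieContainer`, and reuses the ticket for later calls. The `auth/login` path and the `username`/`password` field names are hypothetical, and the login endpoint is assumed to answer 200 rather than redirect.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example: every path and form field name below is a hypothetical placeholder.
sealed class ServiceClient : IDisposable
{
    private readonly CookieContainer _cookies = new CookieContainer();
    private readonly HttpClient _http;

    public ServiceClient(Uri baseAddress) // must end with "/" so relative paths resolve
    {
        // Refuse plain HTTP: credentials and the ticket cookie must only travel over SSL/TLS.
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Base address must use https.", nameof(baseAddress));
        var handler = new HttpClientHandler
        {
            CookieContainer = _cookies,  // the one container reused for every request
            AllowAutoRedirect = false    // a 302 to the login page must fail, not return login HTML
        };
        _http = new HttpClient(handler) { BaseAddress = baseAddress };
    }

    public async Task LoginAsync(string user, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = user, ["password"] = password   // hypothetical field names
        });
        using (var resp = await _http.PostAsync("auth/login", form)) // hypothetical endpoint
            resp.EnsureSuccessStatusCode();
        // ".ASPXAUTH" is the ASP.NET default ticket cookie name; the site may configure another.
        Cookie ticket = _cookies.GetCookies(_http.BaseAddress)[".ASPXAUTH"];
        if (ticket == null || !ticket.Secure)
            throw new InvalidOperationException("No forms ticket marked Secure was issued.");
    }

    public async Task<string> CallAsync(string relativePath)
    {
        using (var resp = await _http.GetAsync(relativePath))
        {
            resp.EnsureSuccessStatusCode(); // unauthenticated calls surface as an exception
            return await resp.Content.ReadAsStringAsync();
        }
    }

    public void Dispose() => _http.Dispose();
}
```

The `Secure` check only passes when the site issues the ticket with `requireSSL="true"` on the `<forms>` element, which keeps the cookie from being sent over plain HTTP.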