views:

99

answers:

4

I have created a site in ASP.NET 3.5 & I have only 2 or 3 user login IDs who can login to the website.

What would be the best way to save these login details? Which of these approaches, or others, would be most suitable?

  1. Using Forms Authentication, and saving credentials (username and password) in web.config
  2. to create a text file in directory and modify it

Which approach is best from a security and maintenance perspective? What other approaches are suitable for a login system for ASP.NET?

+8  A: 

Use the default ASP.NET Sql Membership Provider. The link will show you how to used it and get it configured.

Esteban Araya
+1. Don't reinvent the wheel when it comes to security.
Craig Stuntz
A: 

With ASP.NET you can use some of the built-in/provided authentication providers that let you manage the users in a database and it uses proper guidelines like hashing passwords, etc. by default.

Jared Peless
A: 

You could use ASP.NET membership. Even though you won't have many users, it handles all of the authentication details for you.

derek
+1  A: 

Do you already have a database? If so, use forms authentication and ASP.NET membership like everyone says. It is real simple to integrate into your current database (assuming it's sql server - i don't know about others). I realize adding a DB for 2 or 3 users isn't always an option due to budget or whatever so you can use forms authentication and store the user in the web.config. I've done this in the past and it is very simple.

Your web.config will look like:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx">
        <credentials passwordFormat="Clear">
            <user name="myUser" password="password" />
        </credentials>
    </forms>
</authentication>

Then you can use the built in login controls. If you do it this way you need to implement the Autenticate event.

    protected void Login1_Authenticate(object sender, System.Web.UI.WebControls.AuthenticateEventArgs e)
    {
        string UserName = Login1.UserName;
        string Password = Login1.Password;

        if (FormsAuthentication.Authenticate(UserName, Password))
        {
            e.Authenticated = true;
        }
        else
        {
            e.Authenticated = false;
        }
    }

Of course this isn't the most secure way to go about this, and you'll probably want to at least look at encrypting the credentials in the web.config, but it is simple and works when a database isn't an option.

senloe
I would also recomment that solution. Best time spendt/gain relation, if the users don't change regulary
citronas