views: 75

answers: 1

Hello,

Imagine you have an ASP.NET based website that users have to authenticate with to get access. The user data (such as username, password and other information relevant for the website) is stored in a Microsoft SQL database.

I know that it is possible to write a custom membership provider to create my own authentication method.

However, what is the best way to

  • ensure that the username and password cannot be intercepted by listening to the network traffic in between the client and the server
  • store the data in a way so that only the user himself can access it and not even any administrator is able to see this information

If there is any sort of tutorial, howto, screencast or whatever you can point me to or you have even a simple explanation, that would be great!

Thanks, Chris.

+5  A: 

To secure the usernames and passwords on the network have your users connect via SSL.

To ensure passwords can't be read in the database, hash the passwords.

Chris Pebble
Indeed, set the default ASP.NET membership provider to use hashed passwords (http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.passwordformat.aspx) and disable password retrieval (http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.enablepasswordretrieval.aspx). These can easily be set in the web.config (http://msdn.microsoft.com/en-us/library/whae3t94.aspx).
Zhaph - Ben Duguid
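A web.config fragment that puts the answer and comment above into practice (SSL-only forms authentication and cookies, hashed password storage, retrieval disabled), added here as an illustration rather than code from either poster. The connection string, provider name and login URL are placeholder values; the commented-out line shows the weak setting the comment warns against.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at the membership database. -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=AppDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth over SSL only, so the login form and the auth cookie never travel in clear text. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30" />
    </authentication>

    <!-- Cookies are marked Secure and HttpOnly site-wide. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <membership defaultProvider="HashedSqlMembership">
      <providers>
        <clear />
        <add name="HashedSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
        <!-- Weak setting to avoid: passwordFormat="Clear" (or "Encrypted" with
             enablePasswordRetrieval="true") lets anyone with database or config
             access recover the original password. -->
      </providers>
    </membership>
  </system.web>
</configuration>
```

With passwordFormat="Hashed" the provider stores a per-user salt and hash, so an administrator reading the table sees neither the password nor anything that can be decrypted back to it; the remaining profile data the question mentions is still readable by whoever can query the database.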