views: 69

answers: 3

Even though there are many good CMS tools out there, I've decided to roll my own tools for my website to get some hands-on experience. The only thing that is currently eluding me is how to add authentication to secure the administrative tools.

I'm the only one who will be using the administrative tools, so I don't need something as complex as a full-blown log-in and registration system. However, I also don't want to rely on security-through-obscurity and use random page names and such to hide the tools.

What are my options?

+1  A: 

OpenID is probably your best bet.

To utilize it for one person as you suggest, just check the username that is authenticated. Yeah, that would amount to hardcoding, but if we're creating a system with only one valid login name, there's no need for anything more complicated.

But creating the alternative shouldn't be that bad. You could also just create a table of roles, and do a query against that table to see if the currently logged in user is an admin. If you want to be fancier later, you can later add different users and roles.

How the users and roles get into the table is up to you.

altCognito
I've read about OpenID for user account management, but without hardcoding values, is there a good way to utilize OpenID for one person? Although I will investigate some more, if you have experience in this, I would appreciate some elaboration.
Thomas Owens
Interesting: http://stackoverflow.com/questions/263094/is-openid-a-flawed-concept http://stackoverflow.com/questions/696210/to-use-openid-or-not-to-use http://stackoverflow.com/questions/60436/what-is-the-benefit-of-using-only-openid-authentication-on-a-site
Kriem
+1  A: 

1) Simply use "WWW-Authenticate: Basic"; see Wikipedia for an idea and the related RFC for details.
2) Enable SSL to ensure your cleartext password is encrypted.
SSL is quite standard on web servers. You can even self-sign your certificate.

Derick
I'll look into that, but I'm not entirely sure what my web host supports in this regard.
Thomas Owens
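Derick's two steps (a Basic challenge, accepted only over SSL) as an added example, not code from the thread: a server-side check that keeps the single admin's password as a salted hash, compares in constant time, and rejects credentials presented on a non-TLS request. The realm name, the sample credentials and the `is_https` flag are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "admin-tools"  # assumed realm name shown in the browser prompt

# Constructed sample credential: the one admin's password is stored only as a
# salted PBKDF2 hash (hypothetical values), never in cleartext in the code.
_SALT = os.urandom(16)
_ITERATIONS = 200_000
_ADMIN_USER = b"admin"
_ADMIN_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, _ITERATIONS)


def encode_basic(user: str, password: str) -> str:
    """What the browser sends back after the 401 challenge (base64, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _verify_password(password: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, _SALT, _ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, _ADMIN_HASH)


def check_basic_auth(headers: dict, is_https: bool) -> bool:
    """True only if the request is over TLS and carries the admin's credentials."""
    if not is_https:
        # Basic only base64-encodes the password, so refuse it without SSL/TLS.
        return False
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    user, sep, password = decoded.partition(b":")
    if not sep:
        return False
    # Evaluate both checks before combining so a wrong user name costs the same time.
    user_ok = hmac.compare_digest(user, _ADMIN_USER)
    pw_ok = _verify_password(password)
    return user_ok and pw_ok


def challenge_headers() -> dict:
    """Headers for the 401 response that makes the browser ask for credentials."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
```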
A: 

This will depend in part on what platform will be used by you and your web host. A given platform will likely offer one set of choices that will be easier to access than others.

For instance, ASP.NET running inside of IIS offers Forms, Basic and Windows (NTLM) authentication, as well as certificate-based authentication with the ability to map client certificates to Windows users.

You could certainly implement another authorization schema in an ASP.NET application, and many do. But there happens to be this set of out-of-the-box authentication schemes that you would not have to implement if this were your platform. I expect this is true of any other platform, including the Linux-based platforms.

Be sure to find out what's available out of the box, and what can easily be added, before writing your own.

John Saunders