views: 46 | answers: 2

Hello,

I'm working on a project where I run a server that is basically a .NET C# application with a SQL Server Express DB and will now use WCF for the web service implementation, and then there are Silverlight clients that different companies will use to interact with this server. How do I implement user authentication in a good and reliable way? I've read a lot of posts here that use ASP on the server side, but my server isn't an ASP server. Should I implement it anyway, or are there any other options?

My naive thought was something like that:

  • Username, password and company are stored as a credential in the DB.
  • The Silverlight client asks for those credentials on startup and sends them to the server to get a confirmation.
  • From then on those credentials are included in every communication between client and server, and the server confirms them every time.

Is this too naive and insecure?

Thank you

twickl

A: 

You could go with OpenId (http://openid.net/)

Raj More
+1  A: 

Since you're using a basic web protocol, you could consider using an HTTPS channel and

1) embedding the credentials in the URL - as long as you're using HTTPS this is OK

2) getting a unique identifier back from the service on initial validation of credentials, and then requiring this identifier in all future calls - saves on the db lookup, but you should still stay in https - if you use http, then it's by definition insecure

Mark Mullin
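The scheme in the question (raw credentials on every call) and the second answer's alternative (validate once, then require an opaque identifier) can be contrasted in plain C#. The following is an added example, not code from the question or either answer: an `AuthService` class that a WCF service implementation could delegate to. It stands in for the SQL Server table with an in-memory dictionary, stores only a salted PBKDF2 hash of each password, and issues a random session token with an expiry. All class and member names are hypothetical; the WCF contract, binding and transport-security configuration are left out.

```csharp
// Added example (not from the question or answers). Hypothetical names;
// the in-memory dictionaries stand in for the SQL Server Express tables.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class UserRecord
{
    public string Company;
    public string Username;
    public byte[] Salt;
    public byte[] PasswordHash; // PBKDF2 output, never the plain-text password
}

public sealed class Session
{
    public string Company;
    public string Username;
    public DateTime ExpiresUtc;
}

public sealed class AuthService
{
    private const int Iterations = 100000;
    private readonly Dictionary<string, UserRecord> users = new Dictionary<string, UserRecord>();
    private readonly Dictionary<string, Session> sessions = new Dictionary<string, Session>();
    private readonly RandomNumberGenerator rng = RandomNumberGenerator.Create();
    private readonly TimeSpan sessionLifetime = TimeSpan.FromMinutes(30);

    private static string Key(string company, string username) => company + "\n" + username;

    // Called once when an account is created: persist salt + hash, not the password.
    public void Register(string company, string username, string password)
    {
        var salt = new byte[16];
        rng.GetBytes(salt);
        users[Key(company, username)] = new UserRecord
        {
            Company = company, Username = username,
            Salt = salt, PasswordHash = Hash(password, salt)
        };
    }

    // Credentials are checked exactly once; the caller gets back an opaque token.
    public string Login(string company, string username, string password)
    {
        UserRecord user;
        if (!users.TryGetValue(Key(company, username), out user)) return null;
        if (!FixedTimeEquals(Hash(password, user.Salt), user.PasswordHash)) return null;

        var tokenBytes = new byte[32];          // 256 bits of CSPRNG output
        rng.GetBytes(tokenBytes);
        var token = Convert.ToBase64String(tokenBytes);
        sessions[token] = new Session
        {
            Company = company, Username = username,
            ExpiresUtc = DateTime.UtcNow + sessionLifetime
        };
        return token;
    }

    // Every later service call carries the token instead of the password.
    // Returns the session on success, null if the token is unknown or expired.
    public Session Validate(string token)
    {
        Session s;
        if (token == null || !sessions.TryGetValue(token, out s)) return null;
        if (s.ExpiresUtc <= DateTime.UtcNow) { sessions.Remove(token); return null; }
        return s;
    }

    public void Logout(string token) { sessions.Remove(token); }

    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Touch every byte so the comparison time does not reveal where a mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var auth = new AuthService();
        auth.Register("Acme", "alice", "correct horse battery staple"); // constructed sample account
        string token = auth.Login("Acme", "alice", "correct horse battery staple");
        Console.WriteLine(token != null ? "login ok" : "login failed");
        Console.WriteLine(auth.Validate(token) != null ? "token accepted" : "token rejected");
        Console.WriteLine(auth.Login("Acme", "alice", "wrong") == null ? "bad password rejected" : "BUG");
        auth.Logout(token);
        Console.WriteLine(auth.Validate(token) == null ? "token revoked" : "BUG");
    }
}
```

The token is a bearer secret, so the second answer's condition still holds: the WCF binding must use transport security (HTTPS) for both the login call and every call that carries the token. The example is written so the token travels as a message parameter or header rather than in the URL, which keeps it out of web-server and proxy access logs. The in-memory session dictionary is enough to show the pattern, but it is lost on restart and not shared between hosts; a real deployment would keep sessions in the database with the same expiry check.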