authentication

The Definitive Guide To Website Authentication

Form Based Authentication For Websites Please help us create the definitive resource for this topic. We believe that stackoverflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form Based Authentication For Websites" should be a fine t...

Checklist for IIS 6/ASP.NET Windows Authentication?

I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7. I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct d...

How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?

First, let's get the security considerations out of the way. I'm using simple authentication under Apache for a one-off, internal use only, non-internet connected LAN, PHP web app. How can I get the HTTP authenticated user name in PHP?...

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Most recent edits in bold I am using the .net HttpListener class, but I won't be running on IIS and am not using ASP.net. This web site describes what code to actually use to implement SSL with asp.net and this site describes how to set up the certificates (although I'm not sure if it works only for IIS or not). When I the class docu...

ASP.NET authentication: user name Vs User ID

So in my simple learning website, I use the built in ASP.NET authentication system. I am adding now a user table to save stuff like his zip, DOB etc. My question is: In the new table, should the key be the user name (the string) or the user ID which is that GUID looking number they use in the asp_ tables. If the best practice is to...

What to use for login ID?

We are in the early design stages of a major rewrite of our product. Right now our customers are mostly businesses. We manage accounts. User names for an account are each on their own namespace but it means that we can't move assets between servers. We want to move to a single namespace. But that brings the problem of unique user names....

OpenID: which provider should I recommend to my users?

Have you used OpenID in anger? I'm going to be using OpenID for authentication on my site. Which provider should I recommend to my users? I'm thinking, based on the feedback that the OpenID auth is getting on StackOverflow, that I'd want to recommend one that does attribute exchange properly. So: who's that? ...

OpenID Attribute Exchange - should I use it?

My website will be using only OpenID for authentication. I'd like to pull user details down via attribute exchange, but attribute exchange seems to have caused a lot of grief for StackOverflow. What is the current state of play in the industry? Does any OpenID provider do a decent job of attribute exchange? Should I just steer away f...

OpenID authentication in Ruby on Rails

I am a neophyte with Ruby on Rails but I've created a couple of small apps. Anyway, I'm really interested in OpenID and I would like to implement OpenID authentication and maybe some Sreg stuff in a Rails app. All of the research that I have done has come up with articles that are out of date or just don't work for me. Since I'm so new t...

Only accepting certain ajax requests from authenticated users

What's the best practice for making sure that certain ajax calls to certain pages are only accepted from authenticated users? For example: Let's say that I have a main page called blog.php (I know, creativity abounds). Let's also say that there is a page called delete.php which looks for the parameter post_id and then deletes some ent...

What's the best way to authenticate over WCF?

What's the best way to implement authentication over WCF? I'd prefer to not use WS-* as it needs to be transport independent. Should I "roll my own"? Is there any guidance for doing that (articles/blog posts)? Or is there some way to (and should I) use the built in ASP.NET Membership and Profile providers on the server side? ...

How would you implement FORM based authentication without a backing database?

I have a PHP script that runs as a CGI program and the HTTP Authenticate header gets eaten and spit out. So I would like to implement some kind of FORM based authentication. As an added constraint, there is no database so no session data can be stored. I am very open to having a master username and password. I just need to protect the a...

Retrieving the PC Name of a Client? (Windows Auth)

I have an ASP.net Application that runs on the internal network (well, actually it's running on Sharepoint 2007). I just wonder: Can I somehow retrieve the name of the PC the Client is using? I would have access to Active Directory if that helps. Thing is, people use multiple PCs, so I cannot use any manual/static mapping. If possible, ...

Forms Authentication across Applications

I'm working on an internal web based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application. I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application...

What have you used Windows CardSpace for, if anything?

I'm doing some funky authentication work (and yes, I know, open id is awesome, but then again myopenid doesn't work right at this moment!). Stumbling across Windows CardSpace I was wondering if anyone has used it in a real production system. If you have, what were the pros and cons for you? ...

How do I use NTLM authentication with Active Directory

I am trying to implement NTLM authentication on one of our internal sites and everything is working. The one piece of the puzzle I do not have is how to take the information from NTLM and authenticate with Active Directory. There is a good description of NTLM and the encryption used for the passwords, which I used to implement this, but...

Authenticate on an ASP.Net Forms Authorization website from a console app

I'm trying to build a C# console application to automate grabbing certain files from our website, mostly to save myself clicks and - frankly - just to have done it. But I've hit a snag for which I've been unable to find a working solution. The website to which I'm trying to connect uses ASP.Net forms authorization, and ...

Best Solution For Authentication in Ruby on Rails

I'm looking for a pre-built solution I can use in my RoR application. I'm ideally looking for something similar to the ASP.NET Forms authentication that provides email validation, sign-up controls, and allows users to reset their passwords. Oh yeah, and easily allows me to pull the user that is currently logged into the application. I...

Why can't I connect to my CAS server with Perl's AuthCAS?

I'm attempting to use an existing CAS server to authenticate login for a Perl CGI web script and am using the AuthCAS Perl module (v 1.3.1). I can connect to the CAS server to get the service ticket but when I try to connect to validate the ticket my script returns with the following error from the IO::Socket::SSL module: 500 Can't co...

How can I authenticate using client credentials in WCF just once?

What is the best approach to make sure you only need to authenticate once when using an API built on WCF? My current bindings and behaviors are listed below <bindings> <wsHttpBinding> <binding name="wsHttp"> <security mode="TransportWithMessageCredential"> <transport/> <message clientCredentialType="UserName" negoti...