Friday, 21 December 2018

Typical usage scenarios

You should consider Forms authentication when:
· User names and passwords are stored somewhere other than Windows Accounts. Note that it is possible to use Forms authentication with Windows Accounts.
· You are deploying your application over the Internet.
· You need to support all browsers and client operating systems.
· You want to provide your own user interface form as a logon page.
You should not consider Forms authentication when:
· You are deploying an application on a corporate intranet and can take advantage of Integrated Windows authentication.
· You are unable to perform programmatic access to verify the user name and password.
Other considerations
You should also consider the following when choosing Forms authentication.
Making Forms authentication secure
If users are submitting passwords via the logon page, you can secure the channel using SSL to prevent passwords from being stolen. If you are using cookies to maintain the identity of the user between requests, you should be aware of the potential security risk of a hacker "stealing" the user's cookie using a network-monitoring program. The only true way to make the site completely secure when using cookies is to use SSL for all communications with the site. For most commerce sites, this will be impractical due to the significant performance overhead. With ASP.NET you can have the server regenerate cookies at timed intervals. This policy of cookie expiration is designed to limit the time during which a stolen cookie can be used to access the site.
Performance and scalability
You need to consider the performance implications of authenticating users when designing a high-volume Web site. If you expect large numbers of users to log on concurrently, you need to make the credential verification as fast as possible.
If you are using SSL, there is a noticeable performance hit due to the additional encryption steps that must be performed. You may need to separate your servers that are performing the secure logon from the content servers in a Web farm to achieve your performance requirements.
Checking the cookie exists
If you are using .NET, the process to check that a cookie exists is performed automatically. However, without .NET, you have two basic approaches:
· You can implement an ISAPI filter that confirms the presence of a cookie on a client's request, which proves that the client has been authenticated. If the cookie exists, you can allow the request to proceed. If the cookie does not exist, you can redirect the client to the logon page. An ISAPI filter such as the one described is implemented by Microsoft® Commerce Server 2000.
· You can write code at the start of each Web page that checks for the existence of the cookie or some other custom value that is passed by the Web page. If the token is not present, the code can redirect the user to the logon page. This is a simple implementation; however, you may not be able to protect resources other than ASP pages. For example, image files might still be accessible.
If you are using ASP.NET, you can take advantage of the built-in functionality provided by Forms authentication.
Using Forms authentication with Windows accounts
If you are deploying an Internet application and your users have Windows accounts on the server, it is possible to use Forms authentication or Forms authentication over SSL as an alternative to using Basic authentication or Digest authentication.
This may not be a good solution if your application is intranet-based and can already take advantage of Integrated Windows authentication. Your corporate security policy also may not approve of users entering their passwords into an HTML form.
Implementation
To implement Forms authentication you must create your own logon page and redirect URL for unauthenticated clients. You must also create your own scheme for account lookup. Using ASP.NET, you can use the following Web.config configuration:
<!-- web.config file -->
<system.web>
   <authentication mode="Forms">
      <!-- loginUrl names your own logon page (placeholder name shown); unauthenticated
           clients are redirected there. If omitted, ASP.NET defaults to login.aspx. -->
      <forms loginUrl="logon.aspx" />
   </authentication>
</system.web>
Because you are implementing your own authentication, you will typically configure IIS for Anonymous authentication.
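The pieces described above (a logon handler that performs your own account lookup, a per-request check that redirects clients without a valid cookie to the logon page, and timed cookie regeneration so that a stolen cookie stops working after a bounded interval) are what ASP.NET's Forms authentication module does for you. The following is an added example, not code from the original article or from ASP.NET, that models the same mechanism in plain Python so it can be run stand-alone. The user store, the signing key, the ticket lifetime, and the function names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side key used to sign tickets (constructed for this example; in ASP.NET the
# machineKey plays this role). It never leaves the server, so a client cannot forge a ticket.
SERVER_KEY = b"example-only-signing-key-do-not-reuse"

# Ticket lifetime in seconds (constructed value); mirrors the timed expiration in the article.
TICKET_LIFETIME = 30 * 60
LOGON_URL = "/logon"

# Constructed credential store: user name -> (salt, PBKDF2 hash of the password).
USERS = {}


def _hash_pw(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(name, password):
    salt = secrets.token_bytes(16)
    USERS[name] = (salt, _hash_pw(salt, password))


def verify_credentials(name, password):
    """Your own account lookup; constant-time compare so timing reveals nothing."""
    rec = USERS.get(name)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _hash_pw(salt, password))


def issue_ticket(name, now):
    """Build a signed ticket: base64(payload) '.' HMAC-SHA256(payload)."""
    payload = json.dumps({"u": name, "iat": now, "exp": now + TICKET_LIFETIME}).encode()
    b64 = base64.urlsafe_b64encode(payload)
    sig = hmac.new(SERVER_KEY, b64, hashlib.sha256).hexdigest()
    return b64.decode() + "." + sig


def read_ticket(cookie, now):
    """Return the payload dict if the cookie is authentic and unexpired, else None."""
    try:
        b64, sig = cookie.split(".", 1)
    except (ValueError, AttributeError):
        return None  # missing or malformed cookie
    expected = hmac.new(SERVER_KEY, b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(b64))
    if now >= payload["exp"]:
        return None  # expired: a stolen copy is no longer usable
    return payload


def login(name, password, now):
    """Logon page handler: returns the cookie value to set, or None on bad credentials."""
    if not verify_credentials(name, password):
        return None
    return issue_ticket(name, now)


def authorize(request_cookie, now):
    """Per-request check, run before any protected resource is served.
    Returns (user, redirect_url, renewed_cookie); exactly one of user/redirect_url is set."""
    ticket = read_ticket(request_cookie, now)
    if ticket is None:
        return None, LOGON_URL, None
    # Timed regeneration: reissue the cookie once more than half its lifetime has elapsed,
    # so an active user keeps working while any copy of the old cookie soon expires.
    renewed = None
    if now - ticket["iat"] > TICKET_LIFETIME / 2:
        renewed = issue_ticket(ticket["u"], now)
    return ticket["u"], None, renewed


if __name__ == "__main__":
    add_user("alice", "correct horse battery")
    cookie = login("alice", "correct horse battery", 1000)
    print(authorize(cookie, 1100))              # ('alice', None, None)
    print(authorize(cookie, 1000 + 40 * 60))    # (None, '/logon', None)
```

Because `authorize` runs before every resource, it protects images and other static files too, which the per-page approach described above cannot; that is the same reason the article prefers the ISAPI-filter or ASP.NET-module approach. Note that the signature only proves the ticket was issued by this server; it does nothing against a cookie captured in transit, which is why the article still recommends SSL for the logon page at minimum.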
For information about implementing SSL, see the following articles.
· "Configuring IIS 5.0 Security" in the Internet Information Services 5.0 Resource Guide
