Securing an asp.net 4.0 website with forms authentication, with user credentials on a remote SQL server
Question
This is my first foray into building a secure web application. It will be on the internet, and it comprises an IIS server (hosted by ISP) and SQL 2008 db (Also hosted by ISP.
As a quick and dirty test I am just using the template in Visual Studio. I have configured authentication by just using the wizard on the ASP.NET configuration tool. However, this creates a database that is hidden within the web app.
I would prefer to keep the user credentials on the SQL server, as it seems like best practice to allow for scalability. However, how do I do this? I have limited access to the database - I can create tables, but don't think I'll be able to run any tools on the server to create the right schema. Can anyone point me in the right direction? Done some googling, but keep seeing ASP.NET 1.1 articles, which makes me think I may be missing something, and there is a better way of doing this in ASP.NET 4.0.
2 answers
solution1
2 2012-05-10 17:34:08
Create a User table in SQL Server that stores user login and password. You can hash the password so that it's not visible even to admins themselves including yourself. Then using LINQ to pull during form authentication to check login name/password against the User table.
You can also use embedded SQL or stored procedure in place of LINQ. However, embdedded SQL is highly unsafe so that leaves stored procedure and Linq. I would prefer using Linq if you are familiar with it. Or using stored procedure which is always the safest.
solution2
1 ACCPTED 2012-05-11 04:51:45
You don't "have to" use the entire ASP.Net Membership framework to use Forms Authentication. It does a lot of the plumbing for you (security, etc), so if you can, it's probably best you use it - more so, if you're getting started.
You can use Forms Authentication with any auth scheme you want (pre-existing or something you create yourself). Here's an overly simplistic sample where you can see that you can even hard-code the auth scheme ( not that you should, but it shows you the possibilities).
Lastly, if you can't run the command line ASP.Net tool aspnet_regsql.exe , the sql scripts to create the schema are in: C:\\Windows\\Microsoft.NET\\Framework\\[Framework version] .
So for .Net 4, it would be: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319
Both install and "uninstall" sql scripts are there - eg
- InstallMembership.sql
- UninstallMembership.sql
... and so on....
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.