Cache Authentication vs Forms Authentication - Thoughts?

[Rbrt]

I am developing a IIS 6.0 / ASP.NET 2.0 database driven web site that will be
used for an in-house application with less than 1,000 potential users and
which will probably never have more than a couple of hundred simultaneous
users at any given time.

While forms authentication provides good tools for handling security for the
site, it is vulnerable to dedicated hackers who can sniff out cookies, or
urls and hijack the site.

I am consdiering using a cache-based authentication method in which I would
instantiate a custom user class object to handles things like log ons, and
store user information and which is then cached on the server with a sliding
expiration using a key consisting of the user's IP address. Every time the
user requests a page, the object can be retrieved from the cache. If it is
not found in the cache, then a redirect at server is used to route them to
the logon form. The advantage of course is that all of this is done on the
server with no client side data dependency other than the IP address.

Has anybody tried this? Anybody have any comments on what might be the
pitfalls of such a scheme?

Thanks for any input.

Robert

 

[Peter Bromberg [C# MVP]]

For an in-house application I see no particular issue with this. Although, if
it is in-house only, I don't understand why the big fear about hacking of
Forms Auth cookies - you already know who all the users are anyway.
--Peter
"Inside every large program, there is a small program trying to get out."
http://www.eggheadcafe.com
http://petesbloggerama.blogspot.com
http://www.blogmetafinder.com

 

[Rbrt]

Good point. The "in-house" includes field staff who travel widely in and
outside of North America. The data is highly confidential and of considerable
interest to my customer's competitors.

 

[Peter Bromberg [C# MVP]]

Well if they are traveling widely how the heck do you propose to ensure
you've got their IP addresses right? If your people are getting sensitive
data it might offer more protection just to encrypt it and make sure that
only the right people have the key.
--
--Peter
"Inside every large program, there is a small program trying to get out."
http://www.eggheadcafe.com
http://petesbloggerama.blogspot.com
http://www.blogmetafinder.com

 

[Scott Roberts]

You're thinking that a "dedicated hacker" won't be able to spoof an IP
address?

Anyway, if you're keen on using IP, why not use regular forms auth then add
logic to global.asax to query IP on each request and perform some logic?

You should probably also check out OpenID.

I don't really see a need to re-invent the wheel.