Intranet Login using ASPdotNET (advice)...

The Eeediot

Hello, folks!

I am trying to design a login script / page for a set of administrative functions on my company's Intranet. I need something that is reasonably secure and I've been trying to rack my brains to come up with a scheme. These functions are for a bunch of look-up tables, a knowledge base, etc. I am looking for a little advice.

I am thinking something along these lines:

default.aspx:
ViewState("Attempt") - count attempt (if > 3 then try again after session expires)
Session("Authenticated") - T or F
Username and Password stored in MSSQL 2000 database
User logs in.
If Session("Authenticated") = T
User gains access to admin pages...

Okay, not a terribly complicated design but how do I limit the scope of the Session object?
How do I set the session to expire in XX minutes?
How do I have the session automatically expire if the user exits their web browser or visits another site?
Should I use a Cache("...") object instead of Session("...") object?

I know these may be trivial to the gurus but I've been trying to find a decent model to follow for my login script.

TIA...
 
Anders Norås [MCAD]

> I am trying to design a login script / page for a set of administrative
> functions on my company's Intranet. I need something that is reasonably
> secure and I've been trying to rack my brains to come up with a scheme.
> These functions are for a bunch of look-up tables, a knowledge base, etc.
> I am looking for a little advice

You should use ASP.NET forms authentication. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
for more information.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/
 
Karl Seguin

Eeediot:
Seems like you might be reinventing the wheel. Much of this functionality
has been partially or completely automated in .Net.

You should read a bit about FormsAuthentication
(http://www.4guysfromrolla.com/webtech/110701-1.shtml or a google search)

Also, you mentioned this was an intranet site, so WindowsAuthentication
might be even less work

Other than that, everything you are doing seems ok. What do you mean by
limit the scope of the session object? It's currently limited to a specific
user, dunno how much narrower or wider you want/need the scope to be...but
chances are you don't.

You can set the Timeout property in the web.config: <sessionState
mode="InProc" timeout="10" /> (in minutes)
The only way to make the session automatically quit is to use javascript and
something like the onunload event
(http://msdn.microsoft.com/workshop/author/dhtml/reference/events/onunload.asp);
when the event fires, open up a popup which logs the user out and close
the popup at the end of processing.

You should use the Session object, the Cache object has a different
purpose... Having said that, I normally use formsauthentication which
maintains a cookie on the client (session does the same thing) and store a
userid in the cookie, I then use the Cache object to store the user
information....if you go your custom method though, session object makes
more sense 'cuz you'll already be making use of it

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/
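
A web.config sketch of the forms-authentication setup the two replies above recommend, added here as an example and not taken from any poster's code. The page name login.aspx, the admin folder, the cookie name, and HTTPS being available on the intranet (needed for requireSSL) are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config sketch for an intranet admin area.
     Assumed names (not from the thread): login.aspx, the admin folder,
     the cookie name .INTRANETADMIN. -->
<configuration>
  <system.web>
    <!-- Forms authentication issues an encrypted, integrity-checked ticket
         cookie in place of a hand-rolled Session("Authenticated") flag.
         On a domain intranet, mode="Windows" is the alternative mentioned
         in the thread and needs no login page at all. -->
    <authentication mode="Forms">
      <forms name=".INTRANETADMIN"
             loginUrl="login.aspx"
             protection="All"
             timeout="10"
             slidingExpiration="true"
             requireSSL="true"
             path="/" />
    </authentication>

    <!-- The rest of the site stays open to everyone. -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Session data is dropped after 10 idle minutes (value is in minutes).
         Keep it in step with the forms ticket timeout above. -->
    <sessionState mode="InProc" timeout="10" />
  </system.web>

  <!-- Only the admin pages require a login: "?" means anonymous users. -->
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the login page only has to check the credentials and call FormsAuthentication.RedirectFromLoginPage(userName, false); passing false issues a non-persistent cookie, which the browser discards when it is closed.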
 
Guest

Hi,

To learn more about security best practices with asp.net you should consult
the patterns and practices web site. I have posted the url below for you. I
believe that after you read this you will then be able to determine which
method of authentication is best for your model and how to properly implement
it.

I hope this helps.
 
The Eeediot

Thanks for the replies.

Some stuff I didn't quite know about.

That is why I posted to the group...