I am looking for advice in choosing an authentication
scheme.
A little background on what I am doing will help explain
what I am trying to do. We develop and sell a third
party software product which is written in MFC. We are
going to use .NET to mimic the MFC GUI interface and
provide a web interface. The login information for the
interface will come from an existing database, not from
the Windows accounts.
One requirement that I am trying to stick to is to
provide a reasonable level of security. That means not
sending passwords in plain text and not storing them in
plain text in the database. In order to simplify our
security issues, we are willing to have our interface
installed as an intranet web app and recommend that they
either use VPN to connect remotely or configure extra
security measures such as SSL before allowing access over
the internet.
Two other requirements that I am trying to stick to are to
not incur extra costs to implement our solution and to
keep the installation seamless (meaning the customer
won't have to do any special configuration). This seems
to rule out using SSL. If we used a third party
Certificate Authority like Verisign, we would be
incurring an extra cost or forcing the customer to. If
we implemented our own certificates, we create extra work
for the customer as he would have to create the
certificate and install a root certificate on each of the
clients in order for the users to be able to access the
site without receiving a warning message.
I have been going back and forth between Forms
Authentication and an ISAPI filter. After learning that
the password would be sent to the ISAPI filter in plain
text, it seems that my best bet may be to use Forms
Authentication with an anonymous user, use JavaScript to
encrypt the credentials before the client returns the
login form, and encrypt the credentials stored in the
cookie.
Any thoughts or suggestions? I appreciate advice from
someone with more experience in these matters.