
So I've read numerous articles on a password system for a web app, and they all seem very confusing. Some say you need to hash your PW's AND establish an https secure connection, others say you just need to hash AND salt your PW's.

I just know, after this has been done millions of times, there's PROBABLY some sort of library out there that can do a bunch of things for me for a password inputted on a client side, and give me something to save securely in my SQL Server 2008 database.

Do I need to worry about all the https secure connection stuff? Can I just make sure I hash the PW correctly? To hash it, do I need any external libraries or can I create a secure user/pw system entirely in .NET?

I've never done this before so any articles, tips, links would be very helpful. Thanks.

slandau

2 Answers


If you don't want to roll your own you can always use ASP.NET Membership.

ASP.NET membership gives you a built-in way to validate and store user credentials. ASP.NET membership therefore helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication by using the ASP.NET login controls to create a complete system for authenticating users.

ASP.NET membership supports facilities for:

  • Creating new users and passwords.

  • Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.

  • Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.

  • Managing passwords, which includes creating, changing, and resetting them. Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.

  • Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.

  • Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store.

Configuring an ASP.NET Application to Use Membership

There's also a project on GitHub called Membership Starter Kit for MVC.

hunter
  • I'd prefer to roll my own as I kind of dislike using these big frameworks for very simple tasks. My site is literally one page, I don't need to control different pages for credentials and things like that. This is awesome - and would work - but I was more hoping for a simple way to set up a system on my own, I just wanted to make sure I was covering all bases correctly. – slandau Sep 09 '11 at 17:32
  • I'd also recommend reading http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication – Erik Philips Sep 09 '11 at 17:33
  • 2
    "I just know, after this has been done millions of times, there's PROBABLY some sort of library out there " I thought that's what you were looking for? – hunter Sep 09 '11 at 17:33
  • More a library just for the storing and retrieval of a pw, instead of an entire framework for membership. – slandau Sep 09 '11 at 17:38
  • I don't know if salting and hashing passwords is something someone would build a library around since there's really nothing to it. Each user gets a unique salt. Use that salt to hash their password and store it. When they try to log in, look up their user by username/email, hash what they typed in using that user's salt, and if it matches, log them in. – hunter Sep 09 '11 at 17:42
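The per-user salt-and-hash flow hunter lays out in the comments above, written out as an added C# example for the .NET/SQL Server setup the question describes (this is not code from the question, the answers, or any library the page names). It uses PBKDF2 via Rfc2898DeriveBytes instead of a bare hash so that guessing against a leaked hash is slow; the iteration count, output sizes and the fixed-time comparison helper are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the question or answers: per-user salted hashing
// as hunter outlines in the comments. PBKDF2 (Rfc2898DeriveBytes) replaces a
// bare hash so offline guessing against a leaked hash is slow. The iteration
// count and sizes are assumptions, not values from the page.
public static class PasswordHasher
{
    const int SaltSize = 16;      // 128-bit random salt, unique per user
    const int HashSize = 32;      // 256-bit derived key
    const int Iterations = 10000; // assumption; raise as hardware allows

    // Registration: returns the two values to store with the user row
    // (e.g. VARBINARY columns in SQL Server).
    public static void Create(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        hash = Derive(password, salt);
    }

    // Login: look the user up by username, then recompute the hash with that
    // user's stored salt and compare it to the stored hash.
    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        return FixedTimeEquals(Derive(password, salt), storedHash);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte even after a mismatch so timing does not reveal how
    // much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Store the salt and hash as two VARBINARY columns on the user row; at login fetch both by username and call Verify with what the user typed, which only ever leaves the database holding values that cannot be turned back into the password.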

The default MVC3 Internet Application template (file-new project) has this setup for you already, simply add [Authorize()] to the controllers/methods you want to protect. Don't roll something new, use what's there for you. In addition, please use SSL as someone can easily steal a session by sniffing traffic and simply using your cookie. It's that easy.

Adam Tuliper