
Note: By "single sign on" I mean, ask the user for credentials and then not need him to authenticate by user input anymore for X time after that.


I have to create a secure web service for clients to use to deposit sensitive data into.

I could use traditional username and passwords, but the problem is pestering the user for it every time they want to make a request. On the other hand, if I cache those credentials then it's a security liability as it has to remain somewhere on the machine. Granted I'm not working on NASA software, but I'd like something a little more robust.

Here are my restrictions:

Clients:

  1. Use Windows 2000 and latest. So the client application has to run on .NET 2.0
  2. I have no control over the network or the client's machine, meaning installing certificates on their end will be difficult if not impossible. (I have a machine fingerprint mechanism for whitelisting kosher PCs.)

Server:

  1. Will use whatever I see fit. It's at my discretion.

With those considerations in mind, what options do I have if I want to implement a "single sign on" mechanism? Meaning, the user authenticates and for X time he can call the service without needing additional authentication.

Only Bolivian Here

2 Answers

You could save a user session in a database and every time a user requests something, you check the status of the user session and authenticate the password. For security you can use any encryption technique or hash the password before storing it in the database.

Azhar Khorasany
  • Any reading material on this is more than welcome. – Only Bolivian Here Nov 30 '11 at 13:40
  • Search for hashing passwords on Google, and you should know how to store a string in a database :P – Azhar Khorasany Nov 30 '11 at 13:44
  • Btw. Thanks for accepting :P If you are able to implement it, please mark this as an answer :D – Azhar Khorasany Nov 30 '11 at 13:50
  • I know how to hash information. I was asking specifically about how user sessions tie into web services. – Only Bolivian Here Nov 30 '11 at 13:50
  • It can be just a table called UserSession with a bit column "Authenticated" with 1/0. This is just my view. You can implement it however you feel suitable though. Within the web service you can create a private function called "ValidateUser()" and use this method in your application whenever the user needs to be authenticated. – Azhar Khorasany Nov 30 '11 at 14:13

The thing to remember is that an ASP.NET web service is an ASP.NET web application, so the techniques available to you in an ASP.NET application are also there for you to use in a Web Service.

In ASP.NET you have Forms Authentication (which can be used in conjunction with ASP.NET Membership). Forms Authentication can generate a cryptographically strong authentication token in exchange for a username + password. If you return that token in a "Sign On" Web Method, you could require all subsequent Web Method calls to provide that authentication token (ideally in the SOAP Header so it is out of the way of your normal input parameters).

This of course requires the caller to store the authentication token somewhere (since that task is normally taken care of automatically by the user agent in the form of a cookie).

And of course, always use HTTPS only or your authentication is practically worthless.

saille
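The token exchange this answer describes, as an added example written for this page (not saille's code): a .NET 2.0 ASMX service whose SignOn method returns an encrypted Forms Authentication ticket, which later calls must present in a SOAP header. It assumes ASP.NET Membership is configured in web.config and a 30-minute ticket lifetime; the names DepositService, AuthHeader, SignOn and Deposit are hypothetical.

```csharp
using System;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

// Carried in the SOAP Header of every call made after SignOn, so it stays
// out of the way of the normal input parameters.
public class AuthHeader : SoapHeader
{
    public string Token;
}

public class DepositService : WebService
{
    public AuthHeader Auth;   // bound to the incoming header by [SoapHeader("Auth")]

    // Exchanges username + password for an encrypted, signed Forms
    // Authentication ticket. The 30-minute lifetime is an assumed value.
    [WebMethod]
    public string SignOn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            throw new SoapException("Invalid credentials", SoapException.ClientFaultCode);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, String.Empty);
        return FormsAuthentication.Encrypt(ticket);
    }

    // A protected operation: the caller sends the token from SignOn, not credentials.
    [WebMethod]
    [SoapHeader("Auth")]
    public bool Deposit(string payload)
    {
        string userName = ValidateUser();
        // ... persist payload on behalf of userName (omitted) ...
        return true;
    }

    // Accepts the call only over HTTPS and only if the header holds a
    // decryptable, unexpired ticket; a tampered token fails to decrypt.
    private string ValidateUser()
    {
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Auth == null || String.IsNullOrEmpty(Auth.Token))
            throw new SoapException("Missing auth token", SoapException.ClientFaultCode);
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(Auth.Token); } catch (Exception) { }
        if (ticket == null || ticket.Expired)
            throw new SoapException("Invalid or expired token", SoapException.ClientFaultCode);
        return ticket.Name;
    }
}
```

The client keeps the returned token in memory for the ticket's lifetime and sets it on the generated proxy's AuthHeaderValue property before each call, so the password itself never needs to be cached on the client machine.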