Thursday, April 8, 2010
- HTTP is a stateless protocol, so the application itself has to maintain the information needed to authenticate users. Below are the precautions we need to follow.
- We can use one of the methods suggested below for authentication:
- Forms Authentication
- Windows Authentication
- Change Password controls
- Always ask for the old password as well as the new password.
- If we send password reset links to the user's email, we need to re-authenticate the user when he tries to change his email address.
- All passwords should be stored in the database in encrypted form. Use System.Security.Cryptography in .NET, which provides:
- DES (Data Encryption Standard)
- DSA (Digital Signature Algorithm)
- HMAC-SHA1 (Hash-based Message Authentication Code using the SHA-1 hash algorithm)
- TripleDES (Triple Data Encryption Standard)
- MAC Triple DES (Message Authentication Code using Triple DES)
- SHA1, SHA256, SHA384, SHA512
- Protection during transmission:
- To protect passwords and session IDs in transit, use SSL. Use SSL for all login pages so that credentials are protected.
- Session IDs should not be transferred in query strings.
- Session IDs should be long and complex, so that they are hard to decode.
- A session ID can be formed by encrypting it together with the client's IP address, so that the IP address can be checked and compared on the server side.
- Session IDs must be changed when switching to SSL, when authenticating, and at other major transitions. Session IDs chosen by the user should never be accepted.
- Make sure the session is ended when the user clicks the logout button.
- Set the application timeout properly so that sessions are abandoned when the user closes the browser instead of clicking logout.
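One way to implement the salted password storage and the long, unpredictable session ID described above, as an added example written for this post (not code from the original). It uses the System.Security.Cryptography classes named here, but swaps in PBKDF2 (Rfc2898DeriveBytes over HMAC-SHA1) for a bare SHA hash so each stored value is tied to a random salt; the storage format and class names are my own choice.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original post): salted password hashing and
// session id generation with System.Security.Cryptography.
// PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1) is used instead of a bare SHA hash so
// that each stored value is bound to a random salt and is slow to brute force.
public static class PasswordStore
{
    private const int SaltSize = 16;      // random salt bytes per user
    private const int HashSize = 32;      // derived-key bytes to store
    private const int Iterations = 10000; // work factor; raise as hardware improves

    // Returns "iterations:base64(salt):base64(hash)" for storing in the users table.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
        return string.Format("{0}:{1}:{2}", Iterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derives the hash from the stored salt and compares it in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(expected.Length);
        // Fixed-time comparison so response timing does not reveal how many bytes matched.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // A session id that is long and unpredictable; issue a new one after login
    // rather than keeping (or accepting) an id the client already holds.
    public static string NewSessionId()
    {
        byte[] token = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(token);
        return Convert.ToBase64String(token);
    }
}
```

Verify is the only thing that should ever see the user's plaintext password; the stored string never lets it be recovered, which is what protects the table if it leaks.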