authentication - Persistent login implementaion in ASP.NET MVC application -

-

i want implement type of authentication explained here in asp.net mvc application. http://jaspan.com/improved_persistent_login_cookie_best_practice

my current implementation having users , userlogintokens tables:

create table [users].[users] ( id              int             not null,  username        nvarchar(30)    null,   -- not unique. login email. email           nvarchar(100)   not null,  passwordhash    nvarchar(512)   not null, passwordsalt    nvarchar(512)   not null, ) create table [users].[userlogintokens] ( id          int             not null, userid      int             not null, token       varchar(16)     not null, series      varchar(16)     not null, )

after user log in, issued user cookie content: t=@token&s=@series.

now, have persistentloginmodule search cookie each request, validate token , series valid build user it.

my questions:

  1. in order implement this, idea implement own authentication module , don't use formsauthentication @ all?

  2. should validate token against db in each request?

  3. when should discard old token , issued user new one?

  4. regarding implementation of db, if understand correctly series same, given user. if so, maybe should move user table?

thanks, appreciate!

if you're going build own authentication module, recommend still using formsauthentication ticket.

the formsauthenticationticket class has userdata property can use store additional data.

you can use static formsauthentication.encrypt(ticket) , formsauthentication.decrypt(ticket) methods store , retrieve data set in cookie.

no. don't want go database on every request. might want store hash of provided evidence in kind of session variable (after you've verified against database). later recompute hash , compare value you've verified during current session (to verify hasn't been tampered with).

you should research on best practices , authentication hacking. article linked 2006. there has been lots of changes in web security since then.

check source code formsauthenticationmodule see how microsoft implementation works (using reflector). should make sure kb patch installed http://support.microsoft.com/kb/2416472


Comments

Post a Comment

Popular posts from this blog

java - SNMP4J General Variable Binding Error -

-
i trying use snmp4j snmp bulkget. when ever use snmp4j make call returned responseevent error says "general variable binding error" , data returned equal null. to debug: print out, console, exact oid , version number using in snmp4j. use printed out data snmpwalk on command line. valid results. know sending snmp4j correct pdu correct oid, version number, max repititions, etc. i have used snmp4j , code wrote succesffuly monitor other devices years. don't know different time. leaving me stumped. why "general variable binding error?" causes error? ideas debug? can reproduced? if so, first action should using wireshark or microsoft network monitor capture network packets. my guess agent gives generr response, not surprising, http://www.ietf.org/rfc/rfc1157.txt
Read more

windows - Python Service Installation - "Could not find PythonClass entry" -

-
i working on building python service. inducing error, not sure inducing it. ps c:\...> python .\file.py debug debugging service myservice - press ctrl+c stop. error 0xc00000f4 - not find service's pythonclass entry in registry error 1814 - specified resource name cannot found in image file. error 0xc0000080 - not locate module name in python class string (ie, no '.') this error coming pythonservicemessages.mc in pythonwin32. it turns out error result caused exception being thrown , python script dying off.
Read more

Determine if a XmlNode is empty or null in C#? -

-
the following code takes xmlnode data type , populates dataset object xmlnode content. write dataset's content file. public void populatedataset(xmlnode node) { xmlnodereader reader = new xmlnodereader(node); dataset ds = new dataset(); ds.readxml(reader); system.guid guid = system.guid.newguid(); string name = string.format("{0}{1}_{2}.xml", utility.xmloutputpath, utility.xmloutputfilename, guid.tostring()); //need write "node empty" file if xmlnode object empty of null ds.writexml(name, xmlwritemode.ignoreschema); } the problem encountered 1 scenario not write content file. how determine if xmlnode object null or empty? you can check if node parameter null or has innertext or innerxml properties null or empty, when enter method before creating xmlnodereader .
Read more