Re: Authentication


Dave,

You shouldn't be storing passwords at all. If anything, you should be storing hashes of some data based on the password (usually, it's against the user name, along with a salt) and then you compare the hashes. This way, the password cannot be reverse engineered from the hash.

As for how to create a custom principal, check out the section of the MSDN documentation titled "Walkthrough: Implementing Custom Authentication and Authorization", located at:

http://msdn2.microsoft.com/en-us/library/ms172766(VS.80).aspx

It's in VB, but everything can be easily converted to C#.


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx

"Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1E11B330-3026-41BC-BAB3-F46B451D332D@xxxxxxxxxxxxxxxx
You stated ".... If it is the latter (which if you insist on a separate sign on, it
should be), then you have to be sure that you are not storing passwords in
the database". Where would I store my password?

I have not found any basic tutorial on IPrincipal. Could you direct me to one?

Thanks.
--
L. A. Jones


"Nicholas Paldino [.NET/C# MVP]" wrote:

Well, there are a number of questions here.

First, how are you accessing the database? Are you doing it using
trusted security, or are you accessing it using a username/login combo?

If it is the former, then you probably should be using a windows
principal, and using the security in the operating system (windows is a
single sign on system) to authenticate your user.

If it is the latter (which if you insist on a separate sign on, it
should be), then you have to be sure that you are not storing passwords in
the database, because a malicious user could use the credentials to fetch
the passwords (encrypted or not) and try to crack them over time.

Regardless, you should be encrypting the connection string as well in
the config file (assuming that is where you keep it).

You can then create a custom implementation of IPrincipal and set the
CurrentPrincipal property on the thread which will be used when checking
methods/properties with the PrincipalPermission attribute. You will need to
implement the IsInRole method to check against your database to see what
roles the user is a part of.

Needless to say, it isn't a bad thing that you are storing user
information in the database, you just have to take certain steps to make
sure that it is secure.

--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx

"Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01220BFE-50DB-480B-84B1-4CCDD93B3C02@xxxxxxxxxxxxxxxx
> Well let me tell you how I've implemented my application security. I have
> a main form with several menu options. When a user logs in I check a SQL
> database to authenticate the user. Based on the outcome several menu
> options will be enabled or disabled. Is this a poor security technique?
> --
> L. A. Jones
>
>
> "Nicholas Paldino [.NET/C# MVP]" wrote:
>
>> Dave,
>>
>> Authentication in Windows Forms is a different beast than in ASP.NET
>> applications. Basically, you are going to work off the current principal
>> for the thread, which can be based on the user that is currently logged in
>> and running your app, or something completely custom.
>>
>> However, once you determine how you want to authenticate your user, how
>> you authorize them is pretty much the same (declarative security using the
>> PrincipalPermissionAttribute, calling IsInRole on the IPrincipal interface
>> definition).
>>
>> Juval Lowy has written an article which shows how to use the ASP.NET
>> authentication module in Windows Forms if you are interested:
>>
>> http://msdn.microsoft.com/msdnmag/issues/05/04/Security/default.aspx
>>
>>
>> --
>> - Nicholas Paldino [.NET/C# MVP]
>> - mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> "Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C24B8DF6-01DD-4E9E-93DC-4B19885AD5B1@xxxxxxxxxxxxxxxx
>> > I would like to find a tutorial that shows how to set up authentication
>> > in a winform application similar to one that ASP.Net applications are
>> > capable of.
>> > --
>> > L. A. Jones
>>
