What authentication method to use?

Posted on 2000-04-19
Last Modified: 2012-05-05
I am a newbie web developer.  I am embarking on my 1st major web site development.  This site needs user authentication to access SQL Server data (raw data to html and also Crystal Reports web interface info).  I will be using Frontpage/Visual Interdev, IIS, Windows NT, ASP, etc.  I am trying to determine which authentication method I should use, why, and what are the advantages/disadvantage to whatever method you would recommend.  This site will be used to update vendor information and to provide data to our customers.  This will be hosted at an ISP and we will update SQL nightly.  I have heard of NT authentication and authentication based on usernames/passwords stored in a database.  Security is important but this isn't ultra-critical info.  I am really clueless when it comes to the whole realm of authentication.  Some suggestions as to the best method, pointers, authentication samples, links, whatever...would be helpful.  I appreciate whatever help anyone could offer.
Question by: vfafel
Expert Comment

ID: 2732201

It all depends on how sensitive the data is that your Web site visitors are receiving and sending to your SQL server.  Purchasing a certificate provider like Verisign is the type of action that most sites employ.  The user will require a 128-bit browser and a userid/password.  This will work if you are setting up a secure server (https).

You could also create your own certificates, an option that the Microsoft IIS server has.  We have a developer on site here that used that method as opposed to purchasing certificate authority products like Verisign or Thawte.

But if the purpose is just to have a record of who accesses your server, and the data is not sensitive or confidential, then the userid/password would be fine.

Hope this helps, good luck!


Expert Comment

ID: 2732305
I apologize but my abilities are not to the point where I even understand your response.  Could you back up a little and help me with the basics.  I am looking to allow web site functionality based on a successful authentication (update customer information, pull data from the SQL server, etc.)  Can you help me with the basics?

Expert Comment

ID: 2734446
Greetings vfafel,

This question begs another: "Just what, exactly, are you trying to achieve and what are the risks if your security model fails and the wrong person gets access to your data?"

Just a little basic background for you to consider.

NT security requires every user to have a username/password on the system. When an internet visitor accesses your website through IIS your web server acts for that visitor using a username/password created by IIS for that purpose. In fact (in this case) every internet visitor gets the same username/password identity.

That IIS identity has certain permissions granted to it so that the web server can do its job. These permissions are usually restricted to files and folders within the web site.

If you don't want to "muck around" with creating users and modifying NT file & folder permissions then IMHO your best bet is to use an authentication system based upon a log-on .asp connected to some database of users. (There are plenty of examples of this type of system available around the asp resource sites on the 'net)

Remember that access to your database by visitors from the internet is also granted through a similar username/password identity scheme for SQL Server. Normally these identities are created at install-time and it all functions pretty much invisibly :^

If you need to make use of NT file and folder level security then you will need to consider creating NT users and modifying the permissions in both IIS Manager and your NT file system. As you said that the site will be hosted by an ISP, you may not get access to this level of security, as it has been my experience that hosting ISPs are a little bit sensitive to letting someone modify their servers at that level.

Hope this helps.
Accepted Solution

tcurtin earned 100 total points
ID: 2734519
If you are using NT4 with IIS4 and if this is an Intranet: 1) you can set security permissions at the web site folder through NT Permissions. 2) You should also go to Start/Programs/Windows NT4 Option Pack/Internet Information Server and select your site. Right-click and go to Properties. Select 'Directory Security' and remove 'Allow Anonymous Access'. That is the IUSR_<Machine> account. The calling user will get denied and IE or Netscape will generate a logon back to the user and attempt to login again. Users will also need to be set up in SQL Server.

Expert Comment

ID: 2734554
Thank you noonie...very helpful...a few follow-ups...
1.  What does IMHO stand for?

2.  IMHO seems to be the better alternative for me...are there any obvious problems with the following scenario:
    a.  an ASP login screen to initialize authentication

    b.  all pages designed to enter orders and retrieve data can utilize the authentication information to append and update info on my "DSN" referenced database (and access to certain data retrieval pages which query SQL data based on the login username and ID).

    c.  Am I correct in assuming that by using IMHO, the security is handled by the ASP authentication and a "guest" account is used by the IIS to access the SQL server database?

A technical question - does each protected page have to have a reference indicating whether a successful login was achieved...I have seen some references but am not real clear....

Thank you for your help...

Expert Comment

ID: 2736768
1. IMHO (in my humble opinion)

2. a. This method is used widely. If the username/password is sensitive you can add an extra level of security using SSL, if your Hosting ISP provides that service and the cost of a certificate is within your project budget.

   b. You can place information relating to a successful log-in (or not) within the session object or you can use cookies.

   c. You assume correctly.

To do it correctly you should have a test on each page as to the log-in status (b) and redirect to the log-in page if the test fails. I also implement a system of recording all log-in attempts to an audit table.

In practice it all depends upon the level of security you need, the time you have to do it in and the risks involved if your security is breached.
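The log-on .asp connected to a user table (answer 2734446) and the per-page session test, redirect and audit table (answer 2736768) can be written as one classic ASP/VBScript include. The block below is an added example, not code from the thread or from any of the experts; it assumes a DSN named SiteDSN, a low-privilege SQL login named webuser (the "guest" account the asker mentions), and two tables, WebUsers(UserName, Password) and LoginAudit(UserName, RemoteAddr, Succeeded, AttemptedAt), none of which appear in the thread. It uses ADO command parameters so the form input is never pasted into the SQL text, records every log-in attempt whether it succeeds or not, and returns the same failure message for an unknown user and a wrong password.

```asp
<%
Option Explicit
' Added example (not from the thread): authentication include for IIS 4 / SQL Server via ADO.
' Assumed names: DSN "SiteDSN", SQL login "webuser", tables
'   WebUsers   (UserName varchar(64), Password varchar(64))
'   LoginAudit (UserName varchar(64), RemoteAddr varchar(45), Succeeded bit, AttemptedAt datetime)

Const CONN_STRING = "DSN=SiteDSN;UID=webuser;PWD=<placeholder>"   ' assumed; grant webuser only what the pages need
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adBoolean = 11, adExecuteNoRecords = 128

' Builds a parameterised ADO command so form input is never concatenated into SQL text.
Function NewCommand(conn, sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sqlText
    cmd.CommandType = adCmdText
    Set NewCommand = cmd
End Function

' Checks the submitted credentials against WebUsers and records every attempt
' in LoginAudit (success or failure). Returns True when the log-in succeeds.
Function AuthenticateUser(userName, password)
    Dim conn, cmd, rs, ok
    ok = False
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING

    Set cmd = NewCommand(conn, "SELECT Password FROM WebUsers WHERE UserName = ?")
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 64, userName)
    Set rs = cmd.Execute
    ' The stored value is compared in script, not in the WHERE clause. Storing a
    ' password hash rather than the password needs a hashing component that
    ' classic ASP does not ship with, so that step is not shown here.
    If Not rs.EOF Then ok = (("" & rs("Password")) = ("" & password))
    rs.Close

    Set cmd = NewCommand(conn, "INSERT INTO LoginAudit (UserName, RemoteAddr, Succeeded, AttemptedAt) VALUES (?, ?, ?, GETDATE())")
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 64, userName)
    cmd.Parameters.Append cmd.CreateParameter("a", adVarChar, adParamInput, 45, Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append cmd.CreateParameter("s", adBoolean, adParamInput, , ok)
    cmd.Execute , , adExecuteNoRecords
    conn.Close
    AuthenticateUser = ok
End Function

' Put at the top of every protected page: a visitor with no log-in in the
' session object is sent to login.asp, and the requested page is remembered.
Sub RequireLogin()
    If Len("" & Session("UserName")) = 0 Then
        Session("ReturnTo") = Request.ServerVariables("SCRIPT_NAME")
        Response.Redirect "login.asp"
    End If
End Sub

' Form handler for login.asp (the page that includes this file).
Sub HandleLoginForm()
    Dim target
    If Request.Form("action") = "login" Then
        If AuthenticateUser(Request.Form("username"), Request.Form("password")) Then
            Session("UserName") = Request.Form("username")
            target = "" & Session("ReturnTo")
            If Len(target) = 0 Then target = "default.asp"
            Session("ReturnTo") = Empty
            Response.Redirect target
        Else
            ' One message for bad user name and bad password, so the form does not reveal which accounts exist
            Response.Write "<p>Log-in failed.</p>"
        End If
    ElseIf Request.Form("action") = "logout" Then
        Session.Abandon
        Response.Redirect "login.asp"
    End If
End Sub
%>
```

Save this as an include (for example auth.inc), pull it into each protected page with a server-side include, and call RequireLogin before any HTML is written; login.asp includes the same file and calls HandleLoginForm ahead of rendering its form. Because ReturnTo is set only from SCRIPT_NAME by the server itself, the redirect after log-in cannot be pointed at an outside site by a visitor. The LoginAudit rows give the "record of who accesses your server" that the first expert mentioned, and repeated failures for one user name or address stand out when the table is reviewed.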
