Solved

What authentication method to use?

Posted on 2000-04-19
6
269 Views
Last Modified: 2012-05-05
I am a newbie web developer.  I am embarking on my 1st major web site development.  This site needs user authentication to access SQL Server data (raw data to html and also Crystal Reports web interface info).  I will be using Frontpage/Visual Interdev, IIS, Windows NT, ASP, etc.  I am trying to determine which authentication method I should use, why, and what are the advantages/disadvantage to whatever method you would recommend.  This site will be used to update vendor information and to provide data to our customers.  This will be hosted at an ISP and we will update SQL nightly.  I have heard of NT authentication and authentication based on usernames/passwords stored in a database.  Security is important but this isn't ultra-critical info.  I am really clueless when it comes to the whole realm of authentication.  Some suggestions as to the best method, pointers, authentication samples, links, whatever...would be helpful.  I appreciate whatever help anyone could offer.
0
Comment
Question by:vfafel
6 Comments
 

Expert Comment

by:GMCarr
ID: 2732201
Hello:

It all depends on how sensitive the data is that your Web site visitors are receiving and sending to your SQL server.  Purchasing a certificate provider like Verisign is the type of action that most sites employ.  The user will require a 128-bit browser and a userid/password.  This will work if you are setting up a secure server (https).

You could also create your own certificates, an option that the Microsoft IIS server has.  We have a developer on site here that used that method as opposed to purchasing certificate authority products like Verisign or Thawte.

But if the purpose is just to have a record of who accesses your server, and the data is not sensitive or confidential, then the userid/password would be fine.

Hope this helps, good luck!

0
 

Expert Comment

by:scooterhead
ID: 2732305
I apologize, but my abilities are not to the point where I even understand your response.  Could you back up a little and help me with the basics?  I am looking to allow web site functionality based on a successful authentication (update customer information, pull data from the SQL server, etc.).  Can you help me with the basics?
0
 
LVL 1

Expert Comment

by:noonie072398
ID: 2734446
Greetings vfafel,

This question begs another: "Just what, exactly, are you trying to achieve, and what are the risks if your security model fails and the wrong person gets access to your data?"

Just a little basic background for you to consider.

NT security requires every user to have a username/password on the system. When an internet visitor accesses your website through IIS your web server acts for that visitor using a username/password created by IIS for that purpose. In fact (in this case) every internet visitor gets the same username/password identity.

That IIS identity has certain permissions granted to it so that the web server can do its job. These permissions are usually restricted to files and folders within the web site.

If you don't want to "muck around" with creating users and modifying NT file & folder permissions then IMHO your best bet is to use an authentication system based upon a log-on .asp connected to some database of users. (There are plenty of examples of this type of system available around the asp resource sites on the 'net)

Remember that access to your database by visitors from the internet is also granted through a similar username/password identity scheme for SQL Server. Normally these identities are created at install-time and it all functions pretty-much invisibly :^

If you need to make use of NT file and folder level security then you will need to consider creating NT users and modifying the permissions in both IIS Manager and your NT file system. As you said that the site will be hosted by an ISP, you may not get access to this level of security, as it has been my experience that hosting ISPs are a little bit sensitive to letting someone modify their servers at that level.

Hope this helps.
0
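An added example, not code from this thread, of the "log-on .asp connected to some database of users" approach noonie describes: a classic ASP login page that looks the user up with a parameterised ADO command (so the submitted name and password are passed as data, never spliced into SQL text), writes every attempt to an audit table, and stores the user's ID in the Session object for other pages to test. The connection string, the `WebUsers` and `LoginAudit` tables, the page names and the column names are all assumptions.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' login.asp (added example). Assumed schema, not from the thread:
'   WebUsers(UserID int, UserName varchar(50), StoredPassword varchar(100))
'   LoginAudit(UserName varchar(50), Succeeded bit, RemoteAddr varchar(45), AttemptTime datetime)

' ADO constants (same values as adovbs.inc), so no include file is needed.
Const adVarChar = 200
Const adBoolean = 11
Const adParamInput = 1

' Placeholder connection string: use the SQL Server login the ISP gives the web application.
Dim CONN_STRING
CONN_STRING = "Provider=SQLOLEDB;Data Source=SQL_SERVER_PLACEHOLDER;Initial Catalog=WebDb;" & _
              "User ID=webapp;Password=PASSWORD_PLACEHOLDER"

' Look the user up by name with a parameterised command.
' Returns the UserID on success, or 0 when the name or the password is wrong.
Function ValidateUser(conn, userName, password)
    Dim cmd, rs
    ValidateUser = 0
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT UserID, StoredPassword FROM WebUsers WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, userName)
    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' Binary comparison: the database collation must not decide that "Secret" matches "secret".
        If StrComp(rs("StoredPassword").Value, password, vbBinaryCompare) = 0 Then
            ValidateUser = rs("UserID").Value
        End If
    End If
    rs.Close
End Function

' Record every attempt, successful or not, with the caller's address.
Sub RecordAttempt(conn, userName, succeeded)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "INSERT INTO LoginAudit (UserName, Succeeded, RemoteAddr, AttemptTime) " & _
                      "VALUES (?, ?, ?, GETDATE())"
    cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("Succeeded", adBoolean, adParamInput, , succeeded)
    cmd.Parameters.Append cmd.CreateParameter("RemoteAddr", adVarChar, adParamInput, 45, _
                          Request.ServerVariables("REMOTE_ADDR"))
    cmd.Execute
End Sub

Dim conn, userName, userId, failed
failed = False
If CStr(Request.Form("action")) = "login" Then
    ' Trim to the column width before it reaches the parameter.
    userName = Left(Trim(CStr(Request.Form("username"))), 50)
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING
    userId = ValidateUser(conn, userName, CStr(Request.Form("password")))
    RecordAttempt conn, userName, (userId <> 0)
    conn.Close
    If userId <> 0 Then
        ' Session("UserID") is the flag every protected page tests for.
        Session("UserID") = userId
        Session("UserName") = userName
        Response.Redirect "orders.asp"
    End If
    failed = True
End If
%>
<html><body>
<% ' One generic message for both an unknown name and a wrong password.
   If failed Then Response.Write "<p>Login failed.</p>" %>
<form method="post" action="login.asp">
  <input type="hidden" name="action" value="login">
  Username: <input type="text" name="username" maxlength="50"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Log in">
</form>
</body></html>
```

The comparison is against whatever `WebUsers.StoredPassword` holds; VBScript has no built-in hash function, so storing a hash of the password rather than the password itself needs a server component, which this example does not include. The failure message deliberately does not say whether the name or the password was wrong, and the submitted username is never written back into the page.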
 
LVL 3

Accepted Solution

by:tcurtin (earned 100 total points)
ID: 2734519
If you are using NT4 with IIS4 and if this is an Intranet: 1) you can set security permissions at the web site folder through NT Permissions. 2) You should also go to Start/Programs/Windows NT4 Option Pack/Internet Information Server and select your site. Right-click and go to Properties. Select 'Directory Security' and remove 'Allow Anonymous Access'. That is the IUSR_<Machine> account. The calling user will get denied, and IE or Netscape will generate a logon back to the user and attempt to log in again. Users will also need to be set up in SQL Server.
0
 

Expert Comment

by:scooterhead
ID: 2734554
Thank you noonie...very helpful...a few follow-ups...
1.  what does IMHO stand for?

2.  IMHO seems to be the better alternative for me...are there any obvious problems with the following scenario:
    a.  an ASP login screen to initialize authentication

    b.  all pages designed to enter orders and retrieve data can utilize the authentication information to append and update info on my "DSN" referenced database (and access to certain data retrieval pages which query SQL data based on the login username and ID).

    c.  Am I correct in assuming that by using IMHO, the security is handled by the ASP authentication and a "guest" account is used by the IIS to access the SQL server database?

A technical question - does each protected page have to have a reference indicating whether a successful login was achieved? I have seen some references but am not real clear....

Thank you for your help...
0
 
LVL 1

Expert Comment

by:noonie072398
ID: 2736768
1. IMHO (in my humble opinion)

2. a. This method is used widely. If the username/password is sensitive you can add an extra level of security using SSL, if your Hosting ISP provides that service and the cost of a certificate is within your project budget.

   b. You can place information relating to a successful log-in (or not) within the session object or you can use cookies.

   c. You assume correctly.

To do it correctly you should have a test on each page as to the log-in status (b) and redirect to the log-in page if the test fails. I also implement a system of recording all log-in attempts to an audit table.

In practice it all depends upon the level of security you need, the time you have to do it in and the risks involved if your security is breached.

0
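An added example, not from the thread, of the per-page test noonie recommends: a small include file that checks the Session object and redirects to the log-in page when the test fails, a protected page that uses it and queries only the logged-in user's rows (the "query SQL data based on the login username and ID" idea from the question), and a log-out page. It assumes a `login.asp` that stores `Session("UserID")` on success; the file names, connection string and the `Orders` table are assumptions.

```vbscript
<%
' checkauth.asp (added example). Put this at the top of every protected page:
'   <!-- #include file="checkauth.asp" -->
' Assumes login.asp stored Session("UserID") after a successful log-in.
Sub RequireLogin()
    ' An unset session key is Empty; treat that and 0 as "not logged in".
    If IsEmpty(Session("UserID")) Or Session("UserID") = 0 Then
        ' Response.Redirect ends processing, so nothing below it on the
        ' protected page is ever sent to an anonymous visitor.
        Response.Redirect "login.asp"
    End If
End Sub
RequireLogin
%>

<!-- orders.asp (added example): a protected page that only shows the user's own rows -->
<!-- #include file="checkauth.asp" -->
<%
Const adInteger = 3
Const adParamInput = 1
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=SQL_SERVER_PLACEHOLDER;Initial Catalog=WebDb;" & _
          "User ID=webapp;Password=PASSWORD_PLACEHOLDER"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' The filter value comes from the session, never from the query string or a form
' field, so a visitor cannot read another customer's orders by editing the URL.
cmd.CommandText = "SELECT OrderID, OrderDate FROM Orders WHERE CustomerUserID = ?"
cmd.Parameters.Append cmd.CreateParameter("UserID", adInteger, adParamInput, , Session("UserID"))
Set rs = cmd.Execute
Response.Write "<p>Orders for " & Server.HTMLEncode(Session("UserName")) & "</p>"
Do Until rs.EOF
    ' HTMLEncode every database value before it goes into the page.
    Response.Write Server.HTMLEncode(rs("OrderID").Value & " " & rs("OrderDate").Value) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>

<%
' logout.asp (added example): drop the whole session so the flag disappears.
Session.Abandon
Response.Redirect "login.asp"
%>
```

Because the include runs before any page output, a page that forgets the include is the only way round the check, which is why noonie's advice to test on every page matters: the test should be a one-line include that is part of every protected page's template, not something re-typed by hand.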
