vfafel

asked on

What authentication method to use?

I am a newbie web developer.  I am embarking on my first major web site development.  This site needs user authentication to access SQL Server data (raw data to HTML and also Crystal Reports web interface info).  I will be using FrontPage/Visual InterDev, IIS, Windows NT, ASP, etc.  I am trying to determine which authentication method I should use, why, and what are the advantages/disadvantages to whatever method you would recommend.  This site will be used to update vendor information and to provide data to our customers.  This will be hosted at an ISP and we will update SQL nightly.  I have heard of NT authentication and authentication based on usernames/passwords stored in a database.  Security is important but this isn't ultra-critical info.  I am really clueless when it comes to the whole realm of authentication.  Some suggestions as to the best method, pointers, authentication samples, links, whatever...would be helpful.  I appreciate whatever help anyone could offer.
GMCarr

Hello:

It all depends on how sensitive the data is that your Web site visitors are receiving and sending to your SQL server.  Purchasing a certificate from a provider like Verisign is the type of action that most sites employ.  The user will require a 128-bit browser and a userid/password.  This will work if you are setting up a secure server (https).

You could also create your own certificates, an option that the Microsoft IIS server has.  We have a developer on site here that used that method as opposed to purchasing certificate authority products like Verisign or Thawte.

But if the purpose is just to have a record of who accesses your server, and the data is not sensitive or confidential, then the userid/password would be fine.

Hope this helps, good luck!

I apologize but my abilities are not to the point where I even understand your response.  Could you back up a little and help me with the basics.  I am looking to allow web site functionality based on a successful authentication (update customer information, pull data from the SQL server, etc.)  Can you help me with the basics?
Greetings vfafel,

This question begs another: "Just what, exactly, are you trying to achieve, and what are the risks if your security model fails and the wrong person gets access to your data?"

Just a little basic background for you to consider.

NT security requires every user to have a username/password on the system. When an internet visitor accesses your website through IIS your web server acts for that visitor using a username/password created by IIS for that purpose. In fact (in this case) every internet visitor gets the same username/password identity.

That IIS identity has certain permissions granted to it so that the web server can do its job. These permissions are usually restricted to files and folders within the web site.

If you don't want to "muck around" with creating users and modifying NT file & folder permissions then IMHO your best bet is to use an authentication system based upon a log-on .asp connected to some database of users. (There are plenty of examples of this type of system available around the asp resource sites on the 'net)

Remember that access to your database by visitors from the internet is also granted through a similar username/password identity scheme for SQL Server. Normally these identities are created at install-time and it all functions pretty-much invisibly :^

If you need to make use of NT file and folder level security then you will need to consider creating NT users and modifying the permissions in both IIS Manager and your NT file system. As you said that the site will be hosted by an ISP, you may not get access to this level of security, as it has been my experience that hosting ISPs are a little bit sensitive to letting someone modify their servers at that level.

Hope this helps.
ASKER CERTIFIED SOLUTION
tcurtin

Thank you noonie...very helpful...a few follow-ups...
1.  what does IMHO stand for?

2.  IMHO seems to be the better alternative for me...are there any obvious problems with the following scenario:
    a.  an ASP login screen to initialize authentication

    b.  all pages designed to enter orders and retrieve data can utilize the authentication information to append and update info on my "DSN" referenced database (and access to certain data retrieval pages which query SQL data based on the login username and ID).

    c.  Am I correct in assuming that by using IMHO, the security is handled by the ASP authentication and a "guest" account is used by the IIS to access the SQL server database?

A technical question - does each protected page have to have a reference indicating whether a successful login was achieved...I have seen some references but am not real clear....

Thank you for your help...
1. IMHO (in my humble opinion)

2. a. This method is used widely. If the username/password is sensitive you can add an extra level of security using SSL, if your Hosting ISP provides that service and the cost of a certificate is within your project budget.

   b. You can place information relating to a successful log-in (or not) within the session object or you can use cookies.

   c. You assume correctly.

To do it correctly you should have a test on each page as to the log-in status (b) and redirect to the log-in page if the test fails. I also implement a system of recording all log-in attempts to an audit table.

In practice it all depends upon the level of security you need, the time you have to do it in and the risks involved if your security is breached.
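The scheme the two replies above describe (a log-on .asp checked against a table of users, a session flag tested at the top of every protected page with a redirect back to the log-on form, and an audit table of every log-in attempt) fits in a few dozen lines of classic ASP. The following is an added example written for this page, not code posted by anyone in the thread. The file names (auth.inc.asp, login.asp, orders.asp, logout.asp), the tables Users(UserID, Username, Password, Active) and LoginAudit(AttemptedAt, Username, RemoteAddr, Succeeded), and the Application("ConnString") value assumed to be set in global.asa are all hypothetical.

```asp
<%
' ---- auth.inc.asp : included at the top of every protected page ----
' Table, column and file names are assumptions for this example.
Const adCmdText = 1, adVarChar = 200, adInteger = 3, adParamInput = 1

' Test the session flag; anonymous visitors are sent to the log-on form.
Sub RequireLogin()
    Response.Expires = -1                      ' protected pages must not be cached
    If IsEmpty(Session("UserID")) Then
        Session("ReturnTo") = Request.ServerVariables("SCRIPT_NAME")
        Response.Redirect "login.asp"          ' Redirect ends the response here
    End If
End Sub

' Record every attempt, successful or not, in the audit table.
Sub AuditLogin(conn, user, ok)
    Dim cmd, succ
    If ok Then succ = 1 Else succ = 0
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO LoginAudit (AttemptedAt, Username, RemoteAddr, Succeeded) " & _
                      "VALUES (GETDATE(), ?, ?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 64, user)
    cmd.Parameters.Append cmd.CreateParameter("a", adVarChar, adParamInput, 45, _
                                              Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append cmd.CreateParameter("s", adInteger, adParamInput, , succ)
    cmd.Execute
End Sub
%>

<!--#include file="auth.inc.asp"-->
<%
' ---- login.asp : GET shows the form, POST checks it ----
Dim conn, cmd, rs, user, pass, ok, target
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    user = Left(Request.Form("username"), 64)
    pass = Request.Form("password")
    ok = False
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")        ' set in global.asa (assumed)
    If user <> "" And pass <> "" Then
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandType = adCmdText
        ' Both form fields travel as parameters and are never spliced into the SQL text.
        cmd.CommandText = "SELECT UserID FROM Users WHERE Username = ? AND Password = ? AND Active = 1"
        cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 64, user)
        cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 128, pass)
        Set rs = cmd.Execute
        If Not rs.EOF Then
            ok = True
            Session("UserID") = CLng(rs("UserID"))   ' the flag RequireLogin tests
            Session("Username") = user
            Session.Timeout = 20                     ' idle minutes before the log-in expires
        End If
        rs.Close
    End If
    AuditLogin conn, user, ok
    conn.Close
    If ok Then
        target = Session("ReturnTo")
        ' Only follow a site-relative path, never "//host/..." or an absolute URL.
        If Left(target, 1) <> "/" Or Left(target, 2) = "//" Then target = "/orders.asp"
        Session("ReturnTo") = Empty
        Response.Redirect target
    End If
End If
%>
<form method="post" action="login.asp">
  <% If Request.ServerVariables("REQUEST_METHOD") = "POST" Then Response.Write "<p>Log-in failed.</p>" %>
  Username <input type="text" name="username" maxlength="64">
  Password <input type="password" name="password">
  <input type="submit" value="Log in">
</form>

<!--#include file="auth.inc.asp"-->
<% ' ---- orders.asp : one protected page; the first statement is the check ----
   RequireLogin %>
<p>Welcome back, <%= Server.HTMLEncode(Session("Username")) %>.</p>

<% ' ---- logout.asp ----
   Session.Abandon
   Response.Redirect "login.asp" %>
```

Two points a practitioner would add to this. The SELECT compares the submitted password with the value stored in the table, which is what the thread describes; classic ASP has no built-in hashing function, so storing and comparing a salted hash instead needs a server-side component or a stored procedure, and a "Log-in failed" message that does not say which field was wrong keeps the form from confirming valid usernames. The SQL Server login that IIS uses for these pages (the "guest" identity discussed above) should be granted only SELECT on Users and INSERT on LoginAudit plus whatever the order pages need, so that a flaw in one page cannot be used to read or change everything else in the database.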