I'm in the process of designing a web application for the Internet (ie: non secure) I have to decide on the best authentication/authorization method for my scenario.
The scenario is as follows:
I have an arbitrary number of users using my application. Every user has to be authenticated. Each authenticated user belongs to a user group and each group has it's own database and sub-application permissions. Each group will have access to some reports and other data outputs.
The main authentication methods are:
Windows - can not use as all internet users will require windows accounts
Passport - it's a 3rd party and pay service
Certificate - Not feasible here
Forms(cookies) - This will be a problem as cookies can be hacked and the user can gain full access.
The last one would be session variables.
1) What are the big pros and cons with this method?
2) Can a user just somehow hack his own session variables and destroy my authentication method?
3) Are there major restrictions on the session variables?