Solved

Shared PC Authentication

Posted on 2005-04-28
Last Modified: 2010-04-07
I work in an environment where some employees have traditional offices and their own PCs while other employees share a computer that is logged on with a non-user-specific Active Directory account. My problem is that I need a best practice scenario on how I should be authenticating any ASP.NET apps I write.

Options as I see them are:

1.  Bite the bullet and give every user their own logon, put them in security groups and use Windows Integrated Security.
   Pros - Highest level of granular security.
   Cons - Shared PC areas have higher turnover so this will generate more work for the systems people to create accounts.  Users would have to remember their password for applications and the generic username/password to login to the machine.

2.  Use a SQL Server Table to "roll my own" forms based security.  
   Cons - More development time in checking each page for a logged in variable and then redirecting to a login page if none exists.  Un/Pw passed in clear text of query.
   Pros - Database is already created and populated (previous app. developer did it)

Again, my base question is, "Given the scenario of some people with their own PCs (and usernames) as well as some people with shared PCs (and shared usernames), what would be the best way to secure any new applications?"

Thanks,
Jerod
Question by:prairieits
LVL 33

Expert Comment

by:raterus
ID: 13885568
Have you looked at ASP.NET Forms Authentication?  The whole concept of "checking each page for a logged in variable and then redirecting to a login page if none exists." is gone now...all done automatically and rather securely.

--Michael
0
 
LVL 4

Author Comment

by:prairieits
ID: 13885601
I knew about forms based, but I thought that required me to write logic to check/secure each page.  I guess I need to go read about it some. :)

Thanks for the tip,
Jerod
0
 
LVL 33

Expert Comment

by:raterus
ID: 13885751
Nope, it can all be configured in web.config, on a page/directory basis.  The only thing it doesn't allow for is differing levels of access to the same page; that is up to you at that point, though this would be true of Windows authentication as well.

--Michael
0
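What "configured in web.config, on a page/directory basis" can look like, as an added example that is not part of the original thread. Login.aspx, the Admin folder, Help.aspx, the cookie name and the "Management" role are assumed names; the role rule also assumes roles are attached to the authenticated principal (role provider or Global.asax code, not shown).

```xml
<?xml version="1.0"?>
<!-- Added example: all file, folder, cookie and role names are assumed. -->
<configuration>
  <system.web>
    <!-- Forms Authentication: unauthenticated requests are redirected to
         loginUrl automatically, so pages need no login check of their own. -->
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and tamper-checked.
           requireSSL="true": the auth cookie is only sent over HTTPS.
           A short sliding timeout limits how long a walked-away session
           on a shared PC stays usable. -->
      <forms loginUrl="Login.aspx"
             name=".APPAUTH"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true" />
    </authentication>

    <!-- Site-wide default: deny anonymous ("?") users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Directory-level rule. Rules are evaluated top-down and the first
       match wins: Management is allowed, everyone else is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Management" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Page-level rule: a single page left open to all users,
       including anonymous ones. -->
  <location path="Help.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules gate whole URLs only; showing or hiding one control on a page that several roles can reach still has to be decided in page code.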
 
LVL 4

Author Comment

by:prairieits
ID: 13885877
That said, let's say I have a page on which I only want to show the button for "Administrative Reports" to people in "Management" AD group.  Would I need to set a session variable at the point of their initial authentication that I would check to see if that authenticated user has enough security to see the button? (i.e. session variable "admin" is set to 1 for true, 0 for false)

Thanks,
Jerod
0
 
LVL 33

Accepted Solution

by:
raterus earned 2000 total points
ID: 13886045
Yes, I would suggest doing that.  To add to that, I'd really create your own object, "InternetUser" or something, which describes a user of your site.  This could have anything, username, administrative rights, email, title, phone, you name it.  Then you turn around and assign this whole object to the session.

Then, to plug this into every page, I'd create a base page "MyAppBase", in which you have a property that accesses this object in the session, for example

Public Class MyAppBase : Inherits System.Web.UI.Page
  Public ReadOnly Property LoggedInUser As InternetUser
    Get
      If Session("LoggedInUser") Is Nothing Then
        'create new user, session must have timed out, but they are still authenticated
        'CreateNewUser is your own helper that builds an InternetUser from the login name
        Session("LoggedInUser") = CreateNewUser(Context.User.Identity.Name)
      End If

      Return DirectCast(Session("LoggedInUser"), InternetUser)
    End Get
  End Property
End Class

Then in each of your codebehinds, instead of "Inherits System.Web.UI.Page", you replace it with "Inherits MyAppBase". It's a much easier/shared way of doing it, rather than making calls to the session in each page.
0
 
LVL 4

Author Comment

by:prairieits
ID: 13886095
Awesome info.  Thanks so much for your help!

I haven't implemented your suggestions yet (obviously), but I understand the concepts so I will close this out and go give it heck. :)

Thanks,
Jerod
0
 
LVL 33

Expert Comment

by:raterus
ID: 13886544
I hope you find that it works well, I've never had a problem with the strategy.
--Michael
0

Question has a verified solution.
