Shared PC Authentication

I work in an environment where some employees have traditional offices and their own PCs while other employees share a computer that is logged on with a non-user-specific Active Directory account.  My problem is that I need a best practice scenario on how I should be authenticating any asp.net apps I write.

Options as I see them are:

1.  Bite the bullet and give every user their own logon, put them in security groups and use Windows Integrated Security.
    Pros - Highest level of granular security.
    Cons - Shared PC areas have higher turnover so this will generate more work for the systems people to create accounts.  Users would have to remember their password for applications and the generic username/password to log in to the machine.

2.  Use a SQL Server Table to "roll my own" forms based security.
    Cons - More development time in checking each page for a logged in variable and then redirecting to a login page if none exists.  Un/Pw passed in clear text of query.
    Pros - Database is already created and populated (previous app. developer did it)

Again, my base question is, "Given the scenario of some people with their own PCs (and usernames) as well as some people with shared PCs (and shared usernames), what would be the best way to secure any new applications?"

Thanks,
Jerod
prairieits asked:


raterus commented:
Have you looked at asp.net Forms Authentication?  The whole concept of "checking each page for a logged in variable and then redirecting to a login page if none exists" is gone now... all done automatically and rather securely.

--Michael
prairieits (Author) commented:
I knew about forms based, but I thought that required me to write logic to check/secure each page.  I guess I need to go read about it some. :)

Thanks for the tip,
Jerod
raterus commented:
Nope, it can all be configured in web.config, on a page/directory basis.  The only thing it doesn't allow for is differing levels of access to the same page; that is up to you at that point, though this would be true of windows authentication as well.

--Michael
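One way to express the page/directory setup Michael describes, as an added web.config example that is not part of this thread (the folder names, the login page name and the "Management" role name are assumed; Forms Authentication does not read AD group membership by itself, so the application must attach roles to the principal for the roles rule to apply):

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to loginUrl -->
    <authentication mode="Forms">
      <forms name=".MYAPPAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             requireSSL="true"
             slidingExpiration="true" />
    </authentication>

    <!-- Site-wide rule: deny anonymous users ("?"), allow everyone who is logged in -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory rule: only members of the Management role may reach Reports/Admin -->
  <location path="Reports/Admin">
    <system.web>
      <authorization>
        <allow roles="Management" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-page rule: the login page itself stays reachable so the redirect cannot loop -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules are evaluated top to bottom and the first match wins, so a `deny` placed after an `allow` for the same user never takes effect; the ticket name and `requireSSL` keep the cookie from being replayed over plain HTTP.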

prairieits (Author) commented:
That said, let's say I have a page on which I only want to show the button for "Administrative Reports" to people in the "Management" AD group.  Would I need to set a session variable at the point of their initial authentication that I would check to see if that authenticated user has enough security to see the button? (i.e. session variable "admin" is set to 1 for true, 0 for false)

Thanks,
Jerod
raterus commented:
Yes, I would suggest doing that.  To add to that, I'd really create your own object, "InternetUser" or something, which describes a user of your site.  This could have anything, username, administrative rights, email, title, phone, you name it.  Then you turn around and assign this whole object to the session.

Then, to plug this into every page, I'd create a base page "MyAppBase", which has a property that accesses this object in the session, for example:

Public Class MyAppBase
  Inherits System.Web.UI.Page

  ' Typed accessor for the InternetUser object kept in session
  Public ReadOnly Property LoggedInUser As InternetUser
    Get
      If Session("LoggedInUser") Is Nothing Then
        ' create new user, session must have timed out, but they are still authenticated
        Session("LoggedInUser") = CreateNewUser(Context.User.Identity.Name)
      End If

      Return DirectCast(Session("LoggedInUser"), InternetUser)
    End Get
  End Property
End Class

Then in each of your codebehinds, instead of "Inherits System.Web.UI.Page", you replace it with "Inherits MyAppBase".  It's a much easier/shared way of doing it, rather than making calls to the session in each page.
prairieits (Author) commented:
Awesome info.  Thanks so much for your help!

I haven't implemented your suggestions yet (obviously), but I understand the concepts so I will close this out and go give it heck. :)

Thanks,
Jerod
raterus commented:
I hope you find that it works well; I've never had a problem with the strategy.
--Michael