
Application Login/Password problem

Last Modified: 2013-11-26
Hi people, a nice little question for you:

I have a web site with the ASP.NET web configuration (so in SQL I have the aspnet tables for roles, membership, users, etc.). Passwords are encrypted, so I have a MachineKey SHA1 in web.config.

I also have an application with a web service. That's only because I don't want users to have access to connection strings and the SELECT/UPDATE/INSERT functions, etc.

When the client application starts, I ask for a username/password, which would be the same as the login for the web site. But my web site checks automatically whether the login is good, so I don't have to code it, because of ASP.NET 2.0.

But my application... How could I check whether the login/password he enters corresponds to the SQL table aspnet_Membership if the password is encrypted?
I'm sure there is an easy way, but I don't know it.

Do you understand what I mean?

Thank you.

Ted Bouskill, Senior Software Developer
CERTIFIED EXPERT
Top Expert 2009

Commented:
Do you realize that using a web service instead of a data access layer will kill performance?  Why aren't you creating DLLs with functions that access the SQL database, preferably via stored procedures?

Author

Commented:
The only reason I wanted to do that with a web service is because I'm sure it is possible for some people smart enough to go and see what's in the code behind, even if I create a .exe and/or DLLs. If they succeed at that, they can see connection strings, the SQL database name, etc. With the web service I no longer have that problem.

For example, what do you think Internet games like PartyPoker do? They have a web site login/password and the application (same credentials), and you can play. Do you think they are using a web service?
Ted Bouskill, Senior Software Developer
CERTIFIED EXPERT
Top Expert 2009

Commented:
Well to be honest, if your IIS server is configured properly a user will NEVER touch a DLL or EXE, therefore they will never see the connection strings.  Anything in the bin directory stays on the server and the user never touches them.

However, it sounds like you might have built a smart client application and distribute DLLs to the client.  Am I correct?

If yes, then you should be aware of one serious flaw in Java and .NET applications.  The binaries can be reverse engineered, unlike C/C++ applications.

You can use a code obfuscator to make it more difficult to reverse engineer and you can also store the SQL string as an encrypted string, then decrypt it on the fly.

Otherwise, as you can see, you are going to create complexity by creating your own authentication scheme.   By the way, the way Windows and UNIX authentication works is that they compare encrypted passwords using one-way encryption.  Passwords cannot be decrypted.

So in your case you would store encrypted passwords in the database and compare encrypted passwords.
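The comment above describes the general idea (hash the candidate, compare hashes, never decrypt); the following is an added example, not code from the thread or from Microsoft, showing what that comparison concretely looks like for an ASP.NET 2.0 SqlMembershipProvider row. It assumes the site stores passwords as PasswordFormat = 1 (Hashed) with SHA1 validation, which is what "MachineKey SHA1" in the question suggests: the provider hashes the raw salt bytes followed by the UTF-16LE encoding of the password and stores the Base64 digest in aspnet_Membership.Password beside the Base64 salt in PasswordSalt. The MEMBERSHIP dictionary, the "alice" row and the function names are constructed for the example; the salt and hash are generated at import time, not copied from any real database.

```python
import base64
import hashlib
import hmac
import os


def encode_password(password: str, salt_b64: str) -> str:
    """Reproduce the SqlMembershipProvider hashed-password encoding (PasswordFormat = 1).

    Input to the hash is salt_bytes || UTF-16LE(password); the digest (SHA1 here, per
    the validation algorithm on <machineKey>) is stored Base64-encoded.
    """
    salt = base64.b64decode(salt_b64)
    pwd = password.encode("utf-16-le")          # System.Text.Encoding.Unicode
    digest = hashlib.sha1(salt + pwd).digest()  # 20 bytes -> 28 Base64 chars
    return base64.b64encode(digest).decode("ascii")


def new_salt_b64() -> str:
    """16 random bytes, Base64-encoded, as the provider creates for a new account."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify_password(candidate: str, stored_hash_b64: str, stored_salt_b64: str) -> bool:
    """Compare hashes, never plaintext: re-hash the candidate with the *stored* salt and
    compare in constant time so a rejection leaks nothing about where the strings differ."""
    computed = encode_password(candidate, stored_salt_b64)
    return hmac.compare_digest(computed.encode("ascii"), stored_hash_b64.encode("ascii"))


# Constructed stand-in for aspnet_Users + aspnet_Membership, keyed by lowered username.
# Values are generated here at import time; nothing below comes from a real database.
_SALT = new_salt_b64()
MEMBERSHIP = {
    "alice": {
        "PasswordFormat": 1,                                  # 1 = Hashed
        "Password": encode_password("correct horse", _SALT),
        "PasswordSalt": _SALT,
    },
}


def validate_user(username: str, password: str) -> bool:
    """What a web-service login method would do with the credentials the client sends
    (over TLS): look the row up, verify the hash, and answer yes/no. The hash and salt
    never leave the server, and the client never needs the connection string."""
    row = MEMBERSHIP.get(username.lower())
    if row is None or row["PasswordFormat"] != 1:
        # Unknown user, or a row stored Clear/Encrypted rather than Hashed: refuse.
        return False
    return verify_password(password, row["Password"], row["PasswordSalt"])


if __name__ == "__main__":
    print(validate_user("Alice", "correct horse"))   # True  (lookup is case-insensitive)
    print(validate_user("alice", "Correct horse"))   # False (hash comparison is not)
```

Inside a .NET web service that runs in the same application as the site, the same check is available directly as `Membership.ValidateUser(username, password)`, which performs exactly this lookup and comparison against the configured provider; the block above spells it out so the salt handling and the hash-only comparison are visible. Note that this replicates the provider's scheme as it was, a single fast SHA1 round over a 16-byte salt, rather than recommending it for a new design.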

Author

Commented:
Yes, I need to distribute an EXE to clients, but the .exe needs to establish a connection with my server application, because this server application has the functions for the SQL stored procs in my SQL database. So I think I need that web service. That way, I no longer have the problem of the flaw you mentioned. Everything is secured. But you just said in another message that that could kill performance...? Can you explain a little more why? I mean, if I rent a powerful server (even 2 or 3), won't I be OK?
Ted Bouskill, Senior Software Developer
CERTIFIED EXPERT
Top Expert 2009

Commented:
How will you secure access to the web service?  If you don't, anyone can use the web service.  Which means you are back to the same problem: where do you store the username/password for the web service on the client?

Web services are all via XML, and it is a very chatty protocol.  It's a useful mechanism for mixing heterogeneous technology, like getting .NET to talk to a Java server, for example.  However, it adds a great deal of overhead.

I've actually done performance comparisons.  Even for a very small dataset a web service was about 100 times slower than a direct call to a SQL server using a data access layer.

It's not the speed of the server that is the problem, it is the latency of doing transactions over a network.  That is your limiting factor for web services.

Author

Commented:
So what is your solution, do you think?
I think you understand what I want to do, so... When you say use a DAL, give me an example, because I thought the web service "WAS" the good solution.

Author

Commented:
OK, this is my question for you: what can I do if the clients are all around the world, so yes, it's public (no intranet)? What are my options if a web service is not the good solution? You were saying DAL...? (Do you want me to start a new question with new points? I don't care.)
Senior Software Developer
CERTIFIED EXPERT
Top Expert 2009
Commented: