Application Login/Password problem

Hi people, a nice little question for you:

I have a web site with ASP.NET web configuration (so in SQL I have the aspnet tables for roles, membership, users, etc.). Passwords are encrypted, so I have a MachineKey SHA1 in web.config.

I also have an application with a web service. That's only because I don't want users to have access to connection strings and the SELECT/UPDATE/INSERT functions, etc.

When the client application starts, I ask for Username/Password, which would be the same as the login for the web site. But my web site checks automatically if the login is good, so I don't have to code it because of ASP.NET 2.0.

But my application... How could I check if the login/password he enters corresponds to the SQL table aspnet.Membership if the password is encrypted??
I'm sure there is an easy way but I don't know it.

Do you understand what I mean?

Thank you.
Ted Bouskill (Senior Software Developer) commented:
Do you realize that using a web service instead of a data access layer will kill performance? Why aren't you creating DLLs with functions that access the SQL database, preferably via stored procedures?
PhilippeRenaud (Author) commented:
The only reason I wanted to do that with a Web Service is because I'm sure it is possible for some people smart enough to go see what's in the code behind, even if I create a .exe and/or DLLs. If they succeed at that, they can see connectionStrings, SQL database name, etc. With the web service I no longer have that problem.

For example, what do you think Internet games like PartyPoker do? They have a web site login/password and the application (same credentials) and you can play. Do you think they are using a web service?
Ted Bouskill (Senior Software Developer) commented:
Well, to be honest, if your IIS server is configured properly a user will NEVER touch a DLL or EXE, therefore they will never see the connection strings. Anything in the bin directory stays on the server and the user never touches it.

However, it sounds like you might have built a smart client application and distribute DLLs to the client. Am I correct?

If yes, then you should be aware of one serious flaw in Java and .NET applications. The binaries can be reverse engineered, unlike C/C++ applications.

You can use a code obfuscator to make it more difficult to reverse engineer, and you can also store the SQL string as an encrypted string, then decrypt it on the fly.

Otherwise, as you can see, you are going to create complexity by creating your own authentication scheme. By the way, the way Windows and UNIX authentication works is they compare encrypted passwords using one-way encryption. Passwords cannot be decrypted.

So in your case you would store encrypted passwords in the database and compare encrypted passwords.
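As an added example (not code from the thread or from either poster), this is what the "compare encrypted passwords" check looks like for an ASP.NET 2.0 SqlMembershipProvider row stored in Hashed format (PasswordFormat 1): the provider hashes the base64-decoded PasswordSalt followed by the UTF-16LE password with SHA1 and base64-encodes the result. It is written in Python to make the format explicit; the sample user, salt and password are constructed, and the column names mirror the aspnet_Membership table. In the real application this is what `Membership.ValidateUser` does, and it belongs on the server behind the web service, not in the distributed client.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the page. Reproduces the SqlMembershipProvider
# "Hashed" format: base64(SHA1(salt_bytes || UTF-16LE(password))), with
# PasswordSalt being the base64 of 16 random bytes.

def encode_password(password: str, salt_b64: str) -> str:
    """Return the base64 SHA1 the provider would store for this password/salt."""
    salt = base64.b64decode(salt_b64)
    pw_bytes = password.encode("utf-16-le")   # .NET Encoding.Unicode
    digest = hashlib.sha1(salt + pw_bytes).digest()
    return base64.b64encode(digest).decode("ascii")

def new_salt_b64() -> str:
    """16 random bytes, base64-encoded, as the provider generates for a new user."""
    return base64.b64encode(os.urandom(16)).decode("ascii")

def verify_password(candidate: str, salt_b64: str, stored_b64: str) -> bool:
    """Re-hash the candidate and compare in constant time (no early-exit timing leak)."""
    return hmac.compare_digest(encode_password(candidate, salt_b64), stored_b64)

# Constructed sample row (not real data): fixed salt so the result is reproducible.
SAMPLE_SALT = base64.b64encode(bytes(range(1, 17))).decode("ascii")
SAMPLE_USER = {
    "LoweredUserName": "philippe",
    "PasswordSalt": SAMPLE_SALT,
    "Password": encode_password("S3cret!Pass", SAMPLE_SALT),
    "PasswordFormat": 1,
}

def validate_user(username: str, password: str, table: dict) -> bool:
    """Server-side check: look the user up by lowered name, then compare hashes."""
    row = table.get(username.lower())
    if row is None or row["PasswordFormat"] != 1:
        return False          # unknown user, or a format this example does not handle
    return verify_password(password, row["PasswordSalt"], row["Password"])

if __name__ == "__main__":
    table = {SAMPLE_USER["LoweredUserName"]: SAMPLE_USER}
    print(validate_user("Philippe", "S3cret!Pass", table))  # True
    print(validate_user("Philippe", "wrong", table))        # False
```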
PhilippeRenaud (Author) commented:
Yes, I need to distribute an EXE to clients, but the .exe needs to establish a connection with my server application, because this server application has the functions for SQL stored procs in my SQL database. So I think I need that web service. That way, I no longer have the problem of the flaw like you said. Everything is secured. But you just said in another message that that could kill performance...? Can you explain a little more why? I mean, if I rent a powerful server (even 2 or 3), won't I be OK?
Ted Bouskill (Senior Software Developer) commented:
How will you secure access to the web service? If you don't, anyone can use the web service. Which means you are back to the same problem: where do you store the username/password for the web service on the client?

Web services are all via XML and it is a very chatty protocol. It's a useful mechanism for mixing heterogeneous technology, like getting .NET to talk to a Java server for example. However, it adds a great deal of overhead.

I've actually done performance comparisons. Even for a very small dataset a web service was about 100 times slower than a direct call to a SQL server using a data access layer.

It's not the speed of the server that is the problem, it is the latency of doing transactions over a network. That is your limiting factor for web services.
PhilippeRenaud (Author) commented:
So what is your solution, do you think?
I think you understand what I want to do so... When you say use a DAL, give me an example, because I thought the web service "WAS" the good solution.
PhilippeRenaud (Author) commented:
OK, this is my question for you: what can I do if the clients are all around the world, so yes it's public (no intranet)? What are my options if a web service is not the good solution? You were saying DAL...? (Do you want me to start a new question with new points? I don't care.)
Ted Bouskill (Senior Software Developer) commented:
Hi, DAL is short for Data Access Layer, and actually both a web service and ADO.NET would need a DAL. Let me explain.

I'm going to assume you have a Windows form that has a grid view or UI elements that display data from a remote server. The client-side code that you write to contact the remote server, get the data and then populate the form is the data access layer.

So your client code (DAL) has to:
1) Prepare the data request
2) Connect to the remote server
3) Authenticate (to make sure you are allowed to access the data)
4) Request the data
5) Receive the data
6) Disconnect

The key is you have choices on how to do the previous steps.  What is important is which is the most secure, reliable and has the best performance.

Without writing your own custom TCP/IP protocol (which would be very difficult), and knowing your remote server is SQL 2005, you have three choices: .NET Remoting, Web Service or ADO.NET. The first two use XML, which greatly expands the amount of data sent back and forth because everything is text data and you have the text tags wrapped around it.

With all three you will need to configure authentication to gain permission to access the data.  Otherwise anyone using the right tools could connect to your data source remotely.  All three can use Windows Authentication, Username/Password or a Certificate which is installed on the client!  (we will get back to that)

Using SSL with all three is important because it will protect the packets and encrypt them from prying eyes. SSL also expands the data transmitted because, to secure the data, it is mixed into larger chunks. So, with a verbose protocol like XML, the SSL data transmitted gets very large (hence slow).

As I said, I've set up remote data connections using all three and timed them. .NET Remoting was the slowest, followed by Web Services, and ADO.NET was by far the fastest.

So, another choice is how to connect to the remote server using your client code. For one, I always make sure that clients access data on a 'need to know' basis. In other words, accounts that can be used remotely have very restricted access to only the data they need. The reason is that it restricts the amount of damage a hacker could do if the account is stolen.

If you build a certificate into your code and distribute both the DLLs and the certificate to the client, then you don't need to store a username/password in the client code. However, certificates are more difficult to set up and distribute, but they are VERY secure.

In business applications I write I don't bother to encrypt the username/password in the client code because the account usually has weak permissions. They can't do anything more dangerous than what they could do with the UI. However, encrypting SQL connection strings in your client code is trivial, so you can prevent them from using it if necessary.

Finally, the biggest risk to your server is having a port exposed to the internet for your customers to connect to the data server. All three choices require an open port and hackers could attempt to break into the port.

For all three choices I'd recommend you use a non-standard port, because hacking software only looks for default ports like port 1433 for SQL or port 80 for websites. They don't scan all the port numbers because then firewalls could detect the activity and they could get caught.

Sorry for the long explanation, but what you are trying to build is actually an advanced topic and there is a lot of knowledge required to safely build internet applications.