We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.
Because this web app has SQL statements inside the VB source code, we are afraid of SQL injections.
For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.
We have developed a component (dll) that receives UserId and Password as parameters and checks them against AD. We are planning to use our function in the Login page, and also every aspx.vb page, in its Page_Load procedure, will call our function Authentication_In_AD(UserId, password), so we will be sure that every page is authenticated.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then
        Dim sUserId As String = Context.Items("UserId").ToString()
        Dim sPassword As String = Context.Items("Password").ToString()
        ' if it's not possible to use Context.Items in the page,
        ' then we will use Session("UserId") and Session("Password")
        If Authenticate_In_AD(sUserId, sPassword) = False Then
            ' Don't get access to page
        Else
            ' Get access to page
            ' rest of code
        End If
    End If
End Sub
We think that the only way to store UserId and Password and have them accessible in every page, or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:
- Are Session variables a safe way to store sensitive values like UserId or Password? Would there be another, safer way?
- Is it a good idea to authenticate user in every aspx page?
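As an added illustration (not part of the question and not the asker's code), this is the same flow when the AD check runs once at login and ASP.NET 1.1 Forms Authentication carries a signed, encrypted ticket from page to page, so the password is never stored in Session and no per-page credential check is needed. `Authenticate_In_AD` is assumed to be the asker's existing DLL function returning a Boolean; the control names and `Login.aspx` are assumptions.

```vbnet
' web.config (ASP.NET 1.1): the framework refuses anonymous requests on every page
' and sends them to Login.aspx, so Page_Load never has to re-check credentials.
'
' <configuration>
'   <system.web>
'     <authentication mode="Forms">
'       <forms name=".ADAUTH" loginUrl="Login.aspx" timeout="30"
'              protection="All" requireSSL="true" />   <!-- ticket cookie only over HTTPS -->
'     </authentication>
'     <authorization>
'       <deny users="?" />   <!-- "?" = anonymous users -->
'     </authorization>
'   </system.web>
' </configuration>

' Login.aspx.vb: the only place the password exists, and only for this one request.
Imports System.Web.Security

Public Class Login
    Inherits System.Web.UI.Page

    Protected WithEvents txtUserId As System.Web.UI.WebControls.TextBox
    Protected WithEvents txtPassword As System.Web.UI.WebControls.TextBox
    Protected WithEvents btnLogin As System.Web.UI.WebControls.Button
    Protected WithEvents lblError As System.Web.UI.WebControls.Label

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        ' Authenticate_In_AD is the asker's component (assumed: returns True on success)
        If Authenticate_In_AD(txtUserId.Text, txtPassword.Text) Then
            ' Issues the forms ticket cookie holding only the user name (not the password)
            ' and redirects to the page the user originally asked for.
            FormsAuthentication.RedirectFromLoginPage(txtUserId.Text, False)
        Else
            ' Same message for bad user or bad password: do not reveal which one failed.
            lblError.Text = "Invalid user ID or password."
        End If
    End Sub
End Class

' Any other page: already protected by web.config; the identity is available
' if the page needs it, the password is not.
Public Class SomePage
    Inherits System.Web.UI.Page

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        Dim sUserId As String = User.Identity.Name   ' comes from the validated ticket
        ' rest of the page logic uses sUserId
    End Sub
End Class
```

`FormsAuthentication.SignOut()` clears the ticket on logout; the ticket's `timeout` bounds how long a stolen cookie stays usable, which is why keeping it short and sending it only over HTTPS matters.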