Web Service Authentication...

Status
Not open for further replies.

Neil Toulouse

Programmer
Mar 18, 2002
882
GB
Hi guys

I have been tasked with setting up a fairly simple web service for a client, written in C#, in which I need to add some form of security, as it will be on an HTTPS link but accessible by the world. My C# knowledge is limited so I am looking for as simple a solution as possible.

My thought is to have the username/password stored in the web.config file, which is then used to check against what is passed on the call to a method in the web service. Should be simple enough (I guess!) but my Googling has turned up a large number of different solutions, with some people saying not to use them etc, so it has left me confused.

Could anyone point me to a tutorial of an accepted technique that's simple to implement both from my end and the client's end (I have no idea what their front end will be)?

Many thanks

I like work. It fascinates me. I can sit and look at it for hours...
 
Have you considered setting it up to use Active Directory? If they are running it on Windows Server anyway they likely have Active Directory available to them. And then if they are using the domain controller on the work computers, they now only have to have one set of credentials. It's nice. You can also set it so that if they are logged into the domain, the web application already knows who they are when they go to access the page, which is even nicer (though there can be some security considerations with that if you have users who leave their computers logged in on a regular basis).
 
Sounds like a nice solution! It might be a bit overkill at this stage for my needs but well worth a look :)

Thanks

I like work. It fascinates me. I can sit and look at it for hours...
 
You could also go the traditional web route where you have a database behind the scenes which you use to store information. And then you can just MD5 hash the passwords; when they try to log in, take the password they enter, MD5 hash that, compare with the database, and if it matches, set a cookie with a session number in it which you can then track in the database. Most PHP websites use this method; they also tend to create a randomly generated (for the server, not per use) 'salt' that they throw onto the passwords before they hash them just to make things a little bit more confusing. If someone compromises your database it makes it a bit harder for them to be jamming in reset passwords if they can't access the file with the salt setting in it.

To be honest, I'm not sure of ASP.NET best practice for this, given that most of the websites I have designed were all done in PHP or RoR. I only really use C# for Windows Forms and console applications/services.
 
Thanks Moregelen, I have a fair bit to look into now :) I think the 'traditional' route will be the way to go with this solution, so I will look more into that.

Many thanks for your time :)

I like work. It fascinates me. I can sit and look at it for hours...
 