forms authentication
- ticket or token based
- when logged in, receive a ticket with basic info
- stored in an encrypted cookie
- attached to the response
- automatically submitted on each subsequent request
- careful of replay attack - good reason to have SSL throughout site
- MD5 vs SHA1 (from msdn)
- Each one of the hashing algorithms presented performs the same type of operation. The differences between them are simply in the size of the key used to produce the hash. The larger the key used, the stronger the encryption. For example, SHA1 uses a 160-bit encryption key, whereas MD5 uses a 128-bit encryption key; thus, SHA1 is more secure than MD5 and thus is a much harder hash to break.
Another point to consider about hashing algorithms is whether or not there are practical or theoretical possibilities of collisions. Collisions are bad since two different words could produce the same hash. SHA1, for example, has no practical or theoretical possibilities of collision. MD5 has the possibility of theoretical collisions, but no practical possibilities. So choosing an algorithm comes down to the level of security you need.
- SHA1 is harder to break - but also slower to process...
- controlled in Web.config file (top-level ONLY)
- set up so anonymous users don't have access
- on a folder level
- if ticket not there, redirected to page of choice
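Added example (not from the notes or from ASP.NET itself): a small model of the ticket mechanism described above, written in Python so it runs stand-alone. The ticket is a JSON payload (user, issue time, expiry) that is encrypted with an HMAC-SHA256 counter-mode keystream and then authenticated with a second HMAC, base64-encoded into a cookie value; on each request the cookie is verified with a constant-time compare, decrypted and checked for expiry, and a request for the protected "folder" without a valid ticket is redirected to the login page with a ReturnUrl. The key literals, cookie name, folder prefix and login URL are constructed for the demo; the key-splitting and encrypt-then-MAC layout are my choice, not a copy of ASP.NET's ticket format.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse

# Constructed demo keys. A real deployment keeps these as a server-side
# secret (ASP.NET: the machineKey), never as literals in source.
ENC_KEY = b"demo-encryption-key-32-bytes-long"
MAC_KEY = b"demo-validation-key-32-bytes-long!"
LOGIN_URL = "/login"              # "page of choice" for anonymous users
PROTECTED_PREFIX = "/members/"    # folder anonymous users may not access
TICKET_COOKIE = "AUTH_TICKET"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF to produce keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def issue_ticket(user: str, now: float, ttl_seconds: int = 1800) -> str:
    """Cookie value = base64(nonce || ciphertext || HMAC tag). Encrypt, then MAC."""
    payload = json.dumps({"user": user, "iat": int(now), "exp": int(now) + ttl_seconds}).encode()
    nonce = os.urandom(NONCE_LEN)  # fresh per ticket so keystream never repeats
    ciphertext = _xor(payload, _keystream(ENC_KEY, nonce, len(payload)))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def read_ticket(cookie_value: str, now: float):
    """Return the ticket dict if the tag verifies and it has not expired, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; rejects tampering
        return None
    try:
        ticket = json.loads(_xor(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext))))
    except ValueError:
        return None
    if not isinstance(ticket, dict) or ticket.get("exp", 0) <= now:
        return None  # expired tickets are treated as absent
    return ticket


def handle_request(path: str, cookies: dict, now: float):
    """Return (status, body_or_location). The browser submits the cookie on every request,
    so the ticket is a bearer token: anyone holding it is the user until it expires,
    which is why the whole site should be served over TLS."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, "public page"
    ticket = read_ticket(cookies.get(TICKET_COOKIE, ""), now)
    if ticket is None:
        return 302, f"{LOGIN_URL}?ReturnUrl={urllib.parse.quote(path, safe='')}"
    return 200, f"hello {ticket['user']}"


if __name__ == "__main__":
    now = 1_000_000.0
    print(handle_request("/members/area", {}, now))            # 302 to login
    cookie = issue_ticket("alice", now, ttl_seconds=60)
    print(handle_request("/members/area", {TICKET_COOKIE: cookie}, now))       # 200
    print(handle_request("/members/area", {TICKET_COOKIE: cookie}, now + 61))  # expired -> 302
```

The split into a validation key and an encryption key mirrors the notes' "encrypted cookie" plus the need to detect tampering; expiry is enforced server-side from the ticket contents, not from the cookie's own Expires attribute, which the client controls.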
- FormsAuthentication class
- Why use this?
- full control over the authentication code
- doesn't use external system, like Windows Authentication or LDAP
- full control over the appearance of the login form
- Windows Authentication is dependent upon the browser, and with Passport you must leave the site
- works in all browsers
- even mobile devices that don't use HTML
- allows you to decide how to store user information
- Forms Authentication is well tested...
- like PHP - the initial collection of username/password is sent in the clear
- Storing user information
- web.config file
- other data collection (db)