
I am fairly new to authentication logic; would anyone be able to tell me if I am missing something here, as it seems a little too good to be true? I validate users using something like this:

    if (validateUser(form.Email, form.Password))
    {
        return signIn(form.Email);
    }

The validateUser function returns a boolean value. signIn then does something like this:

    public void signIn(string email)
    {
        // Issue the forms-authentication ticket for the validated user;
        // the name stored in the cookie is the email that was just validated.
        FormsAuthentication.SetAuthCookie(email, false);
    }

This will subsequently allow me to do things like this for all future requests:

    string userEmail = User.Identity.Name;
    Profile p = Profile.getProfileFor(userEmail);

This seems a little too simple to be safe! Is there anything I'm missing here / any blindingly obvious security risks? Or is this basically how it's done?

Regards,

Mike

  • What makes you think that it is not safe? Commented Mar 12, 2012 at 10:12

3 Answers

2

There is so much more you can do with security:

  • Encrypt the password
  • Log every login attempt with IP address to identify attacks
  • Use an integer identity column instead of email:

    This will make the app leaner and faster.

    If you use a number instead of email a hacker would have a harder time associating the information (user) to hack. You can learn so much from a user just by having his email.

  • Cache the identity
  • Use roles


2

In theory you should use HTTPS to avoid man in the middle attacks but this is not something done in code. Also it is not obvious from your code if you are hashing the passwords as you should be.

BTW the .NET convention is to use PascalCase for method names.


1

That is how it is done, correct.

The only security risk to note is the same as with all form posts, in that all values entered by the end-user into the browser are sent back to the server in plain text, including the password. So, this exposes the possibility of someone trying to sniff the traffic for passwords, for which you can use https to get around that problem.

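The second and third answers both point out that HTTPS is what protects the posted password and the resulting cookie, and that this is configured rather than coded. As an added example (not from the question or the answers), this is the Web.config fragment that makes the forms-authentication cookie HTTPS-only and unreadable from script; loginUrl and timeout are placeholder values.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication as in the question; requireSSL="true" makes
         SetAuthCookie mark the ticket cookie Secure, so browsers never send
         it over plain HTTP, and an HTTP request is rejected rather than
         silently authenticated. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" slidingExpiration="true" />
    </authentication>

    <!-- Cookies issued by the application are HttpOnly (not readable by
         page script) and Secure. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With these settings the login form itself must also be served over HTTPS, otherwise the password still travels in the clear on the POST that precedes SetAuthCookie.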
