I am writing an application which uses WCF in order to communicate with Web Services. A database is also used to store user-related data, such as credentials. The passwords in the DB are hashed + salted.

The user has to manually login using a username and password, which is provided to him. The application then uses a proxy in order to communicate with the Web Service in charge of the authentication. The Web Service then checks if the user exists and returns data to the client, which then displays the data. Otherwise, an error is shown if the credentials are invalid or the server unreachable.

My questions:

• In order to reduce the amount of work done by the Web Services, I wanted the authentication process to be done by the client. In other words, The client sends a username to the Web Service, which then checks in the database if an entry exists for that username in the “Users” table exists. If it does, the Web Service returns the hashed and salted password (from the DB) to the client. The client then compares the password entered by the user with the hashed/salted password obtained. No decryption is done, the entered password is just hashed using the same salt bytes and the passwords compared.

  Is this acceptable behavior ?

• How should I proceed if the provided username is not found in the DB ? Should the server throw an exception, which is then handled by the client ? Or should I divide the authentication part in two steps:

  1) Make sure the user exists.

  2) Fetch the encrypted password from the DB.

  The first step would then return a certain value which is understood by the client as meaning “the user does not exist” (ex: boolean value “False”).