Home/ Questions/Q 803705
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T23:48:08+00:00

I have a fairly complex business application written in ASP.NET that is deployed on

  • 0

I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application.

Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application.

I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability.

My thought is to deploy a set of web services to a folder of the existing site that only the new role “web service” has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client).

I did see this question and I am aware of the limitations that Forms Authentication poses. Since security is not my primary motivator (I use SSL and can restrict access by IP address), but rather using existing user accounts and roles, my decision tree is somewhat different as well.

Can I do this, is it a good idea, and are there any code examples/references that you can point me to?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I ended up with a combination of things. First, forms authentication does not really work in this scenario, because of the redirects that you get when a users is not logged in or the credentials are incorrect.

    Because I want to use the user accounts from the web app, I worked around this by just calling Membership.ValidateUser prior to processing each service call on the server.

    A user is prompted for an id and password when logging on to the client. I store both values encrypted in the proxy class and pass them transparently with each call using a host header, so that the application does not have to bother with this once the user is logged in, i.e. the credentials were validated once by calling the Login() service method (which only calls Membership.ValidateUser).

    I use the CryptoApi on both the server and the client side.
    I understand that host headers are somewhat outdated for security applications, but since I use strong encryption AND SSL, it is perfectly adequate.

    • 0