Home/ Questions/Q 112675
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T02:34:55+00:00

I’ve created an web authentication app using c# & asp.net and want to bounce

  • 0

I’ve created an web authentication app using c# & asp.net and want to bounce off how secure you think it is. All navigation is done by https.

User Registration

  1. User enters 3 datapoints (SSN,Lname and DOB). If that combination is found in our system, a session variable is set and navigates to next page.
  2. If session variable for #1 is set, proceed and ask for username, pwd, security q&A etc. Use Linq to save data and verify session variable before actual save event. PWD and security answer is hashed using salt and sha. (use validation controls and textbox limits to limit input)

Reset password

  1. Same as #1 in registration but includes username. If ok, set step 1 session variable.
  2. If step 1 session variable is set, ask security question up to 3x. Salt/hash and verify to database salt/hash. If match, set step 2 session variable.(use validation controls and textbox limits to limit input)
  3. Check for step 2 session variable. Ask for new pwd. Hash/salt and save using LINQ.

Login (use validation controls and textbox limits to limit input)

  1. Gather username and password. HASH/salt password that matches username and see if password matches hash. If okay, instatiate user objects and pass to default page.
  2. All pages inherit from masterpage. Masterpage has code to verify if user objects are set to a valid instance. If not valid user object, logoff is called which redirects to main login page.

Kind of wordy but wanted to be clear.

Am I missing anything here? I wanted to use MS’s forms auth but decided to roll my own as I had some issues getting some of the custom stuff I wanted done using FBA. By using session variables as step completion markers, does that adequately prevent session stealing or bookmarking? Is there a better way to do this?

Thoughts please?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. What aspect of either ASP.NET Forms Authentication or using the Membership Provider bits didn’t fit with your needs? I’ve found both to be very flexible in many different scenarios?

    Rolling your own is usually going to make life hard in the future, especially when you need to start making changes. Also your use of a master page to verify a users logon state etc might be fine for now, but when you require more master pages you then start needing to replicate the same blob of code in every masterpage and keep it all consistent. That can then become a maintenance nightmare somewhere down the road.

    If you’re not using the ready baked authentication tools in the framework you should be plumbing this kind of thing in somewhere else, such in an HttpModule.

    I think you should revisit what you’re doing. Take a look at implementing your own custom IIdentity objects if you need to hang user specific data/objects off of a user object. Then assign to a custom IPrincipal you can attach to Context.User in ASP.NET.

    @asp316 and @Jack (comment) I would advise grabbing these two books:

    Developing More-Secure Microsoft® ASP.NET 2.0 Applications by Dominick Baier

    Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow

    You’ll be surprised how flexible the built in security infrastructure in .NET really is. There’s a lot more to it than just adding a <authentication mode='Forms'> setting to your web.config and slapping a <asp:login runat='server'/> control on a page.

    • 0