Thursday, March 22, 2012

Working with user logon sessions

I'm putting together a website that requires users to login with a username and password in order to access certain parts of the website. Can anyone point me to some resources that will help answer the following questions:

1. Best way to store and transmit username/passwords in a SQL database
2. Should the passwords be encrypted prior to sending them to the SQL Server for verification? Best method?
3. How do you store the user login information in their session state?
4. How do I secure pages so that if a user is not logged on, they cannot access them?

A little bit more information about the site I'm building. It's a website for my family to share information about current events with the rest of the family. They want the login as a security measure because they are worried about privacy, plus they want to be able to maintain family profiles with current information (i.e. mailing address, phone numbers, etc.) and this way only their family will be able to edit that information. Due to the constraints of my web host, I don't believe there is a way for me to get a security certificate on the server so logging in via HTTPS is a non-starter for me. Lastly, I'm writing this in ASP.NET with C# code-behind so if you have links to any samples it would be great if they were written in C#. Thanks in advance for any help you're able to offer.

1. Store the username in plain text, but store the password using one-way hashing (MD5). This way, not even the db administrator can look at the password. Whenever a user on the website attempts to log in, your subroutine should MD5 that same password and compare it with the value in the database. If they match, then let them log in.

2. ^^

3. Once the user logs in, retrieve their info from the database, and add it to the session variable, like so:

Session["currentlocation"] = "London";

4. There are thousands of ways to do this. The simplest is, check for values in the session variable. If values exist, then let the user use the page, else send them to the login page. Or, look for a cookie.
Thanks for the reply, that's working great now. I even found the MD5CryptoServiceProvider in C# that makes it really simple. If anyone else is interested, this is a very simple function I wrote up to handle the conversion from plain text to encrypted text.

using System;
using System.Security.Cryptography;
using System.Text;

// Returns the MD5 digest of the input as a Base64 string. This is a one-way hash,
// not reversible encryption, so the stored value cannot be turned back into the password.
public string MD5Encrypt(string data)
{
    MD5 md5 = new MD5CryptoServiceProvider();
    byte[] result = md5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(data));

    return Convert.ToBase64String(result, 0, result.GetLength(0));
}
Thanks for that function, Gimpster!
