This tutorial explains Authentication:
What it is, how you work with it, and what
options are currently available to you.
Then each choice is described in more detail
to help you decide which is the best
way for you.
What is Authentication?
Let's assume you want to restrict access to selected portions
of your website.
For example, you might have valuable information, such as real-time
stock quotes (like Reuters or Datastream),
or you want to charge a monthly fee in
order to access your database.
In these cases, you want to let people in,
but only after checking that visitors have used an
authorized username and password.
Additionally, you might want to provide
access to the bulk of your website for the
simple price of a visitor's email address,
creating an effective method for tracking visitors.
Asking a visitor for their username and password (or their
called Authentication. On the world wide web, the oldest
and most widely supported authentication
method is Basic Authentication.
What are my choices?
Assuming you have the latest and greatest IIS,
you have several choices when working with authentication including:
IIS NT Challenge Response
A good choice if if you are on a Windows Network, you can require the use of
IE, and there's no proxy-server between the browser and the server.
Another good option, with the some of the same set backs as NT Challenge Response.
You cannot protect non-asp pages, without a significant performance hit.
Supports forms based authentication, passport authentication, and Windows authentication, but not basic authentication.
A single web.config file contains the information related to the level and type of authentication service.
IIS Basic Authentication
Can expose your NT usernames and passwords
unless all connections are over SSL.
A Basic Authentication filter such as
Cannot compromise NT accounts. High performance, large numbers of users.
Can validate against ODBC or internal database. Many advanced features.
Write your own filter
Flexible, but resource intensive to build.
Similar to NTLM (using a challenge response protocol - although it does not
provide for mutual authentication), this authentication method
may weaken password storage security significantly.
Cookie Based Authentication with ASP pages
Only protects ASP pages. Can be slow. Requires cookies.
Cookie-based systems can be susceptible to spoofing.
Self-Authenticating ISAPI dlls, CGI-scripts using Basic Authentication.
Good performance, all content generated
though a single URL. Doesn't use conventional directory/file/html format.
Secure, but intimidating for webmasters and surfers alike. Requires SSL.
Kevin Flick, Flicks Software
I would like to express my
thanks for the feedback on the final proofs of this article to:
Steve Smith of AspAlliance.com
Mike Riley of rileycommunications,
Michael Howard of Microsoft, and
Charles Carrol of thebestweb.com.
Any errors or ommissions however are
entirely my own.