Flicks Software



Instead of letting your members choose their own username, assign their email address as their username. Email addresses are perfect for usernames: they are hard to forget, and always unique!

FREE For DEVELOPERS! Click here to get a free Authentication Software Development Kit (SDK).

Page 1 of 4

Click here for Authentication Software
Click here for Flicks Software Home Page
Click here for Flicks Software Product List

This tutorial explains Authentication: What it is, how you work with it, and what options are currently available to you.

Then each choice is described in more detail to help you decide which is the best way for you.

What is Authentication?

Let's assume you want to restrict access to selected portions of your website. For example, you might have valuable information, such as real-time stock quotes (like Reuters or Datastream), or you want to charge a monthly fee in order to access your database.
In these cases, you want to let people in, but only after checking that visitors have used an authorized username and password. Additionally, you might want to provide access to the bulk of your website for the simple price of a visitor's email address, creating an effective method for tracking visitors.

Asking a visitor for their username and password (or their credentials) is called Authentication. On the world wide web, the oldest and most widely supported authentication method is Basic Authentication.

What are my choices?

Assuming you have the latest and greatest IIS, you have several choices when working with authentication including:
  • IIS NT Challenge Response
    • A good choice if if you are on a Windows Network, you can require the use of IE, and there's no proxy-server between the browser and the server.
  • ASP.NET Authentication
    • Another good option, with the some of the same set backs as NT Challenge Response.
    • You cannot protect non-asp pages, without a significant performance hit.
    • Supports forms based authentication, passport authentication, and Windows authentication, but not basic authentication.
    • A single web.config file contains the information related to the level and type of authentication service.
  • IIS Basic Authentication
    • Can expose your NT usernames and passwords unless all connections are over SSL.
  • A Basic Authentication filter such as AuthentiX
    • Cannot compromise NT accounts. High performance, large numbers of users. Can validate against ODBC or internal database. Many advanced features.
  • Write your own filter
    • Flexible, but resource intensive to build.
  • Digest Authentication
    • Similar to NTLM (using a challenge response protocol - although it does not provide for mutual authentication), this authentication method may weaken password storage security significantly.
  • Cookie Based Authentication with ASP pages
    • Only protects ASP pages. Can be slow. Requires cookies. Cookie-based systems can be susceptible to spoofing.
  • Self-Authenticating ISAPI dlls, CGI-scripts using Basic Authentication.
    • Good performance, all content generated though a single URL. Doesn't use conventional directory/file/html format.
  • Certificate based.
    • Secure, but intimidating for webmasters and surfers alike. Requires SSL.

Which should I use?     Next Page ===>

By Kevin Flick, Flicks Software

I would like to express my thanks for the feedback on the final proofs of this article to:
Steve Smith of AspAlliance.com
Mike Riley of rileycommunications,
Michael Howard of Microsoft, and
Charles Carrol of thebestweb.com.
Any errors or ommissions however are entirely my own.
Kevin Flick

Copyright © 1998-2019 Kevin Flick
All rights reserved.
This document may not be reproduced or distributed in whole or in part without prior written permission from the author.