Fog Creek Software
Discussion Board




Joel on Software

Newbie question on ASP.NET Forms Authentication

Hi all,

Before endeavoring to understand the ins and outs of Forms Authentication, I have a quick question.

I read the post here about the "Massive Vulnerability" ( http://discuss.joelonsoftware.com/default.asp?pg=pgDiscussThread&ixDiscussTopicParent=10446&ixDiscussGroup=3&cReplies= ), and I was wondering whether the ASP.NET forms authentication mechanism is really heavy duty enough to be relied upon if used carefully.

So, do people actually use it in the real world?  If not, what do they use instead?

Thanks in advance.

Charles Reich
Thursday, April 21, 2005

Yep - people definitely use it, and with great success.

Security is just too hard to roll your own solution. Your chances of getting it right are slim to none.

Use forms authentication, use the latest OS, install the latest service packs (for everything), and pray hard - daily. ;)

Jeff Mastry
Friday, April 22, 2005

There is a trivial patch to the problem which MS posted the same day as the bug was reported.

http://support.microsoft.com/?kbid=887459

While googling for that link I discovered that there's a newer (March 16), presumably more server-wide solution discussed here:

http://www.microsoft.com/technet/security/Bulletin/MS05-004.mspx

Don
Friday, April 22, 2005

Thanks for the replies.  I wanted to be doubly sure that it was reliable.

I found a PDF on the msdn website that was 600 pages long which describes "Building Secure ASP.NET Applications."

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

It seems like learning anything in .NET involves plowing through a 600 page tome.

Charles Reich
Saturday, April 23, 2005

I want to invoke BASIC Authentication when I click on a button. Is it possible?

Ujjwal
Wednesday, May 04, 2005
