Fog Creek Software
Discussion Board

Welcome! and rules

Joel on Software

How to store logon information


I am new to ASP.NET.  Can someone explain to me what is the most proper, security in mind, way to store user logon information, once the user has properly authenticated against the database, until user has terminate his or her session.

I see site like Ebay, when you logon to your account, Ebay does not ask your logon again and again when you access restricted pages such as putting bid an item or give feedback to a member.  It seems like Ebay stores logon until the session end.

I know many people do this with cookies.  I wonder cookie is best method when you consider security?

If anyone knows a reference to this topic, please post it.


Tuesday, November 30, 2004

Enjoy. It's basically a trade-off amoung security, code maintenance, scalability, accessibility, and performance. 

At work, we use a standard login/password (password encrypted in a database), session state to ensure the user has logged in, encrypt important information (like credit cards), and use SSL. Never did get a hang of the "forms" security setting, and "windows" is useful in an intranet setting, but not so much with outside clients.

Make sure you use parameterized queries when accessing the database, and make sure you use least privledged accounts when moving from one environment to another. And .NET comes with System.Security.Cryptography - very handy.

Tuesday, November 30, 2004

*  Recent Topics

*  Fog Creek Home