Authenticate ASP forms with WCF?

I had never used this stack before, and I just wanted to make sure that I was thinking along the correct lines.

I have a WCF service using Windows authentication for transport security and a certificate for message security, with a single TCP endpoint. My service has authentication methods that take the plaintext username and password: the username is used to extract the salt from the database, the specified password is hashed using this salt, and the result is then compared with the password hash from the database.

To authenticate users in my ASP MVC project, I simply use forms authentication and set the auth cookie if the WCF service returns an HTTP OK code when the username and password are passed from the action to the service.

If I implement the necessary security measures, such as blocking accounts after x failed authentication requests to the service, is this sufficient protection for my application?

This project is open.

+4
3 answers

There are many factors to consider.

  • Can a domain for a WCF service be captured and DNS redirected?
  • How are errors handled in the WCF service? Could an OK status be returned in case of an error?
  • The salts are fine, but I would recommend something like BCRYPT instead of storing and verifying the password.
  • Make sure the requireSSL flag is set for your forms authentication as well.

+2
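As an added example (not code from the question or from either answer), here is a server-side credential check of the kind the question describes: salt looked up per user, the supplied password hashed with that salt, a fixed-time comparison, and a lockout after x failures. It also follows the first answer's point about error handling by returning an explicit outcome instead of a bare OK, so a failure inside the service cannot be mistaken for a successful login. Assumptions: PBKDF2 (Rfc2898DeriveBytes, built into .NET Framework 4.7.2+ and .NET Core) stands in for the hash the question leaves unspecified and for the bcrypt the answer recommends; the in-memory user store, the sample user, the limit of 5 failures and the 15-minute window are all constructed for the demo.

```csharp
// Added example, not from the question or answers. Assumes .NET Framework 4.7.2+
// or .NET Core for the HashAlgorithmName overload of Rfc2898DeriveBytes.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Explicit outcome type: the caller sets the forms-auth cookie only on Success.
public enum AuthOutcome { Success, InvalidCredentials, LockedOut }

public sealed class UserRecord
{
    public byte[] Salt;
    public byte[] PasswordHash;
    public int FailedAttempts;
    public DateTime? LockedUntil;
}

public sealed class CredentialVerifier
{
    private const int Pbkdf2Iterations = 100000;
    private const int HashLength = 32;
    private const int MaxFailures = 5;                       // "block after x failed requests" (chosen value)
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15); // chosen value

    // Constructed in-memory store standing in for the database in the question.
    private readonly Dictionary<string, UserRecord> _users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    public void Register(string username, string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        _users[username] = new UserRecord { Salt = salt, PasswordHash = Hash(password, salt) };
    }

    public AuthOutcome Verify(string username, string password, DateTime now)
    {
        UserRecord user;
        if (!_users.TryGetValue(username, out user))
        {
            // Unknown user: still run the KDF so response time does not reveal whether the account exists.
            Hash(password, new byte[16]);
            return AuthOutcome.InvalidCredentials;
        }

        if (user.LockedUntil.HasValue && user.LockedUntil.Value > now)
            return AuthOutcome.LockedOut;

        bool match = FixedTimeEquals(Hash(password, user.Salt), user.PasswordHash);
        if (!match)
        {
            user.FailedAttempts++;
            if (user.FailedAttempts >= MaxFailures)
            {
                user.LockedUntil = now + LockoutWindow;
                user.FailedAttempts = 0;
                return AuthOutcome.LockedOut;
            }
            return AuthOutcome.InvalidCredentials;
        }

        user.FailedAttempts = 0;
        user.LockedUntil = null;
        return AuthOutcome.Success;
    }

    // Salted, iterated hash of the supplied password (PBKDF2-HMAC-SHA256).
    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashLength);
    }

    // Compares every byte so a mismatch does not leak how many leading bytes were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var verifier = new CredentialVerifier();
        verifier.Register("alice", "correct horse battery staple");   // constructed sample user
        var now = DateTime.UtcNow;

        Console.WriteLine(verifier.Verify("alice", "wrong", now));                          // wrong password
        Console.WriteLine(verifier.Verify("alice", "correct horse battery staple", now));   // right password
        for (int i = 0; i < 5; i++) verifier.Verify("alice", "wrong", now);                // reach the failure limit
        Console.WriteLine(verifier.Verify("alice", "correct horse battery staple", now));   // inside the lockout window
        Console.WriteLine(verifier.Verify("alice", "correct horse battery staple", now.AddMinutes(16))); // after it expires
    }
}
```

The MVC action would call SetAuthCookie only when the returned outcome is exactly Success; any exception thrown by the WCF call is treated as a failed login rather than allowed to fall through to the OK path.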
+1
  • Use HTTPS
  • Add a CAPTCHA to the MVC project
  • Add a time interval between attempts and limit the retry time
  • Don't use plain text; encode it first, even MD5 will be better
  • If it's online, you had better find an expert
0

Source: https://habr.com/ru/post/1651217/
