Securing ASP.Net Web Services with Forms Authentication

    by  • April 30, 2010 • 3 Comments

    My first article for Dot Net Slackers on Securing ASP.Net Web Services with Forms Authentication is up!

    Have a read and let me know what you think – any feedback about the content, the writing style, the amount of code, or anything else (!) is greatly appreciated :)

    About Andrew Freemantle

    3 Responses to Securing ASP.Net Web Services with Forms Authentication

    1. Lawrence Zhang
      May 17, 2010 at 3:19 am

      Hi Mr. Andrew,
      Thank you very much for your article on Securing ASP.NET Web Services…
      One thing I’d like to ask you: why do I have to set MembershipProvider:passwordFormat=Clear before I create a user account? When I create a user account that way, the password is stored in plain text, so
      I can pass the username and password from a test website to the Web Service, just
      like your demonstration. If I create an account using passwordFormat=Encrypted or Hashed, the username and password can’t be passed from a test website webform input to the Web Service, even hard coded. How do I solve it? Thanks.

      Kind Regards
      Lawrence Zhang

    2. May 17, 2010 at 6:00 am

      @Lawrence – Thank you! You’re welcome :)

      Though the article doesn’t cover this specifically, storing the passwords either encrypted or hashed is the right thing to do, and the MembershipProvider.PasswordFormat dictates how the passwords are stored in the database.

      So, if you’re using MembershipProvider.PasswordFormat = Encrypted you’ll need to either encrypt the password supplied to the Web Service, or decrypt the password from the Membership Provider. There are methods on the MembershipProvider class to do this:

      MembershipProvider.EncryptPassword() and MembershipProvider.DecryptPassword() – Note that if you’re using the Encrypted format, then you’ll need to supply the encryption key information in the machineKey element of your .config (more info here)

      However, if you’re using MembershipProvider.PasswordFormat = Hashed then you can’t decrypt the stored password, so you’re only left with encrypting the password supplied and then comparing the 2 hashes.

      This documentation might be useful

      And here’s an example of the machineKey element (for Encrypted password storage)

      Let us know how you get on!
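      Putting the reply above into working code, as an added example (not the article’s code, nor the author’s): an ASMX service that lets Membership.ValidateUser apply whichever PasswordFormat the provider is configured with, so the caller never encrypts or hashes anything itself, and that issues a Forms Authentication cookie the web site and the service can both read because they share the same machineKey. The service class, method names, XML namespace and key values are assumptions.

```csharp
using System.Web;
using System.Web.Security;
using System.Web.Services;

// Added example, not the article's code. Service name, method names and
// namespace are assumed. Both the web site and the web service must carry
// an identical <machineKey> in their web.config, otherwise neither
// Encrypted passwords nor forms tickets can be read across the two
// applications. Key values below are placeholders, not real keys:
//
//   <system.web>
//     <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
//                 decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
//                 validation="HMACSHA256" decryption="AES" />
//     <authentication mode="Forms" />
//     <!-- membership provider configured with passwordFormat="Hashed" -->
//   </system.web>

[WebService(Namespace = "http://example.com/secured")]   // namespace assumed
public class SecuredService : WebService
{
    // Validates credentials against the configured Membership provider.
    // ValidateUser applies the provider's PasswordFormat itself (Clear,
    // Encrypted or Hashed), so the plain password travels only over the
    // (HTTPS) call and is never encrypted or hashed by the caller.
    [WebMethod(EnableSession = false)]
    public bool Login(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // False for a wrong password, an unknown, locked-out or unapproved user.
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Issue the forms-authentication cookie (session-only, not persistent).
        // Every application sharing the machineKey can validate this ticket.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    // Protected methods only check the identity the forms ticket established.
    [WebMethod]
    public string WhoAmI()
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Authentication required");
        return user.Identity.Name;
    }
}
```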

    3. Lawrence Zhang
      May 17, 2010 at 11:14 am

      Hi, Mr. Andrew,
      I’ve found the answer to what I asked you a little earlier this morning: I forgot to put the same machineKey tag in the two web.config files, the web service’s and my website’s, and before that I didn’t even have a machineKey tag in web.config when I set passwordFormat=Encrypted. Thank you for your article again.

      Kind Regards
      Lawrence Zhang
