
Thread: ASP.NET Calls to Secure Web Service - Ideas?

  1. #1

    Thread Starter
    Lively Member
    Join Date
    Feb 2000
    Location
    Dayton, OH USA
    Posts
    119

    Question ASP.NET Calls to Secure Web Service - Ideas?

    I have an ASP.NET web application that makes secure calls (BASIC auth) to a .NET web service using credentials supplied via a login form. The problem I have is, how can I keep the user credentials or a reference to the initial web service call so that I do not have to keep passing credentials for each subsequent call? These calls can come from numerous ASP.NET pages after the initial login.

    Initially, I set up a Public variable in a module to the web service that was available during the entire user session. I do not think this would work since the variable would get overwritten if another user accessed the form. Since the credentials were already set at login, I no longer had to keep passing credentials for further calls and the reference was available globally. This worked wonderfully, but I do not think a Public var was the correct way to address this. This also made it nice since I did not have to store the credentials.

    The only other way I could think to do this is to store the username and password either in a session variable or cookie. Obviously this is NOT a good idea. However, if I did this then I could pull back that user's credentials and pass them for every call.

    Any ideas would be greatly welcomed!!

  2. #2
    rdove
    Addicted Member
    Join Date
    Dec 2002
    Location
    Indianapolis
    Posts
    251

    Re: ASP.NET Calls to Secure Web Service - Ideas?

    A session variable or cookie is the only way you are going to be able to accomplish this, but you do have some control over what goes into those variables. When the user logs in, you could store the values in encrypted form. You would have to come up with some type of custom hash values. In your web service you could have a function that decrypts the hash value you send it and then compares. This is a little more secure than just storing them in plain text. I did something similar on another project.

    I did something like:

    a = 01a
    b = 87w
    c = q7f
    etc...

    And I stored the string like 01a-87w-q7f, which would translate to abc. The - delimiter helped me have a split value to ensure I got the correct character on the other side.

    The downside to this is if someone figured out your hash, you would be kinda screwed. But this is just a simple suggestion for your problem.
    ~Ryan





    Have I helped you? Please Rate my posts.
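
An added example, not code from either poster: the character table from the reply next to authenticated encryption under a server-held key, so that the stored value stays protected even when the scheme is known. It assumes .NET 8 or later; `TableEncode`, `Protect`, `Unprotect`, the session ids and the sample credentials are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Character table in the style of the reply: a fixed substitution with no key.
var table = new Dictionary<char, string> { ['a'] = "01a", ['b'] = "87w", ['c'] = "q7f" };
string TableEncode(string s) => string.Join("-", s.Select(ch => table[ch]));

// Constructed key for the demo; a real application loads it from protected server configuration.
byte[] key = RandomNumberGenerator.GetBytes(32);

// Encrypts the credentials and binds the token to one session id via associated data.
string Protect(string credentials, string sessionId)
{
    byte[] nonce = RandomNumberGenerator.GetBytes(12);   // fresh for every token
    byte[] plain = Encoding.UTF8.GetBytes(credentials);
    byte[] cipher = new byte[plain.Length];
    byte[] tag = new byte[16];
    using var aes = new AesGcm(key, tag.Length);
    aes.Encrypt(nonce, plain, cipher, tag, Encoding.UTF8.GetBytes(sessionId));
    return Convert.ToBase64String(nonce.Concat(cipher).Concat(tag).ToArray());
}

// Returns null when the token was altered, truncated, or presented with another session id.
string? Unprotect(string token, string sessionId)
{
    try
    {
        byte[] raw = Convert.FromBase64String(token);
        if (raw.Length < 12 + 16) return null;            // nonce + tag is the minimum size
        byte[] nonce = raw[..12], tag = raw[^16..], cipher = raw[12..^16];
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(key, tag.Length);
        aes.Decrypt(nonce, cipher, tag, plain, Encoding.UTF8.GetBytes(sessionId));
        return Encoding.UTF8.GetString(plain);
    }
    catch (Exception e) when (e is CryptographicException or FormatException) { return null; }
}

// The table gives the same output for the same input, and repeated characters repeat.
Console.WriteLine(TableEncode("abca") == TableEncode("abca"));
// Two tokens for the same credentials differ because each uses a fresh nonce.
string t1 = Protect("abca:secret", "session-1"), t2 = Protect("abca:secret", "session-1");
Console.WriteLine(t1 != t2);
Console.WriteLine(Unprotect(t1, "session-1") == "abca:secret");   // round trip in the same session
Console.WriteLine(Unprotect(t1, "session-2") is null);            // replay in another session fails
```

On classic ASP.NET the same role is played by `System.Web.Security.MachineKey.Protect` and `Unprotect` (.NET Framework 4.5 and later), which take the key from the application's machine key configuration.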
