-
Feb 15th, 2007, 08:51 AM
#1
Thread Starter
Addicted Member
web service login
I have a number of web services that I use to allow me to easily build microsites from my main site containing the same information as on the main site and these are public with no real security on them.
What I want to do next is allow certain users to pull more sensitive information.
I was wondering how I manage security within the service.
Should I expect the user to post credentials with each request and validate those every time or is there a mechanism to add a ticket like I would with forms authentication?
And assuming I'm not using SSL or anything at the network layer, what's the best way to encrypt web service messages?
There is a whole bunch of stuff on MSDN patterns and practices but there is too much to sift through so some general guidance would be appreciated.
-
Mar 8th, 2007, 07:12 AM
#2
Re: web service login
I would suggest you do use SSL for this and not try to avoid it.
Additionally, do a search for "XML Encryption" and "XML Signatures"
-
Mar 8th, 2007, 07:55 AM
#3
Thread Starter
Addicted Member
Re: web service login
I've done validation using an MD5 hash which works pretty well.
Also having read further I can still use the forms based cookie for the authentication but I have to capture this within my remote application and persist it manually as there is no cookie management like in a web browser.
Although I'm not too sure how accessible this is to non-.NET developers.
-
Mar 8th, 2007, 02:50 PM
#4
Re: web service login
That is correct and it won't be a problem to developers because a form based cookie is still a cookie.
-
Mar 8th, 2007, 02:52 PM
#5
Re: web service login
Just to throw in another idea for you, but consider using tokens. An authorized person can have an identifier id (a random string of some sort or maybe a GUID) which he passes to an authentication web service which returns a token to him. He then passes the token along in each subsequent secure web service call which your web service verifies and knows is valid, because the token was just generated and is in a database for a while longer. You can make the token expire after 30 minutes too.
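The token scheme described in the reply above, written out as an added example (this is not code from the thread or from any poster): an authorized caller presents a pre-shared identifier to an authentication endpoint, receives a fresh random token, and every later call is checked against a store of issued tokens that expire after 30 minutes. The `TokenService` class, the in-memory dictionary standing in for the database table, and the `known_identifiers` sample data are all constructed for this example. Two design choices go beyond the reply: only a SHA-256 digest of the token is stored (so a leaked store does not yield usable tokens), and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute lifetime suggested in the reply


@dataclass
class TokenRecord:
    token_digest: str  # SHA-256 of the token; the raw token is never persisted
    user_id: str
    expires_at: float  # absolute time (seconds) after which the token is dead


class TokenService:
    """Stand-in for the authentication web service plus its token table.

    `known_identifiers` maps each authorized person's identifier (the random
    string or GUID from the reply) to a user id.  A real deployment would hold
    tokens in a database; this example keeps them in a dict (constructed)."""

    def __init__(self, known_identifiers, clock=time.time):
        self._identifiers = dict(known_identifiers)
        self._tokens = {}  # token_digest -> TokenRecord
        self._clock = clock  # injectable so tests can move time forward

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authenticate(self, identifier: str):
        """Exchange a known identifier for a fresh token; None if unknown."""
        user_id = None
        for known, uid in self._identifiers.items():
            # constant-time compare so the secret identifier does not leak by timing
            if hmac.compare_digest(known.encode("utf-8"), identifier.encode("utf-8")):
                user_id = uid
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        digest = self._digest(token)
        self._tokens[digest] = TokenRecord(
            digest, user_id, self._clock() + TOKEN_TTL_SECONDS
        )
        return token  # the caller keeps this and sends it with every secure call

    def verify(self, token: str):
        """Called by each secure web service method: user id if valid, else None."""
        # Looking the digest up in a dict is fine: the token has full entropy,
        # so an attacker cannot usefully probe the table one character at a time.
        record = self._tokens.get(self._digest(token))
        if record is None:
            return None
        if self._clock() >= record.expires_at:
            del self._tokens[record.token_digest]  # purge expired tokens on sight
            return None
        return record.user_id

    def revoke(self, token: str) -> bool:
        """Explicit logout: remove the token before its 30 minutes are up."""
        return self._tokens.pop(self._digest(token), None) is not None

    def purge_expired(self) -> int:
        """Housekeeping sweep; returns how many stale tokens were dropped."""
        now = self._clock()
        stale = [d for d, r in self._tokens.items() if now >= r.expires_at]
        for d in stale:
            del self._tokens[d]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample data: one authorized user with a GUID-like identifier.
    svc = TokenService({"3f2504e0-4f89-11d3-9a0c-0305e82c3301": "alice"})
    token = svc.authenticate("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
    print("issued token:", token)
    print("verify ->", svc.verify(token))
    print("revoke ->", svc.revoke(token))
    print("verify after revoke ->", svc.verify(token))
```

The service never compares or stores the raw token after issuing it, so the token table can be read by an attacker without giving them a replayable credential; the identifier exchange is the one step that handles a long-lived secret, which is why that comparison is constant-time and why the reply's advice to keep the transport on SSL still applies.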
-
Mar 8th, 2007, 03:01 PM
#6
Thread Starter
Addicted Member
Re: web service login
I did consider this but the implementation wasn't as straightforward.
I already have the user manager with forms based authentication for the UI.