0

I have an ASP.NET web application which uses ASP.NET Membership to log in. Now I am building a desktop application and I want the users to log in to the desktop application securely using their website account.

I started with a WCF service on the web, the username, password hashed with SHA256, but now I don't know how to check if the password is correct. ASP.NET Membership also uses a salt to store the passwords. How can I do this?

2
  • And you're using the ASP.NET membership provider as the back end for the service? Commented Nov 11, 2013 at 14:36
  • OAuth might be useful. Commented Nov 13, 2013 at 2:02

1 Answer

1

I would create a WCF service inside the ASP.NET webapp, which accepts cleartext username and password, and of course use transport-level encryption. In this service, I would call the MembershipProvider's ValidateUser() method.

Or you could implement a more secure authentication mechanism, but in that case, you should use your own MembershipProvider, because the default provider only accepts a cleartext password, and whatever it does with that is a secret, kind of.

The trick is that if you put your WCF service inside your webapp, then it will behave just like your browser clients. If you're using HTTPS for browser clients, then use the same HTTPS channel for WCF, and you're fine.


6 Comments

I think I will use the first method, although I don't know too much about transport-level encryption. Thank you!
If you use passwords, you should already be using the HTTPS protocol, which provides transport-level encryption. It's not the easiest thing to set up WCF to use HTTPS, but there are many guides for that and it should work just fine.
I use passwords, but I am not using HTTPS.
Well then, you should :). But of course, you can do it all on HTTP, too, it will work.
I can't use it, because the host can't. The problem is it needs to be secured, so with HTTP the password and username will be plain text (not OK).
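
The first approach from the answer above (a WCF service hosted inside the web app that calls `ValidateUser()` over HTTPS), written out as an added example that is not part of the original answer or comments. The names `IDesktopLogin`, `DesktopLogin`, `Login` and `httpsOnly` are hypothetical, and the example assumes the service runs in ASP.NET compatibility mode so it shares the site's membership configuration.

```csharp
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

// Hypothetical contract name; the desktop client calls this over HTTPS.
[ServiceContract]
public interface IDesktopLogin
{
    [OperationContract]
    bool Login(string username, string password);
}

// ASP.NET compatibility mode gives the service the web app's HttpContext
// and the membership provider configured in its web.config.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class DesktopLogin : IDesktopLogin
{
    public bool Login(string username, string password)
    {
        // Refuse to process credentials that arrived over plain HTTP.
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || !ctx.Request.IsSecureConnection)
            throw new FaultException("HTTPS is required.");

        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        // The provider applies the stored salt and hash itself, so the
        // client sends the password as typed, not a SHA-256 digest of it.
        return Membership.ValidateUser(username, password);
    }
}

/* web.config fragment assumed by this example (inside <system.serviceModel>);
   the service endpoint must reference bindingConfiguration="httpsOnly":
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <bindings>
    <basicHttpBinding>
      <binding name="httpsOnly">
        <security mode="Transport" />
      </binding>
    </basicHttpBinding>
  </bindings>
*/
```

If TLS is terminated at a proxy in front of the web server, `IsSecureConnection` reflects only the last hop, so the check would need to match that deployment.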