Tagged Questions


1 vote, 0 answers, 32 views

Design pattern for sharing Social Authentication across subdomains?

Right now I'm building an app that authenticates using either email or different social accounts. Because it is going to function on multiple subdomains and domains, I'm wondering if there's a design ...

6 votes, 6 answers, 463 views

Will Authentication over HTTPS Slow My Application?

I am building a web application and RESTful web service. I have been reading various articles about the best way to authenticate the requests to the web service. The best option for me seems to be ...
3 votes, 2 answers, 200 views

What .NET objects should I use to create a cookie based session in MVC?

I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions. Namely I need to invoke a workflow ...
1 vote, 2 answers, 114 views

Simplest token-system for authenticating and authorizating

I want to make a Python script that will accept input from Vim and send it to my web-site. So basically I want to make Vim my text editor for blog articles. Of course, I need to authenticate and ...

2 votes, 1 answer, 106 views

Should I manage authentication on my own if the alternative is very low in usability and I am already managing roles?

As a small in-house dev department, we only have experience with developing applications for our intranet. We use the existing Active Directory for user account management. It contains the accounts of ...
4 votes, 2 answers, 114 views

Standard server-to-server and browser-to-server authentication method

I have a server with some resources; until now all these resources were requested through a browser by a human user, and the authentication was made with a username/password method, that generates a ...

1 vote, 2 answers, 557 views

Sharing authentication methods across API and web app

I'm wanting to share an authentication implementation across a web application, and web API. The web application will be ASP.NET (mostly MVC 4), the API will be mostly ASP.NET WEB API, though I ...
5 votes, 3 answers, 274 views

What is the best policy for allowing clients to change email?

We are developing a web application with a fairly standard registration process which requires a client/user to verify their email address before they are allowed to use the site. The site also ...
4 votes, 1 answer, 466 views

Authentication for users on a Single Page App?

I have developed a single page app prototype that is using Backbone on the front end and going to consume from a thin RESTful API on the server for its data. Coming from heavy server side ...

11 votes, 2 answers, 1k views

How should an API use http basic authentication

When an API requires that a client authenticates to it, I've seen two different scenarios used and I am wondering which case I should use for my situation. Example 1. An API is offered by a company ...

5 votes, 1 answer, 396 views
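The server side of HTTP Basic for an API, as an added example that is not part of the question or its answers: parse the `Authorization` header (RFC 7617), split on the first colon only (secrets may contain colons), store a SHA-256 fingerprint of a long random API key rather than the key itself, and compare in constant time without an early exit for unknown ids. The client ids, key and `CLIENTS` table are constructed for the example.

```python
"""Added example: validating HTTP Basic credentials on an API endpoint (RFC 7617)."""
import base64
import binascii
import hashlib
import hmac


# Constructed client registry (hypothetical ids). Each client holds a long random
# API key rather than a human password, so storing its plain SHA-256 is enough to
# keep a leaked table from yielding usable credentials.
def _fingerprint(secret):
    return hashlib.sha256(secret.encode("utf-8")).digest()


CLIENTS = {
    "acme-billing": _fingerprint("k7Qm:2x:9dL0pZ4rWv8sT1hN6bGe3yUa"),  # key contains colons on purpose
}
_DUMMY = _fingerprint("")  # hashed for unknown ids so timing does not reveal which ids exist


def basic_header(user, secret):
    """Client side: build the Authorization header value."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, secret) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        raw = base64.b64decode(param.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, secret = text.partition(":")  # only the FIRST colon is the separator
    if not sep or not user:
        return None
    return user, secret


def authenticate(header):
    """Return the client id on success, else None.

    The fingerprint is computed and compared even for unknown ids, so the
    response time does not leak which client ids exist."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, secret = creds
    expected = CLIENTS.get(user, _DUMMY)
    ok = hmac.compare_digest(_fingerprint(secret), expected)
    return user if ok and user in CLIENTS else None


def challenge():
    """Headers for the 401 response so clients know which scheme and charset to use."""
    return {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}
```

Basic sends the credential on every request, so it is only acceptable over TLS; the `WWW-Authenticate` challenge with `charset="UTF-8"` tells clients how to encode non-ASCII secrets.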

API Auth vs User Auth

I have read many posts and articles on this topic but still can't connect the dots. I want to make a Rails app that is strictly a JSON API maybe using Sinatra or the rails-api gem. I also want to make ...

3 votes, 2 answers, 223 views

What's the benefit of Azure ACS if ASP.NET 4.5 includes OAuth and OpenID providers?

Azure ACS offers OAuth and OpenID providers, and now that ASP.NET 4.5 offers the same thing, without the added cost, is there any reason for a .NET developer to consider ACS? (Disclaimer, I don't ...
2 votes, 0 answers, 56 views

How do you get the usernames/passwords onto a STUN or TURN server for long-term credential authentication?

The STUN and TURN specifications allow for client authentication using usernames and passwords, and call this authentication via long-term credentials. In fact, TURN requires that clients authenticate ...
4 votes, 1 answer, 253 views

Java solution for mutual authentication with smart card

I need to develop a Java solution for mutual authentication between Tomcat 6 (server) and SmartCard "IDGo 300" (client). In order to do this I thought of the following scheme: 1. Tomcat (server) sends ...

1 vote, 4 answers, 163 views

Is restricting sessions to an absolute IP likely to have a wide impact on mobile networks?

Our website currently restricts a cookie-based session to the IP address that was originally sent the Set-Cookie HTTP header. In the past a user's IP would rarely change, so this didn't present much ...
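What IP binding does to a session when the client's address changes, as an added example that is not part of the question or its answers. The in-memory `SessionStore` below is constructed for the example and supports three binding policies: `exact` (the behaviour the question describes), `prefix` (treat a whole /N as one origin, which survives re-assignment inside a carrier's pool but not a move between networks), and `none` (rely on idle timeout alone). The addresses and user names are made up.

```python
"""Added example: IP-bound sessions and what a client address change does to them."""
import ipaddress
import secrets
import time


class SessionStore:
    """In-memory sessions bound to the address seen when the cookie was set."""

    def __init__(self, policy="exact", prefix_len=16, idle_timeout=1800):
        assert policy in ("exact", "prefix", "none")
        self.policy = policy
        self.prefix_len = prefix_len
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        """Issue a fresh, unguessable session id bound to client_ip."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "ip": ipaddress.ip_address(client_ip),
            "last_seen": now if now is not None else time.time(),
        }
        return sid

    def _same_origin(self, bound_ip, client_ip):
        if self.policy == "none":
            return True
        if self.policy == "exact":
            return bound_ip == client_ip
        # prefix: a mobile client hopping between addresses in the same /N still passes
        if bound_ip.version != client_ip.version:
            return False
        net = ipaddress.ip_network((str(bound_ip), self.prefix_len), strict=False)
        return client_ip in net

    def lookup(self, sid, client_ip, now=None):
        """Return the user for a valid session; on mismatch or expiry drop it and return None."""
        now = now if now is not None else time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        client = ipaddress.ip_address(client_ip)
        expired = now - s["last_seen"] > self.idle_timeout
        if expired or not self._same_origin(s["ip"], client):
            # fail closed: the session is destroyed, not merely refused, so a stolen
            # cookie presented from elsewhere also locks out its legitimate holder
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]
```

Under `exact`, a single address change on a mobile network logs the user out and destroys the session, so the real user is hit as hard as a cookie thief; `prefix` softens that at the cost of a weaker binding, and `none` leaves only the idle timeout, which is why the usual alternative is a short timeout plus re-authentication before sensitive actions rather than IP pinning.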
2 votes, 2 answers, 1k views

What is the correct way to implement Auth/ACL in MVC?

I am looking into making a correctly laid out MVC Auth/ACL system. I think I want the authentication of a user (and the session handling) to be separate from the ACL system. (I don't know why but this ...
2 votes, 1 answer, 710 views

How to host a site in another site - with little or no coding

SUMMARY: All of this happens on Site A: user visits Site A; user enters username and password; user clicks on the Login button; user is authenticated on Site B behind the scenes; user is shown a page on Site A ...

0 votes, 3 answers, 157 views

Lightweight external authentication - looking for an OpenID alternative

We have a "backend" area for performing maintenance/debugging tasks on most of our developed websites and (obviously) this area requires authentication. Most of these websites have their own ...
2 votes, 1 answer, 540 views

HTTP PHP Authentication and Android

I am working on a website for which I hope to have an application as well. Because of this, I am creating PHP APIs which will go into my Database and serve specific data based on the ...

0 votes, 1 answer, 128 views

JAAS - What is the required control flag used for?

The Java Authentication and Authorization Service (JAAS) defines that if a login module has the flag "REQUIRED", the authentication should proceed down the login module list on success or failure, and ...
3 votes, 4 answers, 3k views

REST Service Authentication/Authorization

I have a WCF rest service that will be consumed by multiple clients. The information returned by the client requires me to know who they are, so that I can return information specific to them. Is ...
1 vote, 1 answer, 319 views

What is the future for ASP.NET Membership Providers? [closed]

While working on a new project with MVC3, a DI framework (Ninject), and unit tests (NUnit) paired with mocks (Moq), I found setting up the Membership Provider felt a bit "awkward". I've run into tasks ...
2 votes, 4 answers, 236 views

How to implement a no-login authentication system

I am looking to build a very loose authentication system that can track a user and link submitted data/comments to a specific user. The submissions are essentially anonymous, but a user may want to ...
2 votes, 1 answer, 337 views

Security in a private web service

I am developing a web site and a web service for a small on-line game. Technically, I'll be using Express (node.js) and MongoDB+Redis for the databases. This is the structure I came up with: One ...

3 votes, 1 answer, 94 views

How safe is it to cache a user ticket in SESSION

I'm working on a client library to interface with my company's api, and we generate a user ticket when the user logs in using the api. Obviously I don't want to send the user ticket to the client ...
2 votes, 3 answers, 93 views

Authentication for 'participants' vs 'users'

I'm building a site that lets users schedule interviews/conferences with third parties and I'm wondering what's the best way to provide security around the participant experience while providing the ...
1 vote, 1 answer, 162 views

How can I efficiently approach cookie-based session handling?

Currently our web application uses server-side sessions. Because of the large amount of memory usage, we want to switch to cookie-based sessions. I have been thinking about several ways: Idea 1 My ...

3 votes, 3 answers, 619 views
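A minimal cookie-based session, as an added example that is not part of the question or its answers: the session data travels in the cookie, the server keeps no state, and an HMAC-SHA256 tag plus an expiry claim is what stops the client from editing its own role or reviving an old cookie. The key, claims and time values are constructed for the example; the payload is signed but not encrypted, so nothing the user must not read belongs in it.

```python
"""Added example: a stateless, HMAC-signed session cookie."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example; in practice >=32 random bytes from a secrets store, rotated.
SECRET = b"constructed-example-key-rotate-me"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    text += "=" * (-len(text) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(text)


def issue(claims, ttl=1800, now=None, key=SECRET):
    """Serialize claims plus an expiry, sign with HMAC-SHA256, return the cookie value."""
    now = int(now if now is not None else time.time())
    body = dict(claims, exp=now + ttl)
    # canonical JSON so the same claims always produce the same bytes under the MAC
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64e(tag)


def verify(cookie, now=None, key=SECRET):
    """Return the claims if the tag and expiry check out, else None."""
    now = int(now if now is not None else time.time())
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # verify BEFORE parsing: untrusted bytes never reach the JSON parser
        if not hmac.compare_digest(_b64d(sig), expected):
            return None  # tampered, truncated, or signed with another key
        body = json.loads(_b64d(payload))
    except (ValueError, TypeError, UnicodeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        # a cookie-only session cannot be revoked server-side, so the ttl is the only lever
        return None
    body.pop("exp")
    return body
```

The trade-off the question is weighing shows up in `verify`: there is no store to delete from, so logout and forced logout only work by short `ttl` (and by rotating `SECRET`, which invalidates everyone). Session data that must be revocable or kept private still needs a server-side record, even if only a small one keyed by a session id.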

Did I understand the website “autologin” feature right?

I'm developing an authentication library (*) for a website and I realized that maybe I'm not completely understanding what an "autologin" feature is, and how to develop it. While gathering info and ...

42 votes, 7 answers, 7k views

Is browser fingerprinting a viable technique for identifying anonymous users?

Is browser fingerprinting a sufficient method for uniquely identifying anonymous users? What if you incorporate biometric data like mouse gestures or typing patterns? The other day I ran into the ...
5 votes, 1 answer, 89 views

Is there a proven concept to website reverse certificate authentication?

We're looking at exposing some of our internal application data externally via a website. The actual details of the website aren't that interesting, it'll be built using ASP.NET/IIS etc, that might be ...
1 vote, 2 answers, 448 views

Sharing Authentication Across Subdomains using cookies

I know that in general cookies themselves are not considered robust enough to store authentication information. What I am wondering is if there is an existing design pattern or framework for sharing ...
-3 votes, 1 answer, 495 views

Devise and Warden

I've been using Devise for a little while, and I've realized it's built on something else called Warden that handles authentication. What does Devise offer me outside of Warden, because I was ...
4 votes, 2 answers, 338 views

Two-factor authentication using a time-based key generator on smartphones

I recently enabled two-factor authentication for my Google account. One of the ways of getting the second factor (the key that I have) is to install an Android app on my phone that displays a key for ...

3 votes, 2 answers, 174 views
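The algorithm such authenticator apps run is RFC 6238 TOTP, which is RFC 4226 HOTP with the counter replaced by the number of 30-second periods since the Unix epoch. Below is an added example implementing it, not code from the question or its answers, with a verifier that tolerates one period of clock drift and refuses replay of a code within the window it is valid for. The shared key is the one from the RFC test vectors, so the codes can be checked against the published values.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP, plus a drift-tolerant, replay-resistant verifier."""
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP: HOTP over the number of `step`-second periods elapsed since the epoch."""
    t = int(time.time() if at is None else at)
    return hotp(key, t // step, digits, algo)


def verify_totp(key, code, at=None, step=30, digits=6, window=1, used=None):
    """Accept the current period and +/-window neighbours (clock drift between phone and server).

    `used` is a per-user set of counters already accepted; passing it makes a code
    single-use, which matters because a 6-digit code is valid for up to 90 seconds here."""
    t = int(time.time() if at is None else at)
    counter = t // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if used is not None and c in used:
            continue
        if hmac.compare_digest(hotp(key, c, digits), str(code)):
            if used is not None:
                used.add(c)
            return True
    return False
```

Because the code is derived from a key both sides hold, the server's copy of that key is as sensitive as a password database and should be stored encrypted; the phone app is "something you have" only to the extent that the key never leaves it.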

Using Paypal (or similar) to log into my site?

I have a web site and I want to offer a few levels of service - one free, one for a one-off payment, and one for a subscription. My first inclination is to use Paypal for the payment options. I ...
10 votes, 4 answers, 565 views

Am I Over-Engineering If I Consider User's Intentional Wrongdoing?

Is it over-engineering if I add protection against a user's intentional wrongdoing (to put it mildly), if the harm the user can incur is not related to my code? To clarify, I'm exposing a simple JSON ...
3 votes, 2 answers, 209 views

Implementing Lazy Registration

I'm interested in setting up Lazy Registration on my website. Ideally, I'd like people to be able to fill out a record that might include their name, email, address, etc. and then record it to a user ...
0 votes, 1 answer, 145 views

Looking for an up-to-date PHP Auth script to manage users

I have a client that has a rather generic, but established, website up and running. He now wants to add a simple UserAuth mechanism by which users can register (name,email) and access "member pages". ...
5 votes, 2 answers, 1k views

Designing authentication for REST API

I'm working up an API for a REST service that I'm going to both be producing and consuming. I've spent the past few days trying to figure out how to handle authentication nicely, and think I've ...
7 votes, 5 answers, 3k views

Best practices for web application Authentication/Security (Any Platform)

I got a question today from my manager asking me my thoughts on what is considered an acceptable design for authentication of a web form application, especially in regards to the nature of many ...
4 votes, 2 answers, 397 views

How to solve a general authentication problem for multiple applications?

At my current job (we're in a MS environment), we have multiple deployed web applications, both internet and intranet. The internal apps generally use an Active Directory sign in, the forward facing sites ...