Thursday, December 25, 2008

Silverlight authentication

If you need to access server resources from Silverlight (e.g. uploading statistics or reading data from a database), the easiest solution is to invoke an XML Web Service. I've seen many examples of Silverlight authentication for web services. Many of them are well illustrated and well written. The main problem is security: they create the illusion of security. If you want a secure authentication method, the following solution achieves a good level of security.

Log in the user (either from an ASP.NET page or from Silverlight through an XML Web Service).

    [WebMethod]
    public bool Authenticate(string Username, string Password)
    {
        // FormsAuthentication.Authenticate checks the <credentials> element in web.config;
        // a real application validates against its own user store (e.g. Membership.ValidateUser).
        if (FormsAuthentication.Authenticate(Username, Password))
        {
            // Issue the Forms authentication ticket as a non-persistent (session) cookie.
            FormsAuthentication.SetAuthCookie(Username, false);
            return true;
        }
        return false;
    }

Now, in any web method, you can check whether the user is authenticated. The identity is rebuilt by ASP.NET from the ticket cookie on each request, so you never accept a user name passed as a parameter.

    // HttpContext.Current.User is populated by FormsAuthenticationModule from the
    // decrypted and validated ticket; a missing or tampered cookie yields an
    // anonymous identity, so IsAuthenticated is false.
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        DoWork();
        return true;
    }
    else
    {
        DoNothingUserNotAuthenticated();
        return false;
    }
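As an added example (not code from the original post), here is the two-step scheme above assembled into one ASMX web service that a Silverlight client can call. It assumes a hypothetical ASP.NET 3.5 project that exposes this class as AuthService.asmx with Forms authentication enabled in web.config; the service namespace is made up. It substitutes Membership.ValidateUser for FormsAuthentication.Authenticate so the credentials are checked against the configured membership provider rather than the <credentials> list in web.config, and it refuses the protected call with a SOAP fault instead of silently returning false.

```csharp
// Added example, not the original post's code. Assumes a hypothetical ASP.NET 3.5
// project exposing this class as ~/AuthService.asmx with <authentication mode="Forms">.
using System;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.com/authservice")]   // hypothetical namespace
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class AuthService : WebService
{
    // Step 1: check the credentials and issue the Forms authentication ticket.
    // SetAuthCookie writes the encrypted, signed ticket to the response as a cookie;
    // the browser (and the Silverlight plug-in, which uses the browser's HTTP stack)
    // sends that cookie back on every later call to this site.
    [WebMethod]
    public bool Authenticate(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        // Membership.ValidateUser asks the configured membership provider;
        // FormsAuthentication.Authenticate would only check web.config <credentials>.
        if (!Membership.ValidateUser(username, password))
            return false;

        // createPersistentCookie = false: session cookie, discarded when the browser closes.
        // With requireSSL="true" in web.config this throws HttpException on a plain-HTTP request.
        FormsAuthentication.SetAuthCookie(username, false);
        return true;
    }

    // Step 2: every protected method trusts only the identity ASP.NET rebuilt
    // from the validated ticket, never a user name passed as a parameter.
    [WebMethod]
    public string GetCurrentUser()
    {
        if (!Context.User.Identity.IsAuthenticated)
        {
            // A SOAP fault tells the Silverlight client the call was refused,
            // rather than returning data that looks valid but is empty.
            throw new SoapException("Caller is not authenticated.",
                                    SoapException.ClientFaultCode);
        }

        // Name comes from the ticket; AuthenticationType is "Forms" for a Forms ticket.
        return Context.User.Identity.Name + " (" + Context.User.Identity.AuthenticationType + ")";
    }

    // Let the client end the session explicitly; this clears the ticket cookie.
    [WebMethod]
    public void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

A Silverlight 2 proxy generated with Add Service Reference goes through the browser's networking stack, so the cookie issued by Authenticate is attached to the later GetCurrentUser call automatically; nothing on the client has to store or resend the password.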

Now there are two main security threats:

  • Login is insecure
  • HttpContext is insecure (the cookie it derives the identity from can be stolen or forged)

Login is insecure

You have to implement the login functionality securely to make your application secure, so use SSL to prevent eavesdropping on and tampering with the login data. The same applies to every later call: the authentication cookie travels with each request to the site, so serve the web service over SSL too and set requireSSL="true" on the <forms> element, which flags the cookie Secure so the browser never sends it over plain HTTP.

HttpContext is insecure

ASP.NET Forms authentication uses cookies to identify users (by default). The ticket inside that cookie must be encrypted and signed with the server's machine key so that the client can neither read nor forge it, and it must be decrypted and validated whenever it is read. ASP.NET does both for you as long as the protection attribute of the <forms> element is "All" (the default); never set it to "None", "Encryption" or "Validation" alone. Don't persist the cookie if you don't have to (the second argument of SetAuthCookie above is false for that reason), and keep the timeout short.
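The web.config settings that back the two points above, as an added example rather than configuration from the original post. It assumes a hypothetical ASP.NET 3.5 site; the login page path is made up, and the machineKey values are placeholders.

```xml
<!-- Added example, not from the original post. Hypothetical ASP.NET 3.5 web.config. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": ticket is encrypted AND signed with the machine key (the default;
                             do not lower it to None, Encryption or Validation).
           requireSSL="true": cookie is flagged Secure, so it is only sent over HTTPS, and
                             SetAuthCookie refuses to issue it on a plain-HTTP request.
           timeout / slidingExpiration: limit how long a stolen ticket stays usable.
           cookieless="UseCookies": never fall back to putting the ticket in the URL. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- On a single server AutoGenerate is fine. Only a web farm needs explicit keys,
         because every server must be able to decrypt and validate the same ticket. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

Note that requireSSL="true" also affects the login web method: calling it over plain HTTP makes SetAuthCookie throw an HttpException instead of quietly issuing an unprotected cookie, which is the behaviour you want.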

Security

The solution above can be secure. When you log on to the site, a Forms authentication ticket carrying the user name (not the password) is created, encrypted and signed with the server's machine key, and stored on the user's machine as a cookie. The browser sends that cookie with every request to the site, so the user's identity is available wherever it has to be proved, in an XML Web Service just as in a page, through HttpContext.

The direct authentication pattern (sending the user name and password with every call) is, I think, not a solution for Silverlight web services: either the password travels as plain text to the service every time it is invoked, or re-validating it on every call causes severe performance degradation.