Creating a Login Overlay
page 6 of 6
by Scott Mitchell

Security and Other Concerns

Bear in mind that, except for requests over HTTPS, any request from the browser to the server is transmitted over the network in plain text. For this reason, many websites have the login page accessed via HTTPS, as in https://www.example.com/login.aspx. This approach ensures that the user's credentials are securely transmitted and kept from prying eyes. With the login overlay user interface, user credentials are sent to the server-side service in plain text unless the user is visiting the current page over HTTPS.

You can optionally configure the server-side AuthenticationService service to only accept requests over SSL. To accomplish this, go to Web.config and set the system.web.extensions\scripting\webServices\authenticationService element's requireSSL attribute to true. If requireSSL is set to true and a non-secure request is made to the server-side AuthenticationService service, then the service throws an HttpException. If you go this route, also consider setting the system.web\authentication\forms element's requireSSL attribute to true, which instructs the browser to submit the authentication ticket to the server only when making a request over HTTPS.
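The two requireSSL settings described above, shown together as a Web.config fragment. This is an added example, not part of the article's sample download; the loginUrl value and enabled="true" are assumptions about the site's existing configuration.

```xml
<!-- Web.config fragment (added example; loginUrl and enabled="true" are assumed values) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true" marks the forms authentication ticket cookie as Secure,
           so the browser sends it only over HTTPS. The default is false. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>

  <system.web.extensions>
    <scripting>
      <webServices>
        <!-- requireSSL="true" makes the server-side AuthenticationService reject
             non-HTTPS calls (it throws an HttpException). The default is false. -->
        <authenticationService enabled="true" requireSSL="true" />
      </webServices>
    </scripting>
  </system.web.extensions>
</configuration>
```

With the service set this way, a login attempt from the overlay on a page served over plain HTTP fails, so the pages that host the overlay need to be served over HTTPS too.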

In closing, realize that for many sites the login overlay is not intended to be an outright replacement for the dedicated login page. If you have pages that are only available to authenticated users, then you will still need a dedicated login page for those scenarios where an anonymous user attempts to directly visit a page intended only for authenticated users.

Download

[Download Sample]

Further Reading

For more information on the topics addressed in this article, consult the following resources:

· Accessing Server-Side Data from Client Script
· ASP.NET Security Tutorials
· The Client-Side Sys.Services.AuthenticationService class
· Introduction to Membership
· The Server-Side AuthenticationService class
· Using Forms Authentication in ASP.NET

 


©Copyright 1998-2014 ASPAlliance.com