0

There is a winform client that connects to server and gets authenticated by providing username and password.

The user first time sends his username/password to the server, after that if didn't log out there is no need to get authenticated once more (like Github client or Windows Live Mail)

So I want to know:

  • what server should return back if username/password is valid, a true/false value or something else?
  • at the next run, how can I check if user authenticated last time and is logged on? which values should I check exactly? considering not allowing data tampering
  • If I save hashed password in app settings, how can I avoid stealing it by another one?

(Is appreciating avoided here in stackoverflow? ;) )

Blazi
  • 991
  • 3
  • 9
  • 19

2 Answers2

1

It all depends on how valuable the resource you are trying to protect is; also on who has access to the local computer etc.

  1. Simply cache the username/password in your application. The first time the user enters a username/password save it somewhere in the registry. Next time you app is started read from the registry and supply the values to the server.

  2. This is obviously a security risk in that someone can read the username/password from the registry, so encrypt the username/password before saving them to the registry using something like encrypt-decrypt-string-in-net.

  3. The next catch is that you may have to hardcode the decryption key in your app. Which means anyone who has access to your app's binary can work out the algorithm/key you are using and the use that knowledge to decrypt the keys stored in the registry. But by this time, most trivial attempts will have been dissuaded. You could try using the CryptProtectData function instead, so you don't have to hardcode the encryption keys in your app, but it's more complex.

Community
  • 1
  • 1
Grynn
  • 1,254
  • 11
  • 18
  • thanks @Grynn. So I save it somewhere like registry and I encrypt it. Now if someone tampered the username/password and entered a random username/password, how can I see it is valid? without requesting from server – Blazi Dec 25 '12 at 16:40
  • Oh, you'd still need to end the request to the server, but the user does not have to enter anything again ... so it's seamless. Another thing people do, is check once every 7 days, so if I validate a user/pass combo once, I only bother validating it again after 7 days. – Grynn Dec 25 '12 at 17:19
  • The server's interface would be something like: "https ://server/auth", you'd send a POST with the username/password and the server would respond with "OK" or "FAIL" (or perhaps JSON like { result: OK, days-since-last: 3 }...) – Grynn Dec 25 '12 at 17:23
0

If you don't want to keep the username/password cached in the application, you can use HMAC authentication instead. You authenticate the user during the first call using the username/password, but a session key is returned as response if the authentication was successfull. You can use that session key to authenticate the rest of the calls, as it is illustrated here,

http://weblogs.asp.net/cibrax/archive/2012/12/05/using-mac-authentication-for-simple-web-api-s-consumption.aspx

Regards, Pablo.

Pablo Cibraro
  • 3,769
  • 3
  • 25
  • 17