Replacing ASP.NET Forms Authentication
UPDATE: This blog post was briefly unavailable; we've published an update on why it was taken down.
Several months ago, we wrote a blog post about why we think ASP.NET forms authentication is broken. The post describes how the cookie encryption in ASP.NET tends to change with Windows updates and patches, the problems it causes for a platform like AppHarbor, and the steps we take to mitigate those problems.
In the comments, we promised to share our solution to the breakage in ASP.NET forms authentication, and that solution is to replace it entirely with our own authentication implementation. This gives you complete control over how session cookies are created and validated, so that they are not affected by changes to the .NET Framework or to other pieces of the infrastructure.
We have chosen to share this by open sourcing an authentication class library and a bare-bones ASP.NET MVC application with a fairly complete authentication implementation. It's available on GitHub; go take a look now.
What's included
- There are three projects: the sample, the AppHarbor.Web.Security class library and a KeyGenerator
- Password hashing is done using Blowfish-based BCrypt. BCrypt is nice because it's an adaptive hash function: its cost (work factor) parameter can be raised over time to keep hashing slow and compensate for attackers getting access to progressively faster hardware for brute-forcing any salted and hashed passwords they've gotten access to
- Just like ASP.NET forms authentication, encrypted cookies are used to track sessions. Cookies are encrypted using the fast symmetric Rijndael (AES) algorithm. Keep in mind that encryption alone only provides confidentiality; a cookie scheme also needs to authenticate the ciphertext (for example with an HMAC) and reject tampered cookies before decrypting them
- The Web project comes with a UserController to create new users and a SessionController to sign existing users in and out
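To make the two building blocks above concrete, here is an added example (written for this page, not code from AppHarbor.Web.Security or the sample project): BCrypt password hashing with an explicit work factor, and a session cookie that is encrypted with AES-CBC and then authenticated with HMAC-SHA256 under keys the application owns, so the cookie format cannot change underneath you with a framework update. It assumes the BCrypt.Net NuGet package is referenced; the class names, the `userName|expiryTicks` payload layout and the separate MAC key are choices made for this example and need not match the library's own format.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not AppHarbor.Web.Security itself. Assumes the BCrypt.Net NuGet package is referenced.
public static class PasswordHasher
{
    // BCrypt cost parameter: key setup is repeated 2^WorkFactor times. Raise it as hardware
    // gets faster; hashes already stored keep the cost they were made with and still verify.
    public const int WorkFactor = 12;

    // Returns a string carrying the algorithm id, the cost, a random salt and the hash ("$2a$12$...").
    public static string Hash(string password)
    {
        return BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    public static bool Verify(string password, string storedHash)
    {
        return BCrypt.Net.BCrypt.Verify(password, storedHash);
    }
}

// Session cookie protected with AES-CBC plus an HMAC-SHA256 tag under keys the application
// owns, so the cookie format depends only on this code and on the configured keys.
public sealed class SessionCookieProtector
{
    private const int IvLength = 16;  // AES block size
    private const int TagLength = 32; // HMAC-SHA256 output size
    private readonly byte[] _encryptionKey; // 32 bytes (AES-256)
    private readonly byte[] _macKey;        // 32 bytes, independent of the encryption key

    public SessionCookieProtector(byte[] encryptionKey, byte[] macKey)
    {
        if (encryptionKey == null || encryptionKey.Length != 32 || macKey == null || macKey.Length != 32)
            throw new ArgumentException("Both keys must be 32 bytes");
        _encryptionKey = encryptionKey;
        _macKey = macKey;
    }

    // Cookie value = Base64( IV || AES-CBC(userName "|" expiryTicks) || HMAC(IV || ciphertext) ).
    public string Protect(string userName, TimeSpan lifetime)
    {
        if (userName.IndexOf('|') >= 0) throw new ArgumentException("'|' is reserved as the payload separator");
        byte[] plaintext = Encoding.UTF8.GetBytes(userName + "|" + DateTime.UtcNow.Add(lifetime).Ticks);
        byte[] ivAndCiphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = _encryptionKey; // CBC mode and PKCS7 padding are the defaults
            aes.GenerateIV();         // fresh random IV for every cookie
            using (var encryptor = aes.CreateEncryptor())
                ivAndCiphertext = Concat(aes.IV, encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length));
        }
        using (var hmac = new HMACSHA256(_macKey))
            return Convert.ToBase64String(Concat(ivAndCiphertext, hmac.ComputeHash(ivAndCiphertext)));
    }

    // Returns the user name, or null if the cookie is malformed, tampered with or expired.
    public string Unprotect(string cookieValue)
    {
        byte[] data;
        try { data = Convert.FromBase64String(cookieValue); } catch (FormatException) { return null; }
        if (data.Length < IvLength + 16 + TagLength) return null; // at least one ciphertext block

        byte[] ivAndCiphertext = Slice(data, 0, data.Length - TagLength);
        byte[] tag = Slice(data, data.Length - TagLength, TagLength);
        byte[] expectedTag;
        using (var hmac = new HMACSHA256(_macKey)) expectedTag = hmac.ComputeHash(ivAndCiphertext);
        if (!FixedTimeEquals(expectedTag, tag)) return null; // reject before any decryption happens

        byte[] plaintext;
        using (var aes = Aes.Create())
        {
            aes.Key = _encryptionKey;
            aes.IV = Slice(ivAndCiphertext, 0, IvLength);
            using (var decryptor = aes.CreateDecryptor())
                plaintext = decryptor.TransformFinalBlock(ivAndCiphertext, IvLength, ivAndCiphertext.Length - IvLength);
        }
        string payload = Encoding.UTF8.GetString(plaintext);
        int separator = payload.LastIndexOf('|');
        if (separator < 0) return null;
        long expiryTicks;
        if (!long.TryParse(payload.Substring(separator + 1), out expiryTicks)) return null;
        if (new DateTime(expiryTicks, DateTimeKind.Utc) < DateTime.UtcNow) return null;
        return payload.Substring(0, separator);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] result = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, result, 0, a.Length);
        Buffer.BlockCopy(b, 0, result, a.Length, b.Length);
        return result;
    }

    private static byte[] Slice(byte[] source, int offset, int count)
    {
        byte[] result = new byte[count];
        Buffer.BlockCopy(source, offset, result, 0, count);
        return result;
    }

    // Compares every byte regardless of where the first mismatch is, so timing reveals nothing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Keys would normally come from configuration and be identical on every server;
        // random ones are generated here only to keep the demo self-contained.
        byte[] encryptionKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encryptionKey); rng.GetBytes(macKey); }

        string hash = PasswordHasher.Hash("correct horse battery staple");
        Console.WriteLine("verify right password: " + PasswordHasher.Verify("correct horse battery staple", hash));
        Console.WriteLine("verify wrong password: " + PasswordHasher.Verify("Tr0ub4dor&3", hash));

        var protector = new SessionCookieProtector(encryptionKey, macKey);
        string cookie = protector.Protect("alice", TimeSpan.FromHours(1));
        Console.WriteLine("unprotect: " + protector.Unprotect(cookie));

        byte[] tampered = Convert.FromBase64String(cookie);
        tampered[IvLengthOfCookie] ^= 0x01; // flip one bit in the first ciphertext block
        Console.WriteLine("tampered: " + (protector.Unprotect(Convert.ToBase64String(tampered)) ?? "rejected"));
        Console.WriteLine("expired: " + (protector.Unprotect(protector.Protect("alice", TimeSpan.FromHours(-1))) ?? "rejected"));
    }

    private const int IvLengthOfCookie = 16; // mirrors SessionCookieProtector.IvLength for the tamper demo
}
```

Two design points worth copying whatever library you end up with: the encryption and MAC keys are separate, and the tag is verified over the whole `IV || ciphertext` in constant time before the ciphertext is ever handed to the decryptor, so an attacker who edits a cookie gets nothing back but a sign-out, never a padding or decryption error to learn from. Because the cookie carries its own expiry inside the authenticated payload, a stolen cookie also stops working on its own without any server-side state.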
The README has details on how to integrate the authentication implementation in your own project. You can also refer to the sample for inspiration.
Once this solution has been available for public scrutiny for a while and we're confident that it is sound, we will package the authentication library up as a NuGet package to ease installation.
Let us know how this works out for you in the comments, and feel free to get in touch if you encounter any problems.
Image credit: Brocken Inaglory