microsoft.public.dotnet.framework.aspnet.webservices

Re: can web service be used as central logon management

Dino Chiesa [MSFT]

8/12/2003 6:30:00 PM

> What I want to do is create a central web
> service to authenticate user logon.
> Is it possible?

Yes, why not?

It seems you have something like this:
browsers (B) connect to web servers (W1) to request pages.
Apps running on the web servers then need to authenticate the users (from the browser).
The web apps can use "anything" as the backend authentication service. One common way is for the webapp to do a database query, and find a record for the given userid and password hash. But you could just as easily use a webservice to verify the authentication information.

A web service is fine.

As for security issues: yes, you need to be careful and thoughtful.
What information are you passing from the browser to the web app? Is it a
bona fide password, or a hash, or ... what? Are you using encrypted
communications between the browser and web app?

Same issues with the communications from the web app to the authentication
service.

How long will the authenticated sessions last? How will you do timeouts?

And so on...

Sorry, there are no simple answers to these things.

-Dino





"xiaobin sun" <sunxb@feinfo.com> wrote in message
news:042d01c35c62$0e4af650$a401280a@phx.gbl...
> I have several web applications running on different web
> servers. What I want to do is create a central web
> service to authenticate user logon. I.e. every
> application will connect to the web service to determine whether
> a user is authenticated or not. Is it possible? Are there
> any security problems?
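
An added example, not part of the thread or of any poster's code: a language-neutral Python sketch of the central logon service discussed above, showing one way to answer the questions about what is stored (a salted hash, not the password) and how sessions time out (a signed token with a fixed expiry that every web app asks the service to check). The class name, method names and `SESSION_TTL` value are hypothetical, and encrypted transport between browser, web app and service is assumed rather than shown.

```python
import base64, hashlib, hmac, json, os, time

SESSION_TTL = 15 * 60  # assumed absolute session lifetime, in seconds

def _hash(password, salt):
    # Salted, slow hash so the service never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CentralAuthService:
    """Hypothetical central logon service; the signing key never leaves it."""

    def __init__(self):
        self._key = os.urandom(32)
        self._users = {}  # userid -> (salt, password hash)

    def add_user(self, userid, password):
        salt = os.urandom(16)
        self._users[userid] = (salt, _hash(password, salt))

    def _sign(self, body):
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac)

    def login(self, userid, password, now=None):
        """Return a signed, expiring token, or None on bad credentials."""
        now = time.time() if now is None else now
        # Unknown users still pay for one hash, keeping response time similar.
        salt, stored = self._users.get(userid, (b"\0" * 16, b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            return None
        claims = {"sub": userid, "exp": int(now) + SESSION_TTL}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def verify(self, token, now=None):
        """Called by each web app: userid, or None if forged or expired."""
        now = time.time() if now is None else now
        try:
            body, sig = token.encode().split(b".")
            if not hmac.compare_digest(sig, self._sign(body)):
                return None
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return None
        return claims["sub"] if now < claims["exp"] else None
```

Because only the service holds the signing key, a web app cannot mint or extend a session on its own; it can only ask the service whether a token is still valid.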