Fast, Secure, and Concise Authentication -- Call for beta testers

Well, I'm announcing it finally. I've broken out the Authentication module from EFramework and I'm going commercial with it (after fixing quite a few things and extending it). If you still have a copy of the BSD licensed code, I ask you kindly to buy a commercial license. But of course, I can't force you to. I can't retroactively remove the BSD license after all.

Anyway, I need beta testers! What is FSCAuth? Well, it's a very handy authentication module for ASP.Net. It works on Mono/.Net/Webforms/MVC/you name it. And it's easy, even after the initial "hey, a user can log in" phase. It's designed to be customized and works well no matter what your database is. Like GUIDs as a unique ID? Go ahead, use 'em! Prefer integers instead? You can use those too!

A quick summary:

  • My nemesis is Forms Authentication. Why? Well, because I don't like writing 200 lines of code just so I can use something other than the crappy SQL Server Compact database. Or heaven forbid you want your database to be halfway clean without 50 stored procedures (which do nothing) littered in it.
  • My target audience is small and medium size web applications.
  • I find it a breeze to work with. This blog uses it (in a hidden form).

If you are interested in beta testing, please send me an email at earlz at this domain name (lastyearswishes.com). Beta testers that give me feedback will get a non-expiring single-site license when the project is released. The few that give me outstanding feedback will receive a non-expiring multi-site license. In your email please include "fscauth beta testing", a little about yourself, and how you will beta test it (for instance, are you going to put it in your own blog?).

Demo Application

Also, if you'd like to see a small demo application, you can look at fscauth-demo. It uses an in-memory list of users and is limited to 100 users. But you can see the hashes for everyone's account and try hacking stuff.

Below is some more information about it. NOTE: Some of this is not yet implemented (the MongoDB and SQL Server UserStores in particular). This is a projection! Some of these features may change or be removed completely.

What is this?

This is a very easy to use authentication module for ASP.Net. It's been designed from the beginning to be flexible while requiring as little setup as possible. It can be used with any database or data store imaginable. As examples, I provide three different data store implementations:

  1. SQL Server
  2. MongoDB
  3. Generic in-memory list

Why use it?

Well, I created this because I thought ASP.Net Forms Authentication required too much work for simple systems. I wanted something easier, but also more secure out of the box.

Easier?

For setup you only have to populate 2 fields and call an Authenticate method from Global.asax. After that, you're ready to show off awesome code like this:

// Some secret stuff you don't want to show to people
Authenticate.RequiresInGroup("secret");

or even

if (Authenticate.LoggedIn) {
  // show something only logged in people see
}

Security?

Right from the beginning, Fast, Secure, and Concise Authentication was designed to be foolproof for security. It was designed to be secure enough that even if a dump of the database behind it got leaked, your users' credentials would be safe, and hackers would still not be capable of logging in. By default, all passwords are salted and SHA256 hashed. All login cookies are impossible (or almost impossible) to forge.

Don't take my word for it though; check out the source code. With every license but Personal No Commercial, full source code is included. The source code is not overly complex and at the core is only a few hundred lines including comments. If you look at it and think I did a horrible job, then return it. Binpress offers a 14 day money back guarantee.

Speed?

Of course, authentication is a core part of a website, so it needs to be fairly fast. Speed was actually the lowest priority of the project, but it's still very fast. The only operation requiring more than one database access is adding a user, and that is only for ease of implementation. On each authentication, a total of two hashes is computed. With SHA256 this equates to microseconds. This will not be the component that slows your website down.

Also, there is no need to persist session state. So there is no extra memory used on your servers, nor messy tables in your database. This is what I like to call a "stateless" authentication system.
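To make the design in the Security and Speed sections concrete, here is an added illustration (my own example, not FSCAuth's code, whose internals I have not seen): a salted SHA256 password hash as the only stored credential, and a login cookie token that is a keyed hash over the user name and that stored hash, so the server keeps no session state. The server key, the salt length and the token layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical illustration of a stateless, salted-SHA256 login design.
// Not FSCAuth's code; the key, salt size and token layout are assumed.
public static class StatelessAuthDemo
{
    // Assumed server-side secret: lives in config, never in the database,
    // so a leaked database dump alone cannot produce a valid cookie.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("example-server-key-change-me");

    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Hash #1: salted password hash, the only credential stored per user.
    // Caveat: a single SHA256 is cheap to brute-force offline; a slow KDF
    // such as PBKDF2 is the usual hardening if the dump does leak.
    public static string HashPassword(string password, string salt)
    {
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(salt + password)));
    }

    // Hash #2: keyed hash over user name and stored hash. A password change
    // alters the stored hash and so invalidates every outstanding cookie.
    public static string CookieToken(string userName, string storedHash)
    {
        using (HMACSHA256 mac = new HMACSHA256(ServerKey))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(userName + "|" + storedHash)));
    }

    // Verifying a cookie needs one database read (the stored hash) and one hash.
    public static bool VerifyCookie(string userName, string token, string storedHash)
    {
        return FixedTimeEquals(CookieToken(userName, storedHash), token);
    }

    // Compare without early exit so a wrong token leaks no timing information.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Login computes HashPassword and then CookieToken (the two hashes per authentication); each later request recomputes only CookieToken from the stored hash and compares it to the cookie.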

What can it do?

Notably, this project does not try to implement everything that is in Forms Authentication. If you require Windows Authentication, or complex Member/Role/Task/Group support, then maybe you should stick with Forms. This is designed rather for the 90% of websites out there that just need a simple user login system with maybe a few groups, and don't want to mess around with writing 200 lines of code to do it.

What's included?

  1. The main authentication module (source code and assembly)
  2. SQL Server example UserStore implementation
  3. MongoDB example UserStore implementation
  4. Generic in-memory list UserStore implementation
  5. ASP.Net Login custom control
  6. ASP.Net UserStatus custom control
  7. ASP.Net Logout custom control
  8. ASP.Net example web application
  9. Offline copy of documentation

Batteries are not included

What platforms?

  • Mono 2.0 and greater
  • .Net 2.0 and greater (below 3.5 must degrade to the slower Managed SHA256 implementation)
  • Designed to run from any database
  • Runs within Medium Trust
  • Works equally well for both Webforms and ASP.Net MVC
  • Runs without modifications in a web cluster

Posted: 4/10/2011 4:55:04 AM