Because of lack of demand for my beta testing of FSCAuth I've decided that I probably need to go a different approach. No one wants to blindly trust an authentication library, so I'm going to dual license it under GPL and commercial. This way everyone can see the source code and know that it's trust worthy, but also can pay for a (pretty cheap) commercial license to prevent people from having to open source their entire project.

I'll have source code uploaded in the next few days with the GPL license attached, so be on the look out for it.

I uploaded the doxygen documentation for FSCAuth 1.1-beta and now I'm saying I'm open for beta testing. The new documentation is here.

If you are interested in beta testing a new and intuitive authentication library for ASP.Net, please fill out this form detailing your beta request. The beta will end sometime in September 2011 (updated). All beta assemblies will work until December 1st, 2011. If you do get selected to beta test, then there are benefits in it for you! All beta testers that give me back feedback will receive a free 2 server license of the released version of FSCAuth. Note that all paid licenses include source code.

For more information about FSCAuth, please see these links:

• The FSCAuth 1.1 Introduction
• The FSCAuth 1.1 FAQ
• The FSCAuth tag

FAQ

Q: I have to use a legacy database.Can I still take advantage of FSCAuth?

A: YES! FSCAuth was designed to work just as well with a database not explicitly designed for it. The only constraint is that there must be a UniqueID that will fit into a string for each user. Because you have control over each field in UserData you can also override things and make it so that FSCAuth will work across a plain text database. However, I don't recommend it and instead recommend you just reset all of your passwords and add a Salt column to your database if one doesn't exist yet.

Q: What if a user needs to recover their password?

A: The only way to recover a password is to store it in plain text or encrypted. As such, this is not supported for this library. I recommend instead generating a random password and sending this to the user instead so that they can reset their password to what they wish.

Q: How do I change the Hashing Algorithm? Why do I need a delegate?

A: To give you full control over how hashes are created and to accomodate "tracked" salts as used in BCrypt, you must create a new function and assign it to HasherInvoker. This is the default hasher:

        static HashWithSalt DefaultHasher(string plain, string salt)

    {
        var v=new HashWithSalt();
        if(salt==null){
            v.Salt=HashHelper.GetSalt(SaltLength);
        }else{
            v.Salt=salt;
        }
        HashAlgorithm hash;
        if(SupportsUnmanagedCrypto){
            hash=new SHA256CryptoServiceProvider();
        }else{
            hash=new SHA256Managed();
        }
        v.Text=HashHelper.FromBytes(hash.ComputeHash(HashHelper.ToBytes(plain+v.Salt)));
        return v;
    }

With this, it should be simple to implement any hashing algorithm.

Q: What if I want the UniqueHash stored in my web.config?

A: Don't fill in Authentication.UniqueHash in the code, and the FSCAuth library will look in your web.config under appSettings. For instance, if this is in web.config, it will use myhash as the value of UniqueHash:

<appSettings>
  <add name="FSCAuth_UniqueHash" value="myhash" />
</appSettings>

Note: This doesn't work under most Medium Trust installations, so for medium trust you must populate it in code.

Q: How do I use HTTP Basic Authentication?

A: If you only want it for one page and not every page, then in the Page_Load(or similar) just use Authentication.RequiresLogin(true);. The true option means to use Basic Auth. If no one is logged in, then at this line it will send the HTTP 401 Authentication Required erorr code.

If, however, you prefer to use HTTP Basic Auth "by-default", then use Authentication.UseBasicAuthByDefault=true;. This will make it so Authentication.RequiresLogin(); will use Basic Auth. To use cookie based authentication instead somewhere else, you can use Authentication.RequiresLogin(false);

Q: Can I have more than the fields you provide for UserData or GroupData?

A: Yes! All that must be done is descend from the class and use your new class in the UserStore. Note: Not every UserStore will require modifications to persist the extra fields, however, the provided SQL Server UserStore will require modifications to persist the extra fields.

Q: How can I protect static files?

A: Right now, it's not the easiest thing in the world. I plan to make this easier in the next release, but here is how to work around it: Assuming IIS 7 or Apache(or some other server which always calls Global.asax even for static file requests), you must match the requested path against a regular expression or similar:

protected virtual void Application_BeginRequest (Object sender, EventArgs e){
  if (Context.Request.Path.ToLower() == "/private")
  {
    Authentication.RequiresLogin();
  }
}

Q: What if I want to change my hashing algorithm or UniqueHash?

A: Currently, it's not possible without resetting every user's password. However, there is a small bit of a workaround. You can modify things so that when a user logs in, since you know their password because it solved the old hash, you can set the new hash using the password they just logged in with. FSCAuth doesn't have this functionality built in however.

Q: Can I use bcrypt as my hashing algorithm?

A: Yes! Just follow these instructions

Q: Why don't you provide more UserStores?

A: I don't plan on providing any more past Memory, SQL Server, and MongoDB. The reason is because UserStores usually have to be implemented from scratch regardless to fit with how your website is designed. I don't want to provide code that has no use.

Q: Why are people logged into my site using Basic Authentication?

A: Basically, whenever a user logs in initially through Basic Authentication, the web browser sends the user credentials on every page requested. If you have HttpRealm set, then this enables code that will check the credentials the browser sends and log in the user if it's the correct login information. It is not possible to limit some pages to only cookies and some pages to only Basic authentication within the same website. (note: if you send RequiresLogin(false) then you won't get an HTTP Basic login prompt, but if you were to force your web browser to send the Basic Authentication headers, they'd log you in)

Q: Why can't I log out a user that logged in using Basic Authentication?

A: This is by fault of the HTTP standard. Basically, there is no way for your server to send a message to the user's web browser that it should stop sending credentials. You can see this Stackoverflow question for a work around though.

Q: Can I limit how many times a user can try to login?

A: Not at the moment. I've been working on an extension which will only let users attempt to login a set amount of times with it getting exponentially slower with each failed attempt, but currently it's not ready for production use. I plan on putting it in with the next release however.

Q: Do I need to transport everything over HTTPS?

A: Short answer; Probably. Unless you are using throw away credentials that don't actually matter, then use HTTPS at least when you POST back to login. If you use HTTP Basic authentication, you NEED to use HTTPS for everything because the username and password is sent over in clear text for every single request. It's not technically required, but it's defeating all of your security if you don't use HTTPS where user credentials are sent.

Q: Where format does the UniqueHash property have to be in?

A: It doesn't matter. Just make sure it's long and no one can guess it. I personally prefer to use Random.org to generate me a random string.

Q: Can I cache items in the UserStore?

A: You must be careful about it, but you can. The only concern you should have is that if you delete a user or change their information(especially password hash and/or salt), then you must be sure to flush the cache for that user. This is extremely simple to do in a single server setup, but more care must be taken in a multi-server setup.

Q: I have an odd condition where I need to put in a user not authorized message. How do I do that?

A: Just do throw new HttpException(403, "Forbidden"); For instance, to block a certain user from a page

if(CurrentUser.Username=="Bobby Drop Tables"){
  throw new HttpException(403, "Forbidden");
}

Note: If you have a "catch-all" type error page, be sure that you set it up both as the 500(catch all), 403, and 401 error pages in the web.config, otherwise, you'll have the problem described below.

Q: What does the CustomErrorsFixer class do?

A: This class will fix a bug in some configurations of ASP.Net/mono in which instead of showing the current error page with the correct HTTP status code, instead it will do an HTTP redirect to the error page. This causes a massive amount of SEO problems including search engines indexing your login page and other pages that shouldn't be indexed. Pages which aren't anonymously accessible will be indexed in the search engine as either your login page or your 403 Forbidden page. Due to problems in medium trust, this class won't work within a medium trust environment. You should setup a robots.txt file to mitigate this problem in medium trust.

What is FSCAuth?

FSCAuth is short of Fast, Secure, and Concise Authentication. It's designed to be a flexible replacement for ASP.Net Forms Authentication. It is designed around a very minimalistic interface to your database, IUserStore.

Why use FSCAuth?

The main reason I use FSCAuth is that it saves me time and I don't have to use as much code to describe how I want it to react. I created it initially because ASP.Net Forms Authentication required too much work for a trivial login system. Everyone has basically said there are only two options for authentication, ASP.Net Forms Auth or roll your own. Well, I've rolled my own so that people have a third option now.

How does it save time?

FSCAuth is very straight forward to use. Just glancing over the Intellisense documentation is generally enough to get started. For setup only 2 fields must be populated in Global.asax and a UserStore must be implemented(which is only 4 easy functions). After that, you're ready to show off awesome code like this:

protected void Page_Load(object sender, EventArgs e){ //the load event for my secret page
  //Some secret stuff you don't want to show to people
  Authentication.RequiresInGroup("secret"); //will throw an HTTP 403 error if they are not in the group and redirect them to your 403 error page.
}

or even

protected void Page_Load(object sender, EventArgs e){
  if(Authentication.IsAuthenticated){
    AuthenticatedPanel.Visible=false;
  }else{
    AuthenticatedPanel.Visible=true;
  }
}

On top of this easy, but fine grained authorization, you also NEVER have to worry about handling cookies or HTTP Basic Auth yourself. The only thing that developers using FSCAuth have to worry about is the UserStore.

Is it secure?

Right from the beginning Fast, Secure, and Concise Authentication was designed to be fool proof for security. I never make you implement any low level details of the authentication. This makes it so that there is much less risk in extending your authentication system. It was designed to be secure enough that even if a dump of the database behind it got leaked, your user's credentials would be safe, and hackers would still not be capable of logging in. All passwords are hashed and salted. All login cookies are practically impossible to forge with today's hardware.

Don't take my word for it though; check out the source code. With every paid license full source code is included. The source code is not overly complex and at the core is only a few hundred lines including comments. If you look at it and think I did a horrible job, then return it. Binpress offers a 14 day money back guarantee.

Is it fast?

Speed is the wrong word to use for an authentication framework. I prefer efficiency. One of FSCAuth's best points is that only 1 database hit is required for everything except for creating a user. It can actually be made to not require a database hit depending on how the UserStore is implemented. FSCAuth plays nice with caching.

By default, FSCAuth uses SHA256 for hashing, which is the most common hashing algorithm for passwords right now. If you prefer a slower hashing method(for security) you can either change algorithms to any hash algorithm that implements System.Security.Cryptography.HashAlgorithm, or you can change the number of iterations the hash algorithm is used (default is 1).

Also, there is no need for a persistence of session state. So no extra memory used on your servers, nor messy tables in your database. This is a "stateless" authentication system.

What's capable?

This library is capable, of course, of adding and authenticating users. It also includes simple one-line checks for operations such as checking if a user is logged in, and checking if they are enrolled in a group. Also included in the latest release is the ability to use HTTP Basic Authentication just as simply as you'd use cookie based authentication.

Limitations

Well, I have to tell you, FSCAuth isn't perfect, but it's pretty close to the needs I've seen. Currently, FSCAuth lacks quite a few features supplied by ASP.Net Forms Authentication. Some of this is by design and some of it will be implemented in a later release. Anyway, FSCAuth doesn't implement any of the following: Emailing a user their password, a ready-made user registration wizard, controlling authorization with attributes on functions and classes, password strength requirements, Windows/Passport authentication, Role/Task/Group multilevel support (there is only groups), and probably quite a bit more. Most of the lacking features are by design. I've never seen the built-in registration wizard used on an ASP.Net site in the wild; so I won't impelment something that most people want to create themselves anyway. Rather, this project is designed to be used where Forms Authentication doesn't work well. This means that using something other than GUIDs is easy, Implementing a custom user database(or using an existing database) is straight forward, and tying it to your database can be done in less than 200 lines of code in most cases(SQL Server UserStore is 171 lines). Keep in mind also though, that FSCAuth can be used as a base for creating your own custom authentication system. The source code is provided with every paid license.

What's included?

1. The main authentication module(source code and assembly)
2. Generic in-memory list UserStore implementation
3. SQL Server UserStore
4. ASP.Net Login custom control
5. ASP.Net Logout custom control
6. ASP.Net example web application

Note: In the demo version, source code for FSCAuth and FSCAuth.Extensions is not included. FSCAuth.Example source code is provided.

Compatability

• Framework versions: Mono 2.0 or greater(possibly works with earlier verions), .Net 2.0 and greater(below 2.0 must degrade to Managed SHA256)
• Windows OS support: Windows XP(1), Server 2003, Server 2008, Vista, and 7. (32 and 64 bit)
• *nix OS support: Linux, OpenBSD (should work in other OSs as well with mono)
• Servers: mono-xsp, Cassini, IIS6(2), IIS7, IIS7.5, Apache with mod_mono
• Comes with example UserStores for SQL Server and MongoDB. They are easy to adapt to custom needs.
• Runs within Medium Trust(3)
• Works equally well for both Webforms and ASP.Net MVC
• Runs without modifications in a web cluster(no secret caching is done behind the scenes)

Notes: 1. Using Windows XP, you must degrade to the Managed SHA256 implementation due to lack of OS support 2. Using IIS6, I have not yet found a way to protect static files 3. In medium trust, CustomErrorsFixer does not work, which fixes error pages to return the proper HTTP status code. AuthPage must be populated with the 401 error page if using HTTP Basic Auth in Medium Trust.

More documentation:

• A MongoDB example UserStore
• The semi-formal specification of how each value is salted and hashed
• FSCAuth's Doxygen API reference
• SQL Server UserStore

You can also stay up to date by following the FSCAuth tag on my blog

Support

If you need to report a bug, feature request, or any other support related to FSCAuth, please use This Form.

I've had to revamp quite a few things in this next release of FSCAuth to accommodate BCrypt, but overall, I think it makes things cleaner and flexible anyway.

So if you want to use BCrypt, it's pretty easy to do now. First off, a new change is that HasherInvoker is now a delegate used for computing hashes and it is now capable of "keeping track" of salts, such as is required for BCrypt. You could do it probably without converting BCrypt to a HashAlgorithm, but it's how I did it... so..

First, get the HashAlogrithm interface for BCrypt.Net: GalacticJello at StackOverflow kindly provided it for me.

Next, you just need a new HasherInvoker function for FSCAuth:

    static HashWithSalt BCryptHashHander(string plain, string salt)
    {
        var v=new HashWithSalt();
        BCryptHasher hash=new BCryptHasher();
        if(salt==null){
            v.Text=HashHelper.FromBytes(hash.ComputeHash(HashHelper.ToBytes(plain)));
            v.Salt=hash.Salt;
        }else{
            hash.Salt=salt;
            v.Text=HashHelper.FromBytes(hash.ComputeHash(HashHelper.ToBytes(plain)));
        }
        return v;
    }

Fairly simple at least. And then just assign it to Authentication:

Authentication.HasherInvoker = BCryptHashHander;

You could extend on this to put in a WorkFactor and other such things pretty easily as well. The only possible thing in FSCAuth to break it might be HashIterations being more than one. But for BCrypt, you should really only have this at 1 and increase the WorkFactor if you need it slower

BSD Licensed code :)

Copyright (c) 2011 Jordan "Earlz/hckr83" Earls http://lastyearswishes.com All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.