FSCAuth 1.1 Introduction

What is FSCAuth?

FSCAuth is short for Fast, Secure, and Concise Authentication. It is designed to be a flexible replacement for ASP.Net Forms Authentication, built around a very minimalistic interface to your database, IUserStore.

Why use FSCAuth?

The main reason I use FSCAuth is that it saves me time, and I don't have to write as much code to describe how I want it to behave. I created it initially because ASP.Net Forms Authentication required too much work for a trivial login system. Everyone has basically said there are only two options for authentication: ASP.Net Forms Auth or roll your own. Well, I've rolled my own so that people have a third option now.

How does it save time?

FSCAuth is very straightforward to use. Just glancing over the Intellisense documentation is generally enough to get started. For setup, only 2 fields must be populated in Global.asax and a UserStore must be implemented (which is only 4 easy functions). After that, you're ready to show off awesome code like this:

protected void Page_Load(object sender, EventArgs e){ //the load event for my secret page
  //Some secret stuff you don't want to show to people
  Authentication.RequiresInGroup("secret"); //will throw an HTTP 403 error if they are not in the group and redirect them to your 403 error page.
}

or even

protected void Page_Load(object sender, EventArgs e){
  if(Authentication.IsAuthenticated){
    AuthenticatedPanel.Visible=false;
  }else{
    AuthenticatedPanel.Visible=true;
  }
}

On top of this easy but fine-grained authorization, you also NEVER have to worry about handling cookies or HTTP Basic Auth yourself. The only thing that developers using FSCAuth have to worry about is the UserStore.

Is it secure?

Right from the beginning, Fast, Secure, and Concise Authentication was designed to be foolproof for security. I never make you implement any low-level details of the authentication. This means there is much less risk in extending your authentication system. It was designed to be secure enough that even if a dump of the database behind it got leaked, your users' credentials would be safe, and attackers would still not be capable of logging in. All passwords are hashed and salted. All login cookies are practically impossible to forge with today's hardware.

Don't take my word for it though; check out the source code. With every paid license full source code is included. The source code is not overly complex and at the core is only a few hundred lines including comments. If you look at it and think I did a horrible job, then return it. Binpress offers a 14 day money back guarantee.

Is it fast?

Speed is the wrong word to use for an authentication framework. I prefer efficiency. One of FSCAuth's best points is that only 1 database hit is required for everything except creating a user. It can actually be made to require no database hit at all, depending on how the UserStore is implemented. FSCAuth plays nice with caching.

By default, FSCAuth uses SHA256 for hashing, which is the most common hashing algorithm for passwords right now. If you prefer a slower hashing method (for security), you can either change algorithms to any hash algorithm that implements System.Security.Cryptography.HashAlgorithm, or you can change the number of iterations the hash algorithm is applied (default is 1).
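As an added illustration of the configurable hashing described above (this is not FSCAuth's own code; the class, method names, the salt||password layout and the way iterations are chained are all assumptions), the helper below hashes a password with a per-user salt over any System.Security.Cryptography.HashAlgorithm, repeats the hash a configurable number of times so the cost can be raised, and verifies with a constant-time comparison:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not part of FSCAuth. It shows the two knobs the text
// mentions: the HashAlgorithm in use and the number of iterations (default 1).
public static class IteratedPasswordHasher
{
    // A fresh random salt per user, so identical passwords hash differently
    // and a leaked database cannot be attacked with one precomputed table.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // Hash salt||password, then re-hash the digest (iterations - 1) more times.
    // algorithmName is anything HashAlgorithm.Create understands, e.g. "SHA256".
    public static byte[] Hash(string password, byte[] salt, string algorithmName, int iterations)
    {
        if (iterations < 1) throw new ArgumentOutOfRangeException("iterations");
        using (HashAlgorithm algo = HashAlgorithm.Create(algorithmName))
        {
            if (algo == null) throw new ArgumentException("Unknown hash algorithm: " + algorithmName);
            byte[] pwd = Encoding.UTF8.GetBytes(password);
            byte[] input = new byte[salt.Length + pwd.Length];
            Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
            Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
            byte[] digest = algo.ComputeHash(input);
            // Each extra iteration makes every guess proportionally more expensive.
            for (int i = 1; i < iterations; i++)
            {
                digest = algo.ComputeHash(digest);
            }
            return digest;
        }
    }

    // Compare the stored digest with a freshly computed one without
    // short-circuiting on the first mismatching byte (no timing leak).
    public static bool Verify(string password, byte[] salt, byte[] stored, string algorithmName, int iterations)
    {
        byte[] computed = Hash(password, salt, algorithmName, iterations);
        if (computed.Length != stored.Length) return false;
        int diff = 0;
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ stored[i];
        return diff == 0;
    }
}
```

Raising the iteration count only costs the legitimate user one slower login, while every offline guess against a leaked dump has to pay the same price.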

Also, there is no need to persist session state, so no extra memory is used on your servers, and there are no messy tables in your database. This is a "stateless" authentication system.

What is it capable of?

This library is capable, of course, of adding and authenticating users. It also includes simple one-line checks for operations such as checking whether a user is logged in and whether they are enrolled in a group. Also included in the latest release is the ability to use HTTP Basic Authentication just as simply as you'd use cookie-based authentication.

Limitations

Well, I have to tell you, FSCAuth isn't perfect, but it's pretty close to the needs I've seen. Currently, FSCAuth lacks quite a few features supplied by ASP.Net Forms Authentication. Some of this is by design and some of it will be implemented in a later release. Anyway, FSCAuth doesn't implement any of the following: emailing a user their password, a ready-made user registration wizard, controlling authorization with attributes on functions and classes, password strength requirements, Windows/Passport authentication, Role/Task/Group multilevel support (there are only groups), and probably quite a bit more. Most of the lacking features are by design. I've never seen the built-in registration wizard used on an ASP.Net site in the wild, so I won't implement something that most people want to create themselves anyway.

Rather, this project is designed to be used where Forms Authentication doesn't work well. This means that using something other than GUIDs is easy, implementing a custom user database (or using an existing database) is straightforward, and tying it to your database can be done in less than 200 lines of code in most cases (the SQL Server UserStore is 171 lines). Keep in mind also that FSCAuth can be used as a base for creating your own custom authentication system. The source code is provided with every paid license.

What's included?

  1. The main authentication module(source code and assembly)
  2. Generic in-memory list UserStore implementation
  3. SQL Server UserStore
  4. ASP.Net Login custom control
  5. ASP.Net Logout custom control
  6. ASP.Net example web application

Note: In the demo version, source code for FSCAuth and FSCAuth.Extensions is not included. FSCAuth.Example source code is provided.

Compatibility

  • Framework versions: Mono 2.0 or greater (possibly works with earlier versions), .Net 2.0 and greater (below 2.0 must degrade to Managed SHA256)
  • Windows OS support: Windows XP (1), Server 2003, Server 2008, Vista, and 7 (32 and 64 bit)
  • *nix OS support: Linux, OpenBSD (should work in other OSs as well with Mono)
  • Servers: mono-xsp, Cassini, IIS6 (2), IIS7, IIS7.5, Apache with mod_mono
  • Comes with example UserStores for SQL Server and MongoDB. They are easy to adapt to custom needs.
  • Runs within Medium Trust (3)
  • Works equally well for both Webforms and ASP.Net MVC
  • Runs without modifications in a web cluster (no secret caching is done behind the scenes)

Notes:

  1. On Windows XP, you must degrade to the Managed SHA256 implementation due to lack of OS support.
  2. On IIS6, I have not yet found a way to protect static files.
  3. In Medium Trust, CustomErrorsFixer (which fixes error pages to return the proper HTTP status code) does not work. AuthPage must be populated with the 401 error page if using HTTP Basic Auth in Medium Trust.

More documentation:

You can also stay up to date by following the FSCAuth tag on my blog.

Support

If you need to report a bug, feature request, or any other support related to FSCAuth, please use This Form.

Posted: 7/25/2011 2:43:16 AM
