FSCAuth

Released 4 years ago, last update 2 years ago

A fast, secure, concise, and yet, complete authentication implementation in ASP.Net

What is FSCAuth?

FSCAuth is short for Fast, Secure, and Concise Authentication. It's designed to be a flexible replacement for ASP.Net Forms Authentication, built around a very minimalistic interface to your database, IUserStore.

Licensing

FSCAuth is 3-clause BSD licensed. This means it's free for commercial use! The paid options are for support.

Why use FSCAuth?

The main reason I use FSCAuth is that it saves me time and I don't have to use as much code to describe how I want it to react. I created it initially because ASP.Net Forms Authentication required too much work for a trivial login system. Everyone has basically said there are only two options for authentication, ASP.Net Forms Auth or roll your own. Well, I've rolled my own so that people have a third option now.

How does it save time?

FSCAuth is very straightforward to use. Just glancing over the Intellisense documentation is generally enough to get started. For setup, only 2 fields must be populated in Global.asax and a UserStore must be implemented (which is only 4 easy functions). After that, you're ready to show off awesome code like this:

protected void Page_Load(object sender, EventArgs e){ //the load event for my secret page
  //Some secret stuff you don't want to show to people
  Authentication.RequiresInGroup("secret"); //throws an HTTP 403 error if the user is not in the group, which redirects them to your 403 error page
}

or even

protected void Page_Load(object sender, EventArgs e){
  if(Authentication.IsAuthenticated){
    AuthenticatedPanel.Visible=false;
  }else{
    AuthenticatedPanel.Visible=true;
  }
}

On top of this easy, but fine grained authorization, you also NEVER have to worry about handling cookies or HTTP Basic Auth yourself. The only thing that developers using FSCAuth have to worry about is the UserStore.

Is it secure?

Right from the beginning, Fast, Secure, and Concise Authentication was designed to be foolproof for security. I never make you implement any low-level details of the authentication, so there is much less risk in extending your authentication system. It was designed to be secure enough that even if a dump of the database behind it got leaked, your users' credentials would be safe and attackers would still not be capable of logging in. All passwords are hashed and salted. All login cookies are practically impossible to forge with today's hardware.

Don't take my word for it though; check out the source code. The source code is not overly complex and at the core is only a few hundred lines including comments.

Is it fast?

Speed is the wrong word to use for an authentication framework. I prefer efficiency. One of FSCAuth's best points is that only 1 database hit is required for everything except for creating a user. It can actually be made to not require a database hit depending on how the UserStore is implemented. FSCAuth plays nice with caching.

By default, FSCAuth uses SHA256 for hashing, which is the most common hashing algorithm for passwords right now. If you prefer a slower hashing method (for security), you can either change algorithms to any hash algorithm that implements System.Security.Cryptography.HashAlgorithm, or you can change the number of iterations the hash algorithm is applied (default is 1). BCrypt hashing is also supported. See this blog post

There is no need for a persistence of session state. So no extra memory is used on your servers, nor messy tables in your database. This is a "stateless" authentication system.

What's capable?

This library is capable, of course, of adding and authenticating users. It also includes simple one-line checks for operations such as checking if a user is logged in, and checking if they are enrolled in a group. Also included in the latest release is the ability to use HTTP Basic Authentication just as simply as you'd use cookie based authentication.

Limitations

Well, I have to tell you, FSCAuth isn't perfect, but it's pretty close to the needs I've seen. Currently, FSCAuth lacks quite a few features supplied by ASP.Net Forms Authentication. Some of this is by design and some of it will be implemented in a later release. FSCAuth doesn't implement any of the following: emailing a user their password, a ready-made user registration wizard, controlling authorization with attributes on functions and classes, password strength requirements, Windows/Passport authentication, Role/Task/Group multilevel support (there are only groups), and probably quite a bit more. Most of the lacking features are by design. I've never seen the built-in registration wizard used on an ASP.Net site in the wild, so I won't implement something that most people want to create themselves anyway. Rather, this project is designed to be used where Forms Authentication doesn't work well. This means that using something other than GUIDs is easy, implementing a custom user database (or using an existing database) is straightforward, and tying it to your database can be done in less than 200 lines of code in most cases (the SQL Server UserStore is 171 lines). Keep in mind also that FSCAuth can be used as a base for creating your own custom authentication system. The source code is provided with every paid license.

What's included?

  1. The main authentication module (source code and assembly)
  2. Generic in-memory list UserStore implementation
  3. SQL Server UserStore
  4. ASP.Net Login custom control
  5. ASP.Net Logout custom control
  6. ASP.Net example web application

Compatibility

  • Framework versions: Mono 2.0 or greater (possibly works with earlier versions), .Net 2.0 and greater (below 2.0 must degrade to Managed SHA256)
  • Windows OS support: Windows XP (1), Server 2003, Server 2008, Vista, and 7 (32 and 64 bit)
  • *nix OS support: Linux, OpenBSD (should work in other OSs as well with Mono)
  • Servers: mono-xsp, Cassini, IIS6 (2), IIS7, IIS7.5, Apache with mod_mono
  • Comes with example UserStores for SQL Server and MongoDB. They are easy to adapt to custom needs.
  • Runs within Medium Trust (3)
  • Works equally well for both Webforms and ASP.Net MVC
  • Runs without modifications in a web cluster (no secret caching is done behind the scenes)

Notes:

  1. On Windows XP, you must degrade to the Managed SHA256 implementation due to lack of OS support.
  2. On IIS6, I have not yet found a way to protect static files.
  3. In medium trust, CustomErrorsFixer (which fixes error pages so that they return the proper HTTP status code) does not work. AuthPage must be populated with the 401 error page if using HTTP Basic Auth in Medium Trust.

Pricing

FREE

BSD license

The BSD license is an open-source license.

FAQ

Q: Can I use FSCAuth without making my project GPL licensed and open source?

A: Not without buying a commercial license. GPL prohibits linking GPL projects with non-GPL projects, but commercial licenses are cheap!

Q: I have to use a legacy database. Can I still take advantage of FSCAuth?

A: YES! FSCAuth was designed to work just as well with a database not explicitly designed for it. The only constraint is that there must be a UniqueID that will fit into a string for each user. Because you have control over each field in UserData, you can also override things and make FSCAuth work across a plain-text database. However, I don't recommend it; instead, reset all of your passwords and add a Salt column to your database if one doesn't exist yet.

Q: What if a user needs to recover their password?

A: The only way to recover a password is to store it in plain text or encrypted. As such, this is not supported for this library. I recommend instead generating a random password and sending this to the user instead so that they can reset their password to what they wish.

Q: How do I change the Hashing Algorithm? Why do I need a delegate?

A: To give you full control over how hashes are created, and to accommodate "tracked" salts as used in BCrypt, you must create a new function and assign it to HasherInvoker. This is the default hasher:

static HashWithSalt DefaultHasher(string plain, string salt)
{
    var v = new HashWithSalt();
    if (salt == null) {
        // new password: generate a fresh random salt of the configured length
        v.Salt = HashHelper.GetSalt(SaltLength);
    } else {
        // verifying an existing password: reuse the stored salt
        v.Salt = salt;
    }
    HashAlgorithm hash;
    if (SupportsUnmanagedCrypto) {
        hash = new SHA256CryptoServiceProvider();
    } else {
        hash = new SHA256Managed(); // required on Windows XP and below .Net 2.0
    }
    // the stored hash is SHA256(password || salt), encoded as text
    v.Text = HashHelper.FromBytes(hash.ComputeHash(HashHelper.ToBytes(plain + v.Salt)));
    return v;
}

With this, it should be simple to implement any hashing algorithm.
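The following is an added example, not code from FSCAuth itself, of the "slower hashing method" mentioned above: a replacement hasher that derives the stored value with PBKDF2 (Rfc2898DeriveBytes from the .Net framework) instead of a single SHA256 pass. It keeps the same (string plain, string salt) signature as DefaultHasher so it can be assigned to HasherInvoker, and assumes the HashWithSalt, HashHelper and SaltLength members shown in the default hasher above; the iteration count and output length are my own choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example; not part of the FSCAuth distribution.
// Assumes the FSCAuth types shown on this page: HashWithSalt (Salt, Text),
// HashHelper.GetSalt / ToBytes / FromBytes, and Authentication.SaltLength.
public static class Pbkdf2Hasher
{
    // Tunable cost: raise it as your hardware allows. Each login pays this
    // cost once, so it directly slows down offline guessing of a leaked dump.
    const int Iterations = 10000;
    const int DerivedKeyLength = 32; // bytes of output, same size as SHA256

    // Same contract as DefaultHasher: salt == null means "new password, make a
    // salt"; a non-null salt means "recompute with the stored salt to verify".
    public static HashWithSalt Hash(string plain, string salt)
    {
        var v = new HashWithSalt();
        v.Salt = salt ?? HashHelper.GetSalt(Authentication.SaltLength);

        // Rfc2898DeriveBytes requires at least 8 bytes of salt, so
        // Authentication.SaltLength must be configured to 8 or more.
        byte[] saltBytes = HashHelper.ToBytes(v.Salt);
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(plain, saltBytes, Iterations);
        v.Text = HashHelper.FromBytes(kdf.GetBytes(DerivedKeyLength));
        return v;
    }

    // Call once at startup, e.g. from Application_Start in Global.asax,
    // before any user is created or verified.
    public static void Install()
    {
        Authentication.HasherInvoker = Pbkdf2Hasher.Hash;
    }
}
```

Because the stored text no longer matches what DefaultHasher would produce, install this only on a fresh user table or alongside a password reset, for the same reason given in the FAQ entry on changing the hashing algorithm.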

Q: What if I want the UniqueHash stored in my web.config?

A: Don't fill in Authentication.UniqueHash in the code, and the FSCAuth library will look in your web.config under appSettings. For instance, if this is in web.config, it will use myhash as the value of UniqueHash (note that appSettings entries take a key attribute, not name):

<appSettings>
  <add key="FSCAuth_UniqueHash" value="myhash" />
</appSettings>

Note: This doesn't work under most Medium Trust installations, so for medium trust you must populate it in code.

Q: How do I use HTTP Basic Authentication?

A: If you only want it for one page and not every page, then in Page_Load (or similar) just call Authentication.RequiresLogin(true);. The true option means to use Basic Auth. If no one is logged in, this line sends the HTTP 401 Authentication Required status code.

If, however, you prefer to use HTTP Basic Auth by default, then set Authentication.UseBasicAuthByDefault=true;. This makes Authentication.RequiresLogin(); use Basic Auth. To use cookie-based authentication instead somewhere else, call Authentication.RequiresLogin(false);.

Q: Can I have more than the fields you provide for UserData or GroupData?

A: Yes! All that must be done is descend from the class and use your new class in the UserStore. Note: not every UserStore will require modifications to persist the extra fields; however, the provided SQL Server UserStore will.

Q: How can I protect static files?

A: Right now, it's not the easiest thing in the world. I plan to make this easier in the next release, but here is how to work around it. Assuming IIS 7 or Apache (or some other server which always calls Global.asax even for static file requests), you must match the requested path against a regular expression or similar:

protected void Application_BeginRequest(object sender, EventArgs e){
  // Require a login for the /private directory and everything underneath it.
  // A prefix (or regular expression) match is needed: an exact comparison
  // against "/private" would let "/private/report.pdf" through unchallenged.
  string path = Context.Request.Path;
  if (path.Equals("/private", StringComparison.OrdinalIgnoreCase)
      || path.StartsWith("/private/", StringComparison.OrdinalIgnoreCase))
  {
    Authentication.RequiresLogin();
  }
}

Q: What if I want to change my hashing algorithm or UniqueHash?

A: Currently, it's not possible without resetting every user's password. However, there is a small workaround. You can modify things so that when a user logs in, since their plain-text password is available at that moment (it just verified against the old hash), you compute and store the new hash from the password they just logged in with. FSCAuth doesn't have this functionality built in, however.

Q: Can I use Bcrypt as my hashing algorithm?

A: Yes! Please see this blog post

Q: Why don't you provide more UserStores?

A: I don't plan on providing any more past Memory, SQL Server, and MongoDB. The reason is that UserStores usually have to be implemented from scratch regardless, to fit with how your website is designed. I don't want to provide code that has no use.

Q: Why are people logged into my site using Basic Authentication?

A: Basically, whenever a user logs in initially through Basic Authentication, the web browser sends the user credentials on every page requested. If you have HttpRealm set, this enables code that will check the credentials the browser sends and log in the user if it's the correct login information. It is not possible to limit some pages to only cookies and some pages to only Basic Authentication within the same website. (Note: if you call RequiresLogin(false) then you won't get an HTTP Basic login prompt, but if you were to force your web browser to send the Basic Authentication headers, they'd log you in.)

Q: Why can't I log out a user that logged in using Basic Authentication?

A: This is due to the HTTP standard. Basically, there is no way for your server to tell the user's web browser that it should stop sending credentials. You can see this Stack Overflow question for a workaround, though.

Q: Can I limit how many times a user can try to login?

A: Not at the moment. I've been working on an extension which will only let users attempt to login a set amount of times with it getting exponentially slower with each failed attempt, but currently it's not ready for production use. I plan on putting it in with the next release however.

Q: Do I need to transport everything over HTTPS?

A: Short answer: probably. Unless you are using throw-away credentials that don't actually matter, use HTTPS at least when you POST back to login. If you use HTTP Basic Authentication, you NEED to use HTTPS for everything, because the username and password are sent in clear text with every single request. It's not technically required, but you defeat all of your security if you don't use HTTPS wherever user credentials are sent.
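As an added example (not FSCAuth code), here is one way to enforce the advice above from Global.asax. It assumes a login page at /Login.aspx (a placeholder path) and that Basic Authentication credentials arrive in the standard Authorization header; it does not call FSCAuth itself. The important detail is the split in handling: a plain GET without credentials can safely be redirected to HTTPS, but a request that already carried a password over plain HTTP cannot be "undone" by a redirect, so it is refused outright, which also makes the condition visible in the server logs.

```csharp
using System;
using System.Web;

// Added example for Global.asax; not part of FSCAuth.
// Assumption: the login form posts to /Login.aspx (placeholder path).
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpRequest request = Context.Request;
    if (request.IsSecureConnection)
        return; // already on HTTPS, nothing to do

    bool carriesCredentials =
        request.Headers["Authorization"] != null ||
        (request.HttpMethod == "POST" &&
         request.Path.Equals("/Login.aspx", StringComparison.OrdinalIgnoreCase));

    if (carriesCredentials)
    {
        // The credentials have already crossed the wire in clear text; a redirect
        // would not undo that. Refuse the request so the misconfiguration (a form
        // or client pointed at http://) shows up in the logs and gets fixed.
        Context.Response.StatusCode = 400;
        Context.Response.Write("Credentials must be sent over HTTPS.");
        CompleteRequest();
        return;
    }

    // Ordinary request without credentials: send the browser to the HTTPS
    // version of the same URL before it ever sees a login form or 401 challenge.
    UriBuilder secure = new UriBuilder(request.Url);
    secure.Scheme = Uri.UriSchemeHttps;
    secure.Port = 443;
    Context.Response.Redirect(secure.Uri.AbsoluteUri, false);
    CompleteRequest();
}
```

CompleteRequest() ends the pipeline without the ThreadAbortException that Response.End() raises. If you enable UseBasicAuthByDefault, the refusal branch matters most: every request from a Basic-authenticated browser carries the password, so a single http:// link is enough to expose it.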

Q: What format does the UniqueHash property have to be in?

A: It doesn't matter. Just make sure it's long and no one can guess it. I personally prefer to use Random.org to generate a random string for me.

Q: Can I cache items in the UserStore?

A: You must be careful about it, but you can. The only concern you should have is that if you delete a user or change their information (especially password hash and/or salt), you must be sure to flush the cache for that user. This is extremely simple to do in a single-server setup, but more care must be taken in a multi-server setup.

Q: I have an odd condition where I need to put in a user not authorized message. How do I do that?

A: Just do throw new HttpException(403, "Forbidden");. For instance, to block a certain user from a page:

if(CurrentUser.Username=="Bobby Drop Tables"){
  throw new HttpException(403, "Forbidden");
}

Note: If you have a "catch-all" type error page, be sure that you set it up as the 500 (catch-all), 403, and 401 error page in web.config; otherwise, you'll have the problem described below.

Q: What does the CustomErrorsFixer class do?

A: This class works around a bug in some configurations of ASP.Net/Mono where, instead of showing the configured error page with the correct HTTP status code, the server does an HTTP redirect to the error page. This causes a massive amount of SEO problems, including search engines indexing your login page and other pages that shouldn't be indexed: pages which aren't anonymously accessible will be indexed in the search engine as either your login page or your 403 Forbidden page. Due to problems in medium trust, this class won't work within a medium trust environment. You should set up a robots.txt file to mitigate this problem in medium trust.

IIS 6 Considerations

In IIS6, it is not currently possible (as far as I can see, that is) to protect static files. For instance, if you have a private upload directory, you'll have to make the folder inaccessible within IIS6 and provide a "wrapper" page to download files from if you wish to protect it with FSCAuth.

MemoryUserStore doesn't behave well under IIS 6. To compensate, you must set it up so that only 1 worker thread will run. Otherwise, each request will alternate between two different MemoryUserStore instances.
