
  Friday, December 23, 2005

Intro to Authentication

Authentication is also synonymous with login.

Various types of authentication:
  • Windows Authentication: Mostly used for intranet sites, as all users must have a Windows account. So, if you are creating a website like Yahoo Mail, this is not for you.
  • Forms Based Authentication: Mostly used over the internet; Yahoo Mail uses this kind of authentication. You don’t need a Windows account. Users register themselves, create a user id and password, and then use the same to log in. You store the user id and password in a database, and when the user logs in, you check against the database and authenticate or reject.
  • Passport Authentication: This is nothing but forms-based authentication, except that the user id and password are stored with Microsoft. Very rarely used.
  • Custom Authentication: This is my own technique. When the user registers, collect their email id. Then send an email with a link; clicking it authenticates the user automatically. The link expires after the first click, so even if it stays in the browser cache, no one else can use it. When they log out, send another link to their email. There are some drawbacks, but if you don’t want to maintain user ids and passwords yourself and want to get rid of the whole authentication process, this is easy. Most importantly, the user will not have another password to remember. This works for a normal site, but should not be used on sites that require extra security, such as those using SSL.
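The expiring single-use link described above, as an added example (written in Python rather than ASP.NET, and not the author's own code): the token is random, only its hash is stored, and it dies on first use or after a fixed lifetime. The in-memory store, the login URL and the 15-minute TTL are assumptions; the logout step in the post would simply call issue_login_link again.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store: token_hash -> (email, expires_at).
# A real site would keep this table in its database.
_pending = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an unused link


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table cannot be replayed as live links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited login link for the given address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    # Hypothetical login endpoint; the site would email this URL to the user.
    return f"https://example.invalid/login?token={token}"


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is valid, else None. Burns the token."""
    now = time.time() if now is None else now
    # pop() removes the record, so a second click on the same link fails.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None  # an unused but stale link is rejected as well
    return email
```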

More on each of these authentication techniques later.

Tuesday, December 20, 2005

Damn introduction

Every damn thing has an introduction. Here is my damn introduction. Future posts in this blog will cover the bolded items below in detail. So read, write back if you have any queries, or else stay tuned for more…

I do not intend to cover ASP.NET 2.0 here. It deserves its own blog and it is on the way.

So far, in almost all cases, a web application involves the following (I am ignoring static HTML websites):

  • Reading data from a database and showing it to the user in the browser
  • Updating the database with data collected from the browser

Yes, it is that simple. If you know the above, you can safely say you know 80% of the skill required to create a web application. Digging one layer further, in almost all cases the following would be required. Not all websites are created for everyone’s use. So, the following two control accessibility.

  • Authentication: Allow only a specific set of users, say employees, to use your website.
  • Authorization: Once a user is authenticated, apply one more layer of control. Not every page in the website is for every employee. There may be HR pages that should be accessible only to HR people. So, control access based on the user profile.
  • State Maintenance: As we all know, the web operates in a stateless environment, where the connection between the user’s computer and the web server is lost the moment the web server sends a response. So there arises a need for something called “Session Maintenance”. After all, we don’t want users to log in on every page, nor do we want them to keep a pen and paper to write down the list of items they intend to buy as they navigate through different pages of the website.

That’s it. Ya, that’s all. Those are the minimum things required. However, other things come into the picture depending on how big your application is.

  • Encryption: Encoding all the contents of a request and response so that nobody on the internet can view our data. We use SSL for that.
  • Multi-tiering: If there is a lot of processing to be done for each request on the web server, it may be worth doing some of the processing on a different computer, often referred to as an “App Server”. By sharing the load, the web server will have enough capacity to accept new requests and keep the website available all the time. So, one has to know “Remoting” techniques to be able to make an application multi-tier. Web Services are a popular remoting technique.
  • Logging & Error Handling: Mistakes do happen. People may try to divide a number by zero. That doesn’t mean the website should crash or show an unpleasant error to the user. So, warn the user where necessary and keep a log of the error encountered. Errors happen for a variety of reasons; maybe the database server is down or busy. So, write these unpleasant events to a log and it will be easy to review the day’s errors at the end of the day.
  • Performance Testing / Load Testing: Before you release your website, do load testing to make sure it will withstand the maximum traffic that hits your site.
  • Client side error handling: JavaScript is needed to do this. Useful uses would be forcing the user to enter data in all the fields, validating an email id for its format, and maybe validating a date. We can do all this on the user’s computer instead of sending the data all the way to the web server only to figure out that the user didn’t enter correct details.
  • IIS
  • Traffic tracking
  • Code publishing
  • Content Publishing
  • Health Monitoring

Stay tuned.